Analysis

  • max time kernel
    119s
  • max time network
    123s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags

    arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
  • submitted
    10-12-2024 17:40

Errors

Reason
Machine shutdown

General

  • Target

    CheckTest.exe

  • Size

    60KB

  • MD5

    a149091ddbbf8a023adf75cdc7678f73

  • SHA1

    260e9073577aeb16d041a77dd38bb90f03c7f856

  • SHA256

    0d37563cf9648338bf0e1f6f4a4463d4ffad04528fc0dc5f5939ea4d71199e30

  • SHA512

    56b198e9f90b26461b62cb8160b4e2e12b2c35a7a17967b5a7dc51d4d3d2c8d8028cf0dd7abb572fc77c0938e06d5e8454c81891c7adc84560d9d8e30ed4a3ef

  • SSDEEP

    1536:7jOuFsPymlKEgGbETDZDkb5eRfrwh5BOVC0S5p:7jmzKVH5kb5TVOVFS5p

Malware Config

Extracted

Family

xworm

Attributes
  • install_file

    svchost.exe

  • pastebin_url

    https://pastebin.com/raw/vJmE27fr

Extracted

Family

xworm

Version

3.0

C2

plus-loves.gl.at.ply.gg:59327

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

Signatures

  • DcRat

    DarkCrystal (DC) is a .NET RAT, active since June 2019, that is capable of loading additional plugins.

  • Dcrat family
  • Detect Xworm Payload 3 IoCs
  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 7 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 11 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and similar secrets.

  • Adds Run key to start application 2 TTPs 13 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Modifies data under HKEY_USERS 15 IoCs
  • Modifies registry class 3 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 19 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 57 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\CheckTest.exe
    "C:\Users\Admin\AppData\Local\Temp\CheckTest.exe"
    1⤵
    • Checks computer location settings
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4476
    • C:\Users\Admin\AppData\Local\Temp\GN1SCLCDC8ZECT7.exe
      "C:\Users\Admin\AppData\Local\Temp\GN1SCLCDC8ZECT7.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2676
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "GN1SCLCDC8ZECT7" /tr "C:\Users\Admin\AppData\Roaming\GN1SCLCDC8ZECT7.exe"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:3236
    • C:\Users\Admin\AppData\Local\Temp\71Z954GWX8I7DYV.exe
      "C:\Users\Admin\AppData\Local\Temp\71Z954GWX8I7DYV.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4628
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\HypercomponentCommon\I1SNCaG9QwHssjsi1vS2b9DJmZMoJ4clEjNn.vbe"
        3⤵
        • Checks computer location settings
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1508
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\HypercomponentCommon\cemEzm0xYx1.bat" "
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2228
          • C:\HypercomponentCommon\hyperSurrogateagentCrt.exe
            "C:\HypercomponentCommon/hyperSurrogateagentCrt.exe"
            5⤵
            • Modifies WinLogon for persistence
            • Checks computer location settings
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in Program Files directory
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4984
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5vxoyert\5vxoyert.cmdline"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:4580
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES70E5.tmp" "c:\Users\Admin\AppData\Roaming\CSC55CA4AFD6A24A858B532C1289184343.TMP"
                7⤵
                PID:2268
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fvqxdzyz\fvqxdzyz.cmdline"
              6⤵
              • Drops file in System32 directory
              • Suspicious use of WriteProcessMemory
              PID:4632
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7153.tmp" "c:\Windows\System32\CSC64BC9066E56540B6A926C0DECC7A1A9.TMP"
                7⤵
                PID:1700
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:1620
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\uk-UA\SppExtComObj.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:4480
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\OEM\spoolsv.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:3444
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\HypercomponentCommon\sppsvc.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:2288
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\hyperSurrogateagentCrt.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:2452
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\HypercomponentCommon\hyperSurrogateagentCrt.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:1952
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EbNewsvJyY.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2264
              • C:\Windows\system32\chcp.com
                chcp 65001
                7⤵
                PID:3376
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                PID:4880
              • C:\Recovery\OEM\spoolsv.exe
                "C:\Recovery\OEM\spoolsv.exe"
                7⤵
                • Executes dropped EXE
                PID:4568
    • C:\Users\Admin\AppData\Local\Temp\JQQHLO3ZR9X3WLV.exe
      "C:\Users\Admin\AppData\Local\Temp\JQQHLO3ZR9X3WLV.exe"
      2⤵
      • Executes dropped EXE
      PID:3688
    • C:\Users\Admin\AppData\Local\Temp\QZPW7YDS81W15NL.exe
      "C:\Users\Admin\AppData\Local\Temp\QZPW7YDS81W15NL.exe"
      2⤵
      • Executes dropped EXE
      PID:4620
    • C:\Users\Admin\AppData\Local\Temp\VXPZL5KFMI7SEPU.exe
      "C:\Users\Admin\AppData\Local\Temp\VXPZL5KFMI7SEPU.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2176
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\HypercomponentCommon\I1SNCaG9QwHssjsi1vS2b9DJmZMoJ4clEjNn.vbe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4776
  • C:\Users\Admin\AppData\Roaming\GN1SCLCDC8ZECT7.exe
    "C:\Users\Admin\AppData\Roaming\GN1SCLCDC8ZECT7.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:640
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4636
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1000
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2820
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Defender\uk-UA\SppExtComObj.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4520
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\uk-UA\SppExtComObj.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2728
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Defender\uk-UA\SppExtComObj.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1008
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Recovery\OEM\spoolsv.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4384
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\OEM\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2516
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Recovery\OEM\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3788
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\HypercomponentCommon\sppsvc.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:700
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\HypercomponentCommon\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2600
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\HypercomponentCommon\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1740
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "hyperSurrogateagentCrth" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\hyperSurrogateagentCrt.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2196
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "hyperSurrogateagentCrt" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\hyperSurrogateagentCrt.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3484
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "hyperSurrogateagentCrth" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\hyperSurrogateagentCrt.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4640
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "hyperSurrogateagentCrth" /sc MINUTE /mo 7 /tr "'C:\HypercomponentCommon\hyperSurrogateagentCrt.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:760
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "hyperSurrogateagentCrt" /sc ONLOGON /tr "'C:\HypercomponentCommon\hyperSurrogateagentCrt.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4740
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "hyperSurrogateagentCrth" /sc MINUTE /mo 6 /tr "'C:\HypercomponentCommon\hyperSurrogateagentCrt.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2808
  • C:\Users\Admin\AppData\Roaming\GN1SCLCDC8ZECT7.exe
    "C:\Users\Admin\AppData\Roaming\GN1SCLCDC8ZECT7.exe"
    1⤵
    • Checks computer location settings
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:4804
    • C:\Recovery\WindowsRE\RuntimeBroker.exe
      "C:\Recovery\WindowsRE\RuntimeBroker.exe"
      2⤵
      • Executes dropped EXE
      PID:1596
    • C:\Users\Admin\AppData\Roaming\GN1SCLCDC8ZECT7.exe.exe
      "C:\Users\Admin\AppData\Roaming\GN1SCLCDC8ZECT7.exe.exe"
      2⤵
      • Executes dropped EXE
      PID:2920
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa39d2855 /state1:0x41c64e6d
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:2336

Network

MITRE ATT&CK Enterprise v15


Downloads

          • C:\HypercomponentCommon\I1SNCaG9QwHssjsi1vS2b9DJmZMoJ4clEjNn.vbe

            Filesize

            220B

            MD5

            47085bdd4e3087465355c9bb9bbc6005

            SHA1

            bf0c5b11c20beca45cc9d4298f2a11a16c793a61

            SHA256

            80577e4666fad86273b01f60b8d63c15e4ce37774575ac1e0df7a7c396979752

            SHA512

            e74dd8e9756cab1123410a46609dc91540cc29a8fea93017155746f7bb9b7a41bfd3d7595a62788264bedceb475b2a733cce9b70f37cc4478302d5fc228d7684

          • C:\HypercomponentCommon\cemEzm0xYx1.bat

            Filesize

            105B

            MD5

            5ee2935a1949f69f67601f7375b3e8a3

            SHA1

            6a3229f18db384e57435bd3308298da56aa8c404

            SHA256

            c24a0d7f53a7aa3437f6b6566d3aaebdb36053b64e72cbd1d3796596fc8e3c06

            SHA512

            9777fcb9ee8a8aa0c770c835c5f30aff6efc5fb16a1819047e13d580d748703ffcb446db110067fb2546a637213cb8f25416d4b621a95a789b8e113d31d3401a

          • C:\HypercomponentCommon\hyperSurrogateagentCrt.exe

            Filesize

            1.9MB

            MD5

            7be5cea1c84ad0b2a6d2e5b6292c8d80

            SHA1

            631e3de0fe83ebacbe5be4e7f895dd0bd8b095ce

            SHA256

            6eb90684ebc56fb2713f5c468b55a964625ec2af698d9687492b1de4225693b7

            SHA512

            ea58d3b1664fe70968635c2722e19ce65ce4c1d66c68aed2d98441e60e773c7295f18d9c99cf4c454c510f33f5e37d3d2c0053b7434a46c542a0d63a4cc03647

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\GN1SCLCDC8ZECT7.exe.log

            Filesize

            654B

            MD5

            11c6e74f0561678d2cf7fc075a6cc00c

            SHA1

            535ee79ba978554abcb98c566235805e7ea18490

            SHA256

            d39a78fabca39532fcb85ce908781a75132e1bd01cc50a3b290dd87127837d63

            SHA512

            32c63d67bf512b42e7f57f71287b354200126cb417ef9d869c72e0b9388a7c2f5e3b61f303f1353baa1bf482d0f17e06e23c9f50b2f1babd4d958b6da19c40b0

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

            Filesize

            3KB

            MD5

            3eb3833f769dd890afc295b977eab4b4

            SHA1

            e857649b037939602c72ad003e5d3698695f436f

            SHA256

            c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

            SHA512

            c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

            Filesize

            1KB

            MD5

            60b3262c3163ee3d466199160b9ed07d

            SHA1

            994ece4ea4e61de0be2fdd580f87e3415f9e1ff6

            SHA256

            e3b30f16d41f94cba2b8a75f35c91ae7418465abfbfe5477ec0551d1952b2fdb

            SHA512

            081d2015cb94477eb0fbc38f44b6d9b4a3204fb3ad0b7d0e146a88ab4ab9a0d475207f1adae03f4a81ccc5beb7568dc8be1249f69e32fe56efd9ee2f6ee3b1af

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

            Filesize

            1KB

            MD5

            6a807b1c91ac66f33f88a787d64904c1

            SHA1

            83c554c7de04a8115c9005709e5cd01fca82c5d3

            SHA256

            155314c1c86d8d4e5b802f1eef603c5dd4a2f7c949f069a38af5ba4959bd8256

            SHA512

            29f2d9f30fc081e7fe6e9fb772c810c9be0422afdc6aff5a286f49a990ededebcf0d083798c2d9f41ad8434393c6d0f5fa6df31226d9c3511ba2a41eb4a65200

          • C:\Users\Admin\AppData\Local\Temp\71Z954GWX8I7DYV.exe

            Filesize

            2.2MB

            MD5

            05d87a4a162784fd5256f4118aff32af

            SHA1

            484ed03930ed6a60866b6f909b37ef0d852dbefd

            SHA256

            7e3d0dabaded78094abfac40d694eaebf861f3cb865d3835bb053d435e996950

            SHA512

            3d4ce511e9671d8bfa15e93d681fedd972f4fe4c09ac9cfd9653afe83e936654c88ee515a76e7ac80e8f34868802e68c6531fdea0b718029d2196ad1425981fc

          • C:\Users\Admin\AppData\Local\Temp\EbNewsvJyY.bat

            Filesize

            203B

            MD5

            0b48822fc1e7103d4343d760279a6ac5

            SHA1

            a0cafe97461d57a510d2f31e0b076b9e484f0f81

            SHA256

            80233cc417b92584f1aa96b6cbfbb033a614016b2c27945768d5375d932d9322

            SHA512

            a5648fe6cfcc536527aff7afbf9ddffa5315cdd4182dd03722b816d73c0dca037c497a5a9183743b72d8be4aac43e1d3d59e72daf76705796666f6c57b7ed436

          • C:\Users\Admin\AppData\Local\Temp\GN1SCLCDC8ZECT7.exe

            Filesize

            185KB

            MD5

            e0c8976957ffdc4fe5555adbe8cb0d0c

            SHA1

            226a764bacfa17b92131993aa85fe63f1dbf347c

            SHA256

            b8260ac46e03f2a7baa9ae01bee5443d16d9eb96f6ee8588a887d6de72a750d4

            SHA512

            3a1ea48e81ebfd5586938a72afd68bcc48d4c5d69949cfdacf33aee3371d98f202443f5db12bac876ca7cecc982ddc56827f8d9b1857d22bda71242d5b2cc71e

          • C:\Users\Admin\AppData\Local\Temp\RES70E5.tmp

            Filesize

            1KB

            MD5

            dfcac0bf90b377cd208d746c5bb4ee6a

            SHA1

            27defcf956d81a33103c7438571b855dcc9fc31b

            SHA256

            fabc48bc0fe0e8fb851d392a51de36f4513845c27b5e6c3503365a01af126c29

            SHA512

            6f13a723e34b70d3e2d0392e5f0e9b5131973302b3939717c93f58a0b47f7a35a93f0d4b3322e8778f8705c12ca2a32d5313889477b3c011c0eeb7883364112c

          • C:\Users\Admin\AppData\Local\Temp\RES7153.tmp

            Filesize

            1KB

            MD5

            abf5c94c08d70b0292c7da8e8363cd7c

            SHA1

            8c9ec41e860b3f6162ca3fcd937154ce564cb3fa

            SHA256

            9eefc73a47c057a9706034c206ef6d0337d473bae180e04f178c11fbe9203317

            SHA512

            9e59335572c9c1c9edd2c31c6e6941a74c7173c875124aba265eb55cccdc8a6804886a1dfd325907e2996210632eade936f709227dc18eb0fda463d2a552ed5e

          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qcmddrqv.dtv.ps1

            Filesize

            60B

            MD5

            d17fe0a3f47be24a6453e9ef58c94641

            SHA1

            6ab83620379fc69f80c0242105ddffd7d98d5d9d

            SHA256

            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

            SHA512

            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          • C:\Users\Admin\AppData\Roaming\GN1SCLCDC8ZECT7.exe

            Filesize

            4KB

            MD5

            9946354e3be18bf60138a1aabe372f88

            SHA1

            063b385d257559d6611368e14044095cc616e2db

            SHA256

            f2f35bd3a6412f06bc2da29eb657525b031dfc9fcff15a8ad2c0e888f479d307

            SHA512

            84adb810b3c26c68478fbf9de24286b878648e35113fd3242b3d0c54622428ba9a9216113fb33688c343ed0ef3ac55062b7fb104f23a4f236a351de00d5943b5

          • \??\c:\Users\Admin\AppData\Local\Temp\5vxoyert\5vxoyert.0.cs

            Filesize

            391B

            MD5

            36392a78859a38ebd93542860a2351ec

            SHA1

            f867feea60f113fa0f805235db3166aab76e92a9

            SHA256

            e09944741dccda4aea07d617c58e530c669b529c02ed8f516db69efb45807224

            SHA512

            e6f65db0c8044590d4bfba26fcec442de2bca3f3fbac3442c38e9e14fc08b1fff56779c88efc4ce79909f2fadc5fa3473d238ff55a28a37391f0fee77013c8f7

          • \??\c:\Users\Admin\AppData\Local\Temp\5vxoyert\5vxoyert.cmdline

            Filesize

            255B

            MD5

            2e987b2f8d43dba8e845572f9a0c2c9d

            SHA1

            8f77feb9535073a5fe7c28431a55b58576fbffa5

            SHA256

            fbc44241b5276f2f4434b777b350ae759992a4a3a0393374338aabfb2231c94a

            SHA512

            a7870345ba19a7d0da7a7b456f72464477644d12b60585bc56ca14f3c551042c42e9e05761cf6bbf611c1398783aac2991b23c0b53b9663548027d670f9dfed0

          • \??\c:\Users\Admin\AppData\Local\Temp\fvqxdzyz\fvqxdzyz.0.cs

            Filesize

            371B

            MD5

            b769cc3108d00ae2ccfa42f6b29f3f96

            SHA1

            035db2e0da0b1ca1e441a4370532708802f503d7

            SHA256

            ba34536521ee8fb1243da9a6df042d481edeb0833484c0a0a7df056296ade0bd

            SHA512

            41d183c70e1318d5c20da5aa0dbc4aabad2112ada1053fe890d8a9efdf76cd6032370111f1705006e65f6cdbcb02fb143c8a704580c324f97133304bda4bc9c5

          • \??\c:\Users\Admin\AppData\Local\Temp\fvqxdzyz\fvqxdzyz.cmdline

            Filesize

            235B

            MD5

            4dadd3b2aea621b84163cb53d698dcfc

            SHA1

            652196504ab9359e865d7976a30d64c560b8be29

            SHA256

            703e1d4eb225a4e403cd06f51427f2196d809f897e72d2bc200aa57b8a829578

            SHA512

            491efbbc87f0357ca1f3934acdd855a0759a931e51da47f2b6f82aa1c8d4189d5a2abd7dbeda3efe95b36aed47cd65d26bbf9c25a6dd880232c7db7437d696fc

          • \??\c:\Users\Admin\AppData\Roaming\CSC55CA4AFD6A24A858B532C1289184343.TMP

            Filesize

            1KB

            MD5

            cd5c568b89997ec3a5073cefb07240b8

            SHA1

            a9fefd58f8e021274f70b87e8d7f0b28f7c5aa05

            SHA256

            5809ac2e8cb6c5b2df0f4af2cdd4484d0c4189df041c58b9b50b3c7a62e95082

            SHA512

            7b23e2a491ee03bd1eba8c174e9f9990863935dc70891a086ce9d1da3d6715c298e084f03ba2c77a3f47594988aa00ca8e5002e79963d1190066efa2c8b02ce3

          • \??\c:\Windows\System32\CSC64BC9066E56540B6A926C0DECC7A1A9.TMP

            Filesize

            1KB

            MD5

            9f0d150a662e62a2badf0a9e7a83c6f3

            SHA1

            9509703c8bb53844e55a2db17b11f2caa44379cb

            SHA256

            127604fbf229e43bb67223a83d811c6106b64dcd386ec28739d2fb3a5131ce38

            SHA512

            a49a9febb165bb51ece0cd4f6e09cc60b11c9cadb9a11e383d7b426f7e1ebd0d7be7cf2d9bf845a983f6c9ad052741cb1cba7e7926e4466fc819073fe4eef18f

          • memory/1952-126-0x00000206F99B0000-0x00000206F99D2000-memory.dmp

            Filesize

            136KB

          • memory/2676-32-0x00007FFB13E30000-0x00007FFB148F2000-memory.dmp

            Filesize

            10.8MB

          • memory/2676-31-0x00007FFB13E30000-0x00007FFB148F2000-memory.dmp

            Filesize

            10.8MB

          • memory/2676-241-0x00007FFB13E30000-0x00007FFB148F2000-memory.dmp

            Filesize

            10.8MB

          • memory/2676-21-0x00007FFB13E30000-0x00007FFB148F2000-memory.dmp

            Filesize

            10.8MB

          • memory/2676-20-0x0000000000590000-0x00000000005C4000-memory.dmp

            Filesize

            208KB

          • memory/2676-30-0x00007FFB13E30000-0x00007FFB148F2000-memory.dmp

            Filesize

            10.8MB

          • memory/4476-190-0x000000001D2D0000-0x000000001D2DC000-memory.dmp

            Filesize

            48KB

          • memory/4476-3-0x00007FFB13E33000-0x00007FFB13E35000-memory.dmp

            Filesize

            8KB

          • memory/4476-0-0x00007FFB13E33000-0x00007FFB13E35000-memory.dmp

            Filesize

            8KB

          • memory/4476-242-0x00007FFB13E30000-0x00007FFB148F2000-memory.dmp

            Filesize

            10.8MB

          • memory/4476-209-0x000000001ECA0000-0x000000001F1C8000-memory.dmp

            Filesize

            5.2MB

          • memory/4476-1-0x0000000000DF0000-0x0000000000E06000-memory.dmp

            Filesize

            88KB

          • memory/4476-2-0x00007FFB13E30000-0x00007FFB148F2000-memory.dmp

            Filesize

            10.8MB

          • memory/4476-5-0x0000000002EE0000-0x0000000002EEC000-memory.dmp

            Filesize

            48KB

          • memory/4476-4-0x00007FFB13E30000-0x00007FFB148F2000-memory.dmp

            Filesize

            10.8MB

          • memory/4804-194-0x0000000000840000-0x0000000000848000-memory.dmp

            Filesize

            32KB

          • memory/4984-73-0x00000000017D0000-0x00000000017DC000-memory.dmp

            Filesize

            48KB

          • memory/4984-69-0x0000000003010000-0x0000000003028000-memory.dmp

            Filesize

            96KB

          • memory/4984-67-0x000000001BF90000-0x000000001BFE0000-memory.dmp

            Filesize

            320KB

          • memory/4984-62-0x0000000000DA0000-0x0000000000F86000-memory.dmp

            Filesize

            1.9MB

          • memory/4984-66-0x0000000002FF0000-0x000000000300C000-memory.dmp

            Filesize

            112KB

          • memory/4984-71-0x00000000017B0000-0x00000000017BE000-memory.dmp

            Filesize

            56KB

          • memory/4984-64-0x00000000017A0000-0x00000000017AE000-memory.dmp

            Filesize

            56KB