dcrat | 386878a415d3edac8530e3b99769b40759bd105e3758b2c68887440e8890ee55

Analysis

max time kernel
121s
max time network
151s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09-01-2025 02:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

386878a415d3edac8530e3b99769b40759bd105e3758b2c68887440e8890ee55.exe
Size

10.8MB
MD5

55672946ffc3fa0b0c7670bf37d45225
SHA1

669cba1aad9659aeff1a94b584b0e7ad3acb7c79
SHA256

386878a415d3edac8530e3b99769b40759bd105e3758b2c68887440e8890ee55
SHA512

24a9b4461cd2b6942c681a70a9aea88b4715d8f42498ae546453739bae1faab20ce7ec9a248be35141cabc715aaf932a2294bc3fdd228d58fee7fd6e9343e6e7
SSDEEP

49152:Y7dvDhzETOIntW9y3yP2QAuxQzxEzwYjiwVTkO2kZBtk8hsuIm49DWm/S52LKN1o:

Score

10^/10

dcrat discovery evasion execution infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\WmiPrvSE.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\csrss.exe\", \"C:\\Users\\Default User\\services.exe\""	containerwebruntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\WmiPrvSE.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\csrss.exe\", \"C:\\Users\\Default User\\services.exe\", \"C:\\Users\\Public\\Music\\drivEn414.exe\""	containerwebruntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\WmiPrvSE.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\csrss.exe\", \"C:\\Users\\Default User\\services.exe\", \"C:\\Users\\Public\\Music\\drivEn414.exe\", \"C:\\Windows\\Vss\\Writers\\Application\\sppsvc.exe\""	containerwebruntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\WmiPrvSE.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\csrss.exe\", \"C:\\Users\\Default User\\services.exe\", \"C:\\Users\\Public\\Music\\drivEn414.exe\", \"C:\\Windows\\Vss\\Writers\\Application\\sppsvc.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\surrogateDriverintoSessionNet\\containerwebruntime.exe\""	containerwebruntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\WmiPrvSE.exe\""	containerwebruntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\WmiPrvSE.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\csrss.exe\""	containerwebruntime.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	1524	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	1524	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2484	1524	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	1524	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	1524	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	1524	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3064	1524	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	1524	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	1524	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	484	1524	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	1524	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	1524	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	1524	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	1524	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	1524	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	1524	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	1524	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	576	1524	schtasks.exe	38

Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3052	powershell.exe
2648	powershell.exe
1512	powershell.exe
1484	powershell.exe
3040	powershell.exe
592	powershell.exe
2728	powershell.exe
2680	powershell.exe
2608	powershell.exe
1144	powershell.exe
2672	powershell.exe
1436	powershell.exe
2884	powershell.exe
1664	powershell.exe
2600	powershell.exe
2164	powershell.exe
2068	powershell.exe
2624	powershell.exe

Disables Task Manager via registry modification
evasion

Executes dropped EXE 4 IoCs

pid	Process
3068	sqls414.exe
2688	drivEn414.exe
848	containerwebruntime.exe
2272	WmiPrvSE.exe

Loads dropped DLL 8 IoCs

pid	Process
2688	drivEn414.exe
2688	drivEn414.exe
2688	drivEn414.exe
2688	drivEn414.exe
2688	drivEn414.exe
2688	drivEn414.exe
2152	cmd.exe
2152	cmd.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\drivEn414 = "\"C:\\Users\\Public\\Music\\drivEn414.exe\""	containerwebruntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\drivEn414 = "\"C:\\Users\\Public\\Music\\drivEn414.exe\""	containerwebruntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\containerwebruntime = "\"C:\\Users\\Admin\\AppData\\Roaming\\surrogateDriverintoSessionNet\\containerwebruntime.exe\""	containerwebruntime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\WmiPrvSE.exe\""	containerwebruntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\WmiPrvSE.exe\""	containerwebruntime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\csrss.exe\""	containerwebruntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\csrss.exe\""	containerwebruntime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Users\\Default User\\services.exe\""	containerwebruntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Users\\Default User\\services.exe\""	containerwebruntime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\Vss\\Writers\\Application\\sppsvc.exe\""	containerwebruntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\Vss\\Writers\\Application\\sppsvc.exe\""	containerwebruntime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\containerwebruntime = "\"C:\\Users\\Admin\\AppData\\Roaming\\surrogateDriverintoSessionNet\\containerwebruntime.exe\""	containerwebruntime.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSCE38EE99E7A094F5E968548DE5D1B4C9.TMP	csc.exe
File created	\??\c:\Windows\System32\dzuhbf.exe	csc.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Vss\Writers\Application\sppsvc.exe	containerwebruntime.exe
File opened for modification	C:\Windows\Vss\Writers\Application\sppsvc.exe	containerwebruntime.exe
File created	C:\Windows\Vss\Writers\Application\0a1fd5f707cd16	containerwebruntime.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sqls414.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	drivEn414.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2904	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3064	schtasks.exe
484	schtasks.exe
2780	schtasks.exe
2828	schtasks.exe
2632	schtasks.exe
2652	schtasks.exe
2516	schtasks.exe
3008	schtasks.exe
2836	schtasks.exe
2484	schtasks.exe
2084	schtasks.exe
3032	schtasks.exe
2644	schtasks.exe
576	schtasks.exe
2176	schtasks.exe
1972	schtasks.exe
2244	schtasks.exe
2732	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
848	containerwebruntime.exe
848	containerwebruntime.exe
848	containerwebruntime.exe
848	containerwebruntime.exe
848	containerwebruntime.exe
848	containerwebruntime.exe
848	containerwebruntime.exe
848	containerwebruntime.exe
848	containerwebruntime.exe
848	containerwebruntime.exe
848	containerwebruntime.exe
848	containerwebruntime.exe
848	containerwebruntime.exe
848	containerwebruntime.exe
848	containerwebruntime.exe
848	containerwebruntime.exe
848	containerwebruntime.exe
848	containerwebruntime.exe
848	containerwebruntime.exe
848	containerwebruntime.exe
848	containerwebruntime.exe
848	containerwebruntime.exe
848	containerwebruntime.exe
848	containerwebruntime.exe
848	containerwebruntime.exe
848	containerwebruntime.exe
848	containerwebruntime.exe
848	containerwebruntime.exe
848	containerwebruntime.exe
848	containerwebruntime.exe
848	containerwebruntime.exe
848	containerwebruntime.exe
848	containerwebruntime.exe
848	containerwebruntime.exe
848	containerwebruntime.exe
848	containerwebruntime.exe
848	containerwebruntime.exe
848	containerwebruntime.exe
848	containerwebruntime.exe
848	containerwebruntime.exe
848	containerwebruntime.exe
848	containerwebruntime.exe
848	containerwebruntime.exe
848	containerwebruntime.exe
848	containerwebruntime.exe
848	containerwebruntime.exe
848	containerwebruntime.exe
848	containerwebruntime.exe
848	containerwebruntime.exe
848	containerwebruntime.exe
848	containerwebruntime.exe
848	containerwebruntime.exe
848	containerwebruntime.exe
848	containerwebruntime.exe
848	containerwebruntime.exe
848	containerwebruntime.exe
848	containerwebruntime.exe
848	containerwebruntime.exe
848	containerwebruntime.exe
848	containerwebruntime.exe
848	containerwebruntime.exe
848	containerwebruntime.exe
848	containerwebruntime.exe
848	containerwebruntime.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2688	drivEn414.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	848	containerwebruntime.exe
Token: SeDebugPrivilege	2672	powershell.exe
Token: SeDebugPrivilege	2648	powershell.exe
Token: SeDebugPrivilege	2680	powershell.exe
Token: SeDebugPrivilege	2600	powershell.exe
Token: SeDebugPrivilege	2884	powershell.exe
Token: SeDebugPrivilege	1484	powershell.exe
Token: SeDebugPrivilege	3052	powershell.exe
Token: SeDebugPrivilege	592	powershell.exe
Token: SeDebugPrivilege	1436	powershell.exe
Token: SeDebugPrivilege	2164	powershell.exe
Token: SeDebugPrivilege	3040	powershell.exe
Token: SeDebugPrivilege	1512	powershell.exe
Token: SeDebugPrivilege	2728	powershell.exe
Token: SeDebugPrivilege	1664	powershell.exe
Token: SeDebugPrivilege	2068	powershell.exe
Token: SeDebugPrivilege	2608	powershell.exe
Token: SeDebugPrivilege	1144	powershell.exe
Token: SeDebugPrivilege	2624	powershell.exe
Token: SeDebugPrivilege	2272	WmiPrvSE.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 3068	2380	386878a415d3edac8530e3b99769b40759bd105e3758b2c68887440e8890ee55.exe	31
PID 2380 wrote to memory of 3068	2380	386878a415d3edac8530e3b99769b40759bd105e3758b2c68887440e8890ee55.exe	31
PID 2380 wrote to memory of 3068	2380	386878a415d3edac8530e3b99769b40759bd105e3758b2c68887440e8890ee55.exe	31
PID 2380 wrote to memory of 3068	2380	386878a415d3edac8530e3b99769b40759bd105e3758b2c68887440e8890ee55.exe	31
PID 2380 wrote to memory of 2688	2380	386878a415d3edac8530e3b99769b40759bd105e3758b2c68887440e8890ee55.exe	32
PID 2380 wrote to memory of 2688	2380	386878a415d3edac8530e3b99769b40759bd105e3758b2c68887440e8890ee55.exe	32
PID 2380 wrote to memory of 2688	2380	386878a415d3edac8530e3b99769b40759bd105e3758b2c68887440e8890ee55.exe	32
PID 2380 wrote to memory of 2688	2380	386878a415d3edac8530e3b99769b40759bd105e3758b2c68887440e8890ee55.exe	32
PID 2380 wrote to memory of 2688	2380	386878a415d3edac8530e3b99769b40759bd105e3758b2c68887440e8890ee55.exe	32
PID 2380 wrote to memory of 2688	2380	386878a415d3edac8530e3b99769b40759bd105e3758b2c68887440e8890ee55.exe	32
PID 2380 wrote to memory of 2688	2380	386878a415d3edac8530e3b99769b40759bd105e3758b2c68887440e8890ee55.exe	32
PID 3068 wrote to memory of 2868	3068	sqls414.exe	33
PID 3068 wrote to memory of 2868	3068	sqls414.exe	33
PID 3068 wrote to memory of 2868	3068	sqls414.exe	33
PID 3068 wrote to memory of 2868	3068	sqls414.exe	33
PID 2868 wrote to memory of 2152	2868	WScript.exe	34
PID 2868 wrote to memory of 2152	2868	WScript.exe	34
PID 2868 wrote to memory of 2152	2868	WScript.exe	34
PID 2868 wrote to memory of 2152	2868	WScript.exe	34
PID 2152 wrote to memory of 2904	2152	cmd.exe	36
PID 2152 wrote to memory of 2904	2152	cmd.exe	36
PID 2152 wrote to memory of 2904	2152	cmd.exe	36
PID 2152 wrote to memory of 2904	2152	cmd.exe	36
PID 2152 wrote to memory of 848	2152	cmd.exe	37
PID 2152 wrote to memory of 848	2152	cmd.exe	37
PID 2152 wrote to memory of 848	2152	cmd.exe	37
PID 2152 wrote to memory of 848	2152	cmd.exe	37
PID 848 wrote to memory of 768	848	containerwebruntime.exe	42
PID 848 wrote to memory of 768	848	containerwebruntime.exe	42
PID 848 wrote to memory of 768	848	containerwebruntime.exe	42
PID 768 wrote to memory of 804	768	csc.exe	44
PID 768 wrote to memory of 804	768	csc.exe	44
PID 768 wrote to memory of 804	768	csc.exe	44
PID 848 wrote to memory of 2608	848	containerwebruntime.exe	60
PID 848 wrote to memory of 2608	848	containerwebruntime.exe	60
PID 848 wrote to memory of 2608	848	containerwebruntime.exe	60
PID 848 wrote to memory of 2068	848	containerwebruntime.exe	61
PID 848 wrote to memory of 2068	848	containerwebruntime.exe	61
PID 848 wrote to memory of 2068	848	containerwebruntime.exe	61
PID 848 wrote to memory of 2624	848	containerwebruntime.exe	62
PID 848 wrote to memory of 2624	848	containerwebruntime.exe	62
PID 848 wrote to memory of 2624	848	containerwebruntime.exe	62
PID 848 wrote to memory of 2648	848	containerwebruntime.exe	63
PID 848 wrote to memory of 2648	848	containerwebruntime.exe	63
PID 848 wrote to memory of 2648	848	containerwebruntime.exe	63
PID 848 wrote to memory of 2672	848	containerwebruntime.exe	64
PID 848 wrote to memory of 2672	848	containerwebruntime.exe	64
PID 848 wrote to memory of 2672	848	containerwebruntime.exe	64
PID 848 wrote to memory of 2680	848	containerwebruntime.exe	65
PID 848 wrote to memory of 2680	848	containerwebruntime.exe	65
PID 848 wrote to memory of 2680	848	containerwebruntime.exe	65
PID 848 wrote to memory of 2728	848	containerwebruntime.exe	66
PID 848 wrote to memory of 2728	848	containerwebruntime.exe	66
PID 848 wrote to memory of 2728	848	containerwebruntime.exe	66
PID 848 wrote to memory of 2164	848	containerwebruntime.exe	67
PID 848 wrote to memory of 2164	848	containerwebruntime.exe	67
PID 848 wrote to memory of 2164	848	containerwebruntime.exe	67
PID 848 wrote to memory of 2884	848	containerwebruntime.exe	68
PID 848 wrote to memory of 2884	848	containerwebruntime.exe	68
PID 848 wrote to memory of 2884	848	containerwebruntime.exe	68
PID 848 wrote to memory of 592	848	containerwebruntime.exe	69
PID 848 wrote to memory of 592	848	containerwebruntime.exe	69
PID 848 wrote to memory of 592	848	containerwebruntime.exe	69
PID 848 wrote to memory of 3040	848	containerwebruntime.exe	70

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\386878a415d3edac8530e3b99769b40759bd105e3758b2c68887440e8890ee55.exe
"C:\Users\Admin\AppData\Local\Temp\386878a415d3edac8530e3b99769b40759bd105e3758b2c68887440e8890ee55.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Users\Admin\AppData\Local\Temp\sqls414.exe
  "C:\Users\Admin\AppData\Local\Temp\sqls414.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\surrogateDriverintoSessionNet\2zt0n56bOhbwB2KzszETxYw2RuinHOyyQibCEaRYFawepzaxIU2GKt.vbe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2868
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Roaming\surrogateDriverintoSessionNet\2PE3PxTrTQg.bat" "
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2152
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2904
    - - C:\Users\Admin\AppData\Roaming\surrogateDriverintoSessionNet\containerwebruntime.exe
        
        "C:\Users\Admin\AppData\Roaming\surrogateDriverintoSessionNet/containerwebruntime.exe"
        5⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:848
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qahuresm\qahuresm.cmdline"
        6⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:768
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2D19.tmp" "c:\Windows\System32\CSCE38EE99E7A094F5E968548DE5D1B4C9.TMP"
        7⤵
        
        PID:804
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2608
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2068
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2624
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2648
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2672
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2680
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2728
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2164
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2884
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:592
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3040
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3052
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\WmiPrvSE.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2600
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1436
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\services.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1664
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Music\drivEn414.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1484
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Vss\Writers\Application\sppsvc.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1512
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\surrogateDriverintoSessionNet\containerwebruntime.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1144
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IZ6zoBjP2r.bat"
        6⤵
        
        PID:1296
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:2892
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2780
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\WmiPrvSE.exe
        
        "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\WmiPrvSE.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2272
- C:\Users\Admin\AppData\Local\Temp\drivEn414.exe
  "C:\Users\Admin\AppData\Local\Temp\drivEn414.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "drivEn414d" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Music\drivEn414.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "drivEn414" /sc ONLOGON /tr "'C:\Users\Public\Music\drivEn414.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "drivEn414d" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Music\drivEn414.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Windows\Vss\Writers\Application\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\Application\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Windows\Vss\Writers\Application\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "containerwebruntimec" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\Roaming\surrogateDriverintoSessionNet\containerwebruntime.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "containerwebruntime" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\surrogateDriverintoSessionNet\containerwebruntime.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "containerwebruntimec" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\AppData\Roaming\surrogateDriverintoSessionNet\containerwebruntime.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IZ6zoBjP2r.bat

Filesize
237B

MD5
5d25e2a19794ff1f2e49770984bfb02b

SHA1
1cfcebc1e27190713814295d67c175a3e0b20bca

SHA256
b13484b3f666898c5ec1d2d472013bd3c0338cd200f9ba091efa052006af57f9

SHA512
37c7c39030472d341c460efc402690e574747f12fca335e06ff08aaec71a3b14a9c5830344b4ae15cbf2797f16efbdd47a79932e25572f718c3aa27872996182

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2D19.tmp

Filesize
1KB

MD5
8a27abdaaebcb4b04ba54d813ea69bb5

SHA1
c99b91f440b45c27a55b07b78bd712960419e02c

SHA256
09094f9c7b50031572b98c2c64129478de86e7767f6823ccd566caa57d00b119

SHA512
e747a0432238e069dfc36fa1ec8c6fe8e1b820384f2774c643e663d2580c4c67e50408351d02247a4440b404211575e19a19c918592cb1a032e42fb319c39d9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\drivEn414.exe

Filesize
1.8MB

MD5
5036e609163e98f3ac06d5e82b677df8

SHA1
176db10a4cda7104f24eece2d87e1a664b7fb929

SHA256
b2afe799584c913532c673f99ade45113bf5a5b605a964ce9fa837f563b6fc21

SHA512
40c4332e2e4132fc7f3a5f0738a67e7725b329c4a4b0643fbc65f5d1de3ca4b6bf7374c2a722ea05f01a5e2ddd458344289fdb39bbb092a0b64e63eb168313e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstD413.tmp\InstallOptions.ini

Filesize
1KB

MD5
9dfd1ee892ab31effba0b1c1cd4dfffd

SHA1
d8a7e872c03e0a7cdd9a58ddee0bba7e91921bc5

SHA256
9814593512395dbf754c83a17a45937e849fb20b27bcc3a9873833649a0bf462

SHA512
6aa7b53362b30045a15c1dcc2806fed0314b035e900238051b86e33618500dd978e8df4a485624461155deacc87b98117d3b61868b97cc8e02f9700ed3189226

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstD413.tmp\InstallOptions.ini

Filesize
1KB

MD5
e2808f4be298a32ae279ee9ebacd0a0c

SHA1
b7929c346ba7a7aa690a766e4f70bc1d44f75460

SHA256
99b98f333848dacc5df866402181a6e2441fff0f9cdbb2a26f5f2c5d5dd12c52

SHA512
a305986b1eb907caa77616bcf3b9929fcbef8156b9162a942b1720ae32b34e1ba0537c553b54e750a22c3106fdb33870c346dd1f9d72db7d0baa6d318c3752a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\sqls414.exe

Filesize
2.2MB

MD5
a79959f25eda4401d0f5e7b370d6c613

SHA1
d2f9766917469c7b14bf3300304f3e305977deec

SHA256
0bc4be6a914008d39b8934bf6032d64f82d839dd42a441a51eabe3d7deaf4a32

SHA512
261945ccac0c43458f6b4530b0ffe72f25bff08b1d7f75d126cbfc05b30172aff097e5a0c216d11f97042c91c8eedc95956ce4e82ffac84646bddd8c7326e0a3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
d41e96a3b2a8e1f43f25740f57518e33

SHA1
94cbfc39ab224bd81cd56be91e5ee131badc1ecd

SHA256
f6288957c55c30a83f740ce5f8124e354fb2ba2d6f1e2ac85d0c5ea377561ac3

SHA512
6bfdd9df5ce3cabcdd570c7ade79a16e2cacbfa43473aa9a493f3c670859edc58c6d5647c1313dd47f6e35ac3d29de5d02a1c32b8c40bf3bc99d09246f0ec8e9

Download Submit
C:\Users\Admin\AppData\Roaming\surrogateDriverintoSessionNet\2PE3PxTrTQg.bat

Filesize
213B

MD5
fe3af328a3c1ad2712245ea437d47613

SHA1
2b79946a9b86296cc85a5b42cd4eb5ec750d0af8

SHA256
23e6b4ab5963d8273c7fc2c2bc8cc00f43b52d394008c48d61b0566a9562d41a

SHA512
b7677891c88966e435f55a15ff83cb6b1cbe5f67b58745f95e2a4814dcf1a2f123395dc9841a24e237cc17e3609836f08e6dfb606c35c47a54d62e38ed2b6b8d

Download Submit
C:\Users\Admin\AppData\Roaming\surrogateDriverintoSessionNet\2zt0n56bOhbwB2KzszETxYw2RuinHOyyQibCEaRYFawepzaxIU2GKt.vbe

Filesize
226B

MD5
41bb352391fb715e18562592b8a1eaef

SHA1
b836dceab0d0c78ebc4c47894f2fe8d06d4fcf68

SHA256
f72b4ad1bb1a2d8e3b4e03082f05aac7767465b862c43b69b18cfe75df3c184c

SHA512
010bc79e98cc43aed0d9ac3cb5ca6011bc04cda0f6322faa2dec0c2d5d692ce07985b7806ffcbec8d76de7c90e7b88332d52ab665ea557c506c194bfcb0995ee

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qahuresm\qahuresm.0.cs

Filesize
393B

MD5
5629152401ac0007241f7545103796b2

SHA1
8221e3b5f6a61bbbd259268f0f985ce26321a589

SHA256
1663e2ff3042bfab114a4ac9641382cccf20abd1108629fd415e3fecb9687eeb

SHA512
696e1867e27b24fd8ab2358b9558b124e7093b656af4525a24081bda10535f0ec20c3bb4582a99156175fde535121bddceea62c1eae36e98b63056c8bd6efcdf

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qahuresm\qahuresm.cmdline

Filesize
235B

MD5
fdaea0c281dbb3faa82dabb37292f3d9

SHA1
3d0df2db320b320a63450f6d0ed7b524425c9863

SHA256
b8e72c2c70617bacfcbfb5f1e50800a958787ffd76c39711b61b3d4ac83271d2

SHA512
d3773b98f62dfbf2c0f75e6cc421e1fa78454e9dba4af7c89edaf920021799c00c7403c0583cf34950ac0c94fcaea36b24b098ff12b68886b78f95d62c351d41

Download Submit
\??\c:\Windows\System32\CSCE38EE99E7A094F5E968548DE5D1B4C9.TMP

Filesize
1KB

MD5
9446a6998523ec187daa3d79bec9c8fa

SHA1
16c7f73aef03c8a15b4d9e8b1cfa5183caf7ca96

SHA256
f55f1bd2c1246cfb3b60cd8649fcc78b3837896bdf5132d6fc8ea0ecabf892d7

SHA512
fac3ad1b0c8663aaa94cd66b6ea0aa1848e570ff4a22b709cf2696abb76e28f42fb0d2a74316a7ad86bb6216177013c6b71ce2f4df139edc3054a03ee3467c9d

Download Submit
\Users\Admin\AppData\Local\Temp\nstD413.tmp\InstallOptions.dll

Filesize
15KB

MD5
ece25721125d55aa26cdfe019c871476

SHA1
b87685ae482553823bf95e73e790de48dc0c11ba

SHA256
c7fef6457989d97fecc0616a69947927da9d8c493f7905dc8475c748f044f3cf

SHA512
4e384735d03c943f5eb3396bb3a9cb42c9d8a5479fe2871de5b8bc18db4bbd6e2c5f8fd71b6840512a7249e12a1c63e0e760417e4baa3dc30f51375588410480

Download Submit
\Users\Admin\AppData\Local\Temp\nstD413.tmp\LangDLL.dll

Filesize
5KB

MD5
68b287f4067ba013e34a1339afdb1ea8

SHA1
45ad585b3cc8e5a6af7b68f5d8269c97992130b3

SHA256
18e8b40ba22c7a1687bd16e8d585380bc2773fff5002d7d67e9485fcc0c51026

SHA512
06c38bbb07fb55256f3cdc24e77b3c8f3214f25bfd140b521a39d167113bf307a7e8d24e445d510bc5e4e41d33c9173bb14e3f2a38bc29a0e3d08c1f0dca4bdb

Download Submit
\Users\Admin\AppData\Local\Temp\nstD413.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
\Users\Admin\AppData\Roaming\surrogateDriverintoSessionNet\containerwebruntime.exe

Filesize
1.9MB

MD5
77967721ce1c8b3f0eb800bd33527897

SHA1
6cace6db7c38ec0f438b9d7a2a323a90e703a904

SHA256
524fdb6f99ba45ba54d3445bffb08d32f63e0642516da16d4b31b8ba22325bd7

SHA512
5c0c90952462704c879125ebf9102796608dd7d8722f84183706bcb4748057ed23894e00f1d6b078ab8d8e7089b818cf9fde7090302e83b5d0431418ec833165

Download Submit
memory/848-207-0x0000000000580000-0x0000000000592000-memory.dmp

Filesize
72KB

Download
memory/848-199-0x0000000000EE0000-0x00000000010D6000-memory.dmp

Filesize
2.0MB

Download
memory/848-209-0x0000000000410000-0x000000000041E000-memory.dmp

Filesize
56KB

Download
memory/848-211-0x0000000000420000-0x000000000042C000-memory.dmp

Filesize
48KB

Download
memory/848-203-0x0000000000430000-0x000000000044C000-memory.dmp

Filesize
112KB

Download
memory/848-201-0x0000000000280000-0x000000000028E000-memory.dmp

Filesize
56KB

Download
memory/848-205-0x0000000000560000-0x0000000000578000-memory.dmp

Filesize
96KB

Download
memory/2272-333-0x0000000001110000-0x0000000001306000-memory.dmp

Filesize
2.0MB

Download
memory/2380-0-0x000007FEF5F8E000-0x000007FEF5F8F000-memory.dmp

Filesize
4KB

Download
memory/2380-4-0x000007FEF5CD0000-0x000007FEF666D000-memory.dmp

Filesize
9.6MB

Download
memory/2380-3-0x000007FEF5CD0000-0x000007FEF666D000-memory.dmp

Filesize
9.6MB

Download
memory/2380-13-0x000007FEF5CD0000-0x000007FEF666D000-memory.dmp

Filesize
9.6MB

Download
memory/2672-269-0x0000000001E10000-0x0000000001E18000-memory.dmp

Filesize
32KB

Download
memory/2672-253-0x000000001B4E0000-0x000000001B7C2000-memory.dmp

Filesize
2.9MB

Download