Overview

overview

10

Static

static

3

386878a415...55.exe

windows7-x64

10

386878a415...55.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    96s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-01-2025 02:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    386878a415d3edac8530e3b99769b40759bd105e3758b2c68887440e8890ee55.exe

  • Size

    10.8MB

  • MD5

    55672946ffc3fa0b0c7670bf37d45225

  • SHA1

    669cba1aad9659aeff1a94b584b0e7ad3acb7c79

  • SHA256

    386878a415d3edac8530e3b99769b40759bd105e3758b2c68887440e8890ee55

  • SHA512

    24a9b4461cd2b6942c681a70a9aea88b4715d8f42498ae546453739bae1faab20ce7ec9a248be35141cabc715aaf932a2294bc3fdd228d58fee7fd6e9343e6e7

  • SSDEEP

    49152:Y7dvDhzETOIntW9y3yP2QAuxQzxEzwYjiwVTkO2kZBtk8hsuIm49DWm/S52LKN1o:

Score
10/10
dcratdiscoveryevasionexecutioninfostealerpersistenceratspywarestealer

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
    persistence
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Disables Task Manager via registry modification
    evasion
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 6 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 12 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Modifies registry class 2 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 19 IoCs
  • Suspicious use of WriteProcessMemory 63 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\386878a415d3edac8530e3b99769b40759bd105e3758b2c68887440e8890ee55.exe
    "C:\Users\Admin\AppData\Local\Temp\386878a415d3edac8530e3b99769b40759bd105e3758b2c68887440e8890ee55.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:5036
    • C:\Users\Admin\AppData\Local\Temp\sqls287.exe
      "C:\Users\Admin\AppData\Local\Temp\sqls287.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3516
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\surrogateDriverintoSessionNet\2zt0n56bOhbwB2KzszETxYw2RuinHOyyQibCEaRYFawepzaxIU2GKt.vbe"
        3⤵
        • Checks computer location settings
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:532
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\surrogateDriverintoSessionNet\2PE3PxTrTQg.bat" "
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2124
          • C:\Windows\SysWOW64\reg.exe
            reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:4656
          • C:\Users\Admin\AppData\Roaming\surrogateDriverintoSessionNet\containerwebruntime.exe
            "C:\Users\Admin\AppData\Roaming\surrogateDriverintoSessionNet/containerwebruntime.exe"
            5⤵
            • Modifies WinLogon for persistence
            • Checks computer location settings
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4868
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\52jn0jqz\52jn0jqz.cmdline"
              6⤵
              • Drops file in System32 directory
              • Suspicious use of WriteProcessMemory
              PID:1780
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFC42.tmp" "c:\Windows\System32\CSC536C2CC4B6C340AD967C5DCA7F5B9DB9.TMP"
                7⤵
                  PID:1524
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
                6⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious use of AdjustPrivilegeToken
                PID:3464
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
                6⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious use of AdjustPrivilegeToken
                PID:3668
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
                6⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious use of AdjustPrivilegeToken
                PID:2992
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
                6⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious use of AdjustPrivilegeToken
                PID:2848
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
                6⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious use of AdjustPrivilegeToken
                PID:4756
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
                6⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious use of AdjustPrivilegeToken
                PID:3932
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
                6⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious use of AdjustPrivilegeToken
                PID:552
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
                6⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious use of AdjustPrivilegeToken
                PID:2156
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
                6⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious use of AdjustPrivilegeToken
                PID:2452
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
                6⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious use of AdjustPrivilegeToken
                PID:3560
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
                6⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious use of AdjustPrivilegeToken
                PID:1060
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'
                6⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious use of AdjustPrivilegeToken
                PID:812
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\wininit.exe'
                6⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious use of AdjustPrivilegeToken
                PID:4436
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Performance\WinSAT\csrss.exe'
                6⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious use of AdjustPrivilegeToken
                PID:2180
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\csrss.exe'
                6⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious use of AdjustPrivilegeToken
                PID:4676
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\WaaSMedicAgent.exe'
                6⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious use of AdjustPrivilegeToken
                PID:4492
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\surrogateDriverintoSessionNet\containerwebruntime.exe'
                6⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious use of AdjustPrivilegeToken
                PID:3676
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IFjh6HEAyw.bat"
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:2508
                • C:\Windows\system32\chcp.com
                  chcp 65001
                  7⤵
                    PID:5148
                  • C:\Windows\system32\PING.EXE
                    ping -n 10 localhost
                    7⤵
                    • System Network Configuration Discovery: Internet Connection Discovery
                    • Runs ping.exe
                    PID:5372
                  • C:\Windows\Performance\WinSAT\csrss.exe
                    "C:\Windows\Performance\WinSAT\csrss.exe"
                    7⤵
                    • Executes dropped EXE
                    • Suspicious use of AdjustPrivilegeToken
                    PID:5980
        • C:\Users\Admin\AppData\Local\Temp\drivEn480.exe
          "C:\Users\Admin\AppData\Local\Temp\drivEn480.exe"
          2⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:5028
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3396
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2140
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1492
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1680
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1896
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:5044
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\Performance\WinSAT\csrss.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:232
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2236
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\Performance\WinSAT\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2040
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Photo Viewer\csrss.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2732
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2304
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Photo Viewer\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3872
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Portable Devices\WaaSMedicAgent.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1620
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\WaaSMedicAgent.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2684
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Portable Devices\WaaSMedicAgent.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3484
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "containerwebruntimec" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\Roaming\surrogateDriverintoSessionNet\containerwebruntime.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2372
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "containerwebruntime" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\surrogateDriverintoSessionNet\containerwebruntime.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3272
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "containerwebruntimec" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Roaming\surrogateDriverintoSessionNet\containerwebruntime.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:5064

      Network

      MITRE ATT&CK Enterprise v15

      Reconnaissance

      Resource Development

      Initial Access

      Execution

      Command and Scripting Interpreter

      1
      T1059

      PowerShell

      1
      T1059.001

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Persistence

      Boot or Logon Autostart Execution

      2
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Winlogon Helper DLL

      1
      T1547.004

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Privilege Escalation

      Boot or Logon Autostart Execution

      2
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Winlogon Helper DLL

      1
      T1547.004

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Defense Evasion

      Modify Registry

      3
      T1112

      Credential Access

      Credentials from Password Stores

      1
      T1555

      Credentials from Web Browsers

      1
      T1555.003

      Unsecured Credentials

      1
      T1552

      Credentials In Files

      1
      T1552.001

      Discovery

      Query Registry

      2
      T1012

      Remote System Discovery

      1
      T1018

      System Information Discovery

      2
      T1082

      System Location Discovery

      1
      T1614

      System Language Discovery

      1
      T1614.001

      System Network Configuration Discovery

      1
      T1016

      Internet Connection Discovery

      1
      T1016.001

      Lateral Movement

      Collection

      Data from Local System

      1
      T1005

      Command and Control

      Exfiltration

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
        Filesize

        2KB

        MD5

        d85ba6ff808d9e5444a4b369f5bc2730

        SHA1

        31aa9d96590fff6981b315e0b391b575e4c0804a

        SHA256

        84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

        SHA512

        8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        d28a889fd956d5cb3accfbaf1143eb6f

        SHA1

        157ba54b365341f8ff06707d996b3635da8446f7

        SHA256

        21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

        SHA512

        0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        62623d22bd9e037191765d5083ce16a3

        SHA1

        4a07da6872672f715a4780513d95ed8ddeefd259

        SHA256

        95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

        SHA512

        9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        2e907f77659a6601fcc408274894da2e

        SHA1

        9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

        SHA256

        385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

        SHA512

        34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        bd5940f08d0be56e65e5f2aaf47c538e

        SHA1

        d7e31b87866e5e383ab5499da64aba50f03e8443

        SHA256

        2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

        SHA512

        c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        3a6bad9528f8e23fb5c77fbd81fa28e8

        SHA1

        f127317c3bc6407f536c0f0600dcbcf1aabfba36

        SHA256

        986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

        SHA512

        846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IFjh6HEAyw.bat
        Filesize

        167B

        MD5

        1c6c67bd396c93a0e3f38783f0c75164

        SHA1

        f9d132a7c3e1a7a7540f6e194d2a11cddbba6a45

        SHA256

        88c8a602faa8ce891419852b99965dfd18758424ceccc8b9857c594dbd97a320

        SHA512

        d04d0f2202d5224696bd7915201bff3e1999a794219767cfbf3daa655c94c186a18dfa47eeda16508a4385d46d5fd0350d75a04c32d1c11db469aa6287130d5d

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\RESFC42.tmp
        Filesize

        1KB

        MD5

        e06e6897566cc6c37aab8fb17517dda6

        SHA1

        20f2cbf181d56f94dcf21d83519f31725a42b9be

        SHA256

        7f81dcfa7e86d2bcd548b0886f5c7d09293b95c4ce69965c12838f6f230b8714

        SHA512

        cda4eab6ed39063c1aee54ea626838a46d58e23ee74263c39b03847dd2caef8823bccf8763e1c2459aab80576fd6c085a7c7ef6dd3cf496320ba8f123672d6cf

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0ktpnhem.v0u.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\drivEn480.exe
        Filesize

        1.8MB

        MD5

        5036e609163e98f3ac06d5e82b677df8

        SHA1

        176db10a4cda7104f24eece2d87e1a664b7fb929

        SHA256

        b2afe799584c913532c673f99ade45113bf5a5b605a964ce9fa837f563b6fc21

        SHA512

        40c4332e2e4132fc7f3a5f0738a67e7725b329c4a4b0643fbc65f5d1de3ca4b6bf7374c2a722ea05f01a5e2ddd458344289fdb39bbb092a0b64e63eb168313e4

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\nsqA1C0.tmp\InstallOptions.dll
        Filesize

        15KB

        MD5

        ece25721125d55aa26cdfe019c871476

        SHA1

        b87685ae482553823bf95e73e790de48dc0c11ba

        SHA256

        c7fef6457989d97fecc0616a69947927da9d8c493f7905dc8475c748f044f3cf

        SHA512

        4e384735d03c943f5eb3396bb3a9cb42c9d8a5479fe2871de5b8bc18db4bbd6e2c5f8fd71b6840512a7249e12a1c63e0e760417e4baa3dc30f51375588410480

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\nsqA1C0.tmp\InstallOptions.ini
        Filesize

        1KB

        MD5

        e5dd53a41fdda8c5115dcf8da01f7a8f

        SHA1

        efa23f6884a510fb44b6ee6009d16bebcaa36427

        SHA256

        6e0e9bbbd5cddfba1b9aee31852e3ad8a7111104e6d9aaa93da58292f2875c23

        SHA512

        ae8c8a7ff6d9348e043ebf2706f2fb1438e9200617d808028a060cf2102aa2229e2ce47e154e6821f71688dd00671fa2953e563e56accff96179c921878e1224

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\nsqA1C0.tmp\InstallOptions.ini
        Filesize

        1KB

        MD5

        e2808f4be298a32ae279ee9ebacd0a0c

        SHA1

        b7929c346ba7a7aa690a766e4f70bc1d44f75460

        SHA256

        99b98f333848dacc5df866402181a6e2441fff0f9cdbb2a26f5f2c5d5dd12c52

        SHA512

        a305986b1eb907caa77616bcf3b9929fcbef8156b9162a942b1720ae32b34e1ba0537c553b54e750a22c3106fdb33870c346dd1f9d72db7d0baa6d318c3752a2

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\nsqA1C0.tmp\LangDLL.dll
        Filesize

        5KB

        MD5

        68b287f4067ba013e34a1339afdb1ea8

        SHA1

        45ad585b3cc8e5a6af7b68f5d8269c97992130b3

        SHA256

        18e8b40ba22c7a1687bd16e8d585380bc2773fff5002d7d67e9485fcc0c51026

        SHA512

        06c38bbb07fb55256f3cdc24e77b3c8f3214f25bfd140b521a39d167113bf307a7e8d24e445d510bc5e4e41d33c9173bb14e3f2a38bc29a0e3d08c1f0dca4bdb

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\nsqA1C0.tmp\System.dll
        Filesize

        12KB

        MD5

        cff85c549d536f651d4fb8387f1976f2

        SHA1

        d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

        SHA256

        8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

        SHA512

        531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\sqls287.exe
        Filesize

        2.2MB

        MD5

        a79959f25eda4401d0f5e7b370d6c613

        SHA1

        d2f9766917469c7b14bf3300304f3e305977deec

        SHA256

        0bc4be6a914008d39b8934bf6032d64f82d839dd42a441a51eabe3d7deaf4a32

        SHA512

        261945ccac0c43458f6b4530b0ffe72f25bff08b1d7f75d126cbfc05b30172aff097e5a0c216d11f97042c91c8eedc95956ce4e82ffac84646bddd8c7326e0a3

        Download Submit

      • C:\Users\Admin\AppData\Roaming\surrogateDriverintoSessionNet\2PE3PxTrTQg.bat
        Filesize

        213B

        MD5

        fe3af328a3c1ad2712245ea437d47613

        SHA1

        2b79946a9b86296cc85a5b42cd4eb5ec750d0af8

        SHA256

        23e6b4ab5963d8273c7fc2c2bc8cc00f43b52d394008c48d61b0566a9562d41a

        SHA512

        b7677891c88966e435f55a15ff83cb6b1cbe5f67b58745f95e2a4814dcf1a2f123395dc9841a24e237cc17e3609836f08e6dfb606c35c47a54d62e38ed2b6b8d

        Download Submit

      • C:\Users\Admin\AppData\Roaming\surrogateDriverintoSessionNet\2zt0n56bOhbwB2KzszETxYw2RuinHOyyQibCEaRYFawepzaxIU2GKt.vbe
        Filesize

        226B

        MD5

        41bb352391fb715e18562592b8a1eaef

        SHA1

        b836dceab0d0c78ebc4c47894f2fe8d06d4fcf68

        SHA256

        f72b4ad1bb1a2d8e3b4e03082f05aac7767465b862c43b69b18cfe75df3c184c

        SHA512

        010bc79e98cc43aed0d9ac3cb5ca6011bc04cda0f6322faa2dec0c2d5d692ce07985b7806ffcbec8d76de7c90e7b88332d52ab665ea557c506c194bfcb0995ee

        Download Submit

      • C:\Users\Admin\AppData\Roaming\surrogateDriverintoSessionNet\containerwebruntime.exe
        Filesize

        1.9MB

        MD5

        77967721ce1c8b3f0eb800bd33527897

        SHA1

        6cace6db7c38ec0f438b9d7a2a323a90e703a904

        SHA256

        524fdb6f99ba45ba54d3445bffb08d32f63e0642516da16d4b31b8ba22325bd7

        SHA512

        5c0c90952462704c879125ebf9102796608dd7d8722f84183706bcb4748057ed23894e00f1d6b078ab8d8e7089b818cf9fde7090302e83b5d0431418ec833165

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\52jn0jqz\52jn0jqz.0.cs
        Filesize

        369B

        MD5

        34996d419115abcfb45dedb65fc62c33

        SHA1

        76fa4d4e033a1805cf12fb14f9e4afbb507083c1

        SHA256

        8dc95cc6366d1c4e3a34369cb79e36dcda2cf6a31f60e786f404f8d5007f9077

        SHA512

        2d900d8522d50b0dcce2bcff1cfc007b61a7d7ed387fb91f5a3942f4a052b3fc0fd21dc2e4c9533636d97263a9ec32b47906451918d5c18100bc6a49c967f5d2

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\52jn0jqz\52jn0jqz.cmdline
        Filesize

        235B

        MD5

        632643372dba326655ad553ae81b803c

        SHA1

        734bc412687b8b04e9b2b6fd7f457e6d979da48b

        SHA256

        9ec60c05aae357b638f7cf194d1e81330e3036b0570dc76be3d3138c4eab8240

        SHA512

        d6b99942b4dd5752b34125f9fe4d848816fde2abaafc60eb5c56f4e3ca3e066b6671fc15669806c67557a0717a4466844aef80a6ebf54b650e09a5fae96601b8

        Download Submit

      • \??\c:\Windows\System32\CSC536C2CC4B6C340AD967C5DCA7F5B9DB9.TMP
        Filesize

        1KB

        MD5

        ad61927912f86c7c9f1e72720f4ef0ef

        SHA1

        dbb61d9d5c7310c85716fe9f445fee2151cef437

        SHA256

        bf2696fc2183af293d74c988add5772c1c7257c2e85ae754e43cbe0e1d105a1e

        SHA512

        33b6f9f93672bd0ecb68e553de0ce92dd6b773c62da7721c9544171df7de8b8588e9ba42e13836db5d5ffc078ca656993f8d06a857dda5a27e1d639d5a6fb3ee

        Download Submit

      • memory/3932-243-0x000002214F280000-0x000002214F2A2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/4868-205-0x000000001B820000-0x000000001B870000-memory.dmp

        Filesize

        320KB

        Download

      • memory/4868-212-0x0000000002820000-0x000000000282E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/4868-210-0x000000001BDA0000-0x000000001C2C8000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/4868-209-0x000000001B7D0000-0x000000001B7E2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4868-207-0x000000001B290000-0x000000001B2A8000-memory.dmp

        Filesize

        96KB

        Download

      • memory/4868-214-0x000000001B250000-0x000000001B25C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/4868-204-0x000000001B270000-0x000000001B28C000-memory.dmp

        Filesize

        112KB

        Download

      • memory/4868-202-0x0000000002810000-0x000000000281E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/4868-200-0x0000000000540000-0x0000000000736000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/5036-0-0x00007FFE44115000-0x00007FFE44116000-memory.dmp

        Filesize

        4KB

        Download

      • memory/5036-22-0x00007FFE43E60000-0x00007FFE44801000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/5036-2-0x00007FFE43E60000-0x00007FFE44801000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/5036-1-0x00007FFE43E60000-0x00007FFE44801000-memory.dmp

        Filesize

        9.6MB

        Download