dcrat | 386878a415d3edac8530e3b99769b40759bd105e3758b2c68887440e8890ee55

Analysis

max time kernel
121s
max time network
151s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
13-01-2025 14:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Sigmanly_386878a415d3edac8530e3b99769b40759bd105e3758b2c68887440e8890ee55.exe
Size

10.8MB
MD5

55672946ffc3fa0b0c7670bf37d45225
SHA1

669cba1aad9659aeff1a94b584b0e7ad3acb7c79
SHA256

386878a415d3edac8530e3b99769b40759bd105e3758b2c68887440e8890ee55
SHA512

24a9b4461cd2b6942c681a70a9aea88b4715d8f42498ae546453739bae1faab20ce7ec9a248be35141cabc715aaf932a2294bc3fdd228d58fee7fd6e9343e6e7
SSDEEP

49152:Y7dvDhzETOIntW9y3yP2QAuxQzxEzwYjiwVTkO2kZBtk8hsuIm49DWm/S52LKN1o:

Score

10^/10

dcrat discovery evasion execution infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\fr\\containerwebruntime.exe\", \"C:\\MSOCache\\All Users\\WmiPrvSE.exe\", \"C:\\Windows\\Migration\\WTR\\containerwebruntime.exe\", \"C:\\Users\\All Users\\winlogon.exe\""	containerwebruntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\fr\\containerwebruntime.exe\", \"C:\\MSOCache\\All Users\\WmiPrvSE.exe\", \"C:\\Windows\\Migration\\WTR\\containerwebruntime.exe\", \"C:\\Users\\All Users\\winlogon.exe\", \"C:\\Windows\\Downloaded Program Files\\csrss.exe\""	containerwebruntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\fr\\containerwebruntime.exe\", \"C:\\MSOCache\\All Users\\WmiPrvSE.exe\", \"C:\\Windows\\Migration\\WTR\\containerwebruntime.exe\", \"C:\\Users\\All Users\\winlogon.exe\", \"C:\\Windows\\Downloaded Program Files\\csrss.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\surrogateDriverintoSessionNet\\containerwebruntime.exe\""	containerwebruntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\fr\\containerwebruntime.exe\""	containerwebruntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\fr\\containerwebruntime.exe\", \"C:\\MSOCache\\All Users\\WmiPrvSE.exe\""	containerwebruntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\fr\\containerwebruntime.exe\", \"C:\\MSOCache\\All Users\\WmiPrvSE.exe\", \"C:\\Windows\\Migration\\WTR\\containerwebruntime.exe\""	containerwebruntime.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	288	776	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2552	776	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	776	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2464	776	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1544	776	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	776	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	776	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1420	776	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	776	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	776	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	776	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2392	776	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	776	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	776	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	776	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	776	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	776	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	776	schtasks.exe	38

Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2700	powershell.exe
2748	powershell.exe
2980	powershell.exe
2512	powershell.exe
2996	powershell.exe
2684	powershell.exe
2736	powershell.exe
2024	powershell.exe
2416	powershell.exe
2504	powershell.exe
1612	powershell.exe
2856	powershell.exe
2780	powershell.exe
2436	powershell.exe
340	powershell.exe
2956	powershell.exe
2696	powershell.exe
1308	powershell.exe

Disables Task Manager via registry modification
evasion

Executes dropped EXE 4 IoCs

pid	Process
2608	sqls33.exe
2012	drivEn33.exe
1972	containerwebruntime.exe
2600	containerwebruntime.exe

Loads dropped DLL 8 IoCs

pid	Process
2012	drivEn33.exe
2012	drivEn33.exe
2012	drivEn33.exe
2012	drivEn33.exe
2012	drivEn33.exe
2012	drivEn33.exe
2584	cmd.exe
2584	cmd.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\containerwebruntime = "\"C:\\Users\\Admin\\AppData\\Roaming\\surrogateDriverintoSessionNet\\containerwebruntime.exe\""	containerwebruntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\containerwebruntime = "\"C:\\Users\\Admin\\AppData\\Roaming\\surrogateDriverintoSessionNet\\containerwebruntime.exe\""	containerwebruntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\MSOCache\\All Users\\WmiPrvSE.exe\""	containerwebruntime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\containerwebruntime = "\"C:\\Windows\\Migration\\WTR\\containerwebruntime.exe\""	containerwebruntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\containerwebruntime = "\"C:\\Windows\\Migration\\WTR\\containerwebruntime.exe\""	containerwebruntime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\All Users\\winlogon.exe\""	containerwebruntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\All Users\\winlogon.exe\""	containerwebruntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\Downloaded Program Files\\csrss.exe\""	containerwebruntime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\containerwebruntime = "\"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\fr\\containerwebruntime.exe\""	containerwebruntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\containerwebruntime = "\"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\fr\\containerwebruntime.exe\""	containerwebruntime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\MSOCache\\All Users\\WmiPrvSE.exe\""	containerwebruntime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\Downloaded Program Files\\csrss.exe\""	containerwebruntime.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSCFD7649C0A000447DA361EF843BC64D9D.TMP	csc.exe
File created	\??\c:\Windows\System32\_f1q_j.exe	csc.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\containerwebruntime.exe	containerwebruntime.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\89a29d32a0dd9b	containerwebruntime.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\Downloaded Program Files\csrss.exe	containerwebruntime.exe
File opened for modification	C:\Windows\Downloaded Program Files\csrss.exe	containerwebruntime.exe
File created	C:\Windows\Downloaded Program Files\886983d96e3d3e	containerwebruntime.exe
File created	C:\Windows\Migration\WTR\containerwebruntime.exe	containerwebruntime.exe
File created	C:\Windows\Migration\WTR\89a29d32a0dd9b	containerwebruntime.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	drivEn33.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sqls33.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1648	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
288	schtasks.exe
2400	schtasks.exe
2952	schtasks.exe
2928	schtasks.exe
2552	schtasks.exe
2948	schtasks.exe
2464	schtasks.exe
1420	schtasks.exe
2180	schtasks.exe
2704	schtasks.exe
2680	schtasks.exe
2772	schtasks.exe
2392	schtasks.exe
2160	schtasks.exe
2592	schtasks.exe
1544	schtasks.exe
1540	schtasks.exe
2576	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1972	containerwebruntime.exe
1972	containerwebruntime.exe
1972	containerwebruntime.exe
1972	containerwebruntime.exe
1972	containerwebruntime.exe
1972	containerwebruntime.exe
1972	containerwebruntime.exe
1972	containerwebruntime.exe
1972	containerwebruntime.exe
1972	containerwebruntime.exe
1972	containerwebruntime.exe
1972	containerwebruntime.exe
1972	containerwebruntime.exe
1972	containerwebruntime.exe
1972	containerwebruntime.exe
1972	containerwebruntime.exe
1972	containerwebruntime.exe
1972	containerwebruntime.exe
1972	containerwebruntime.exe
1972	containerwebruntime.exe
1972	containerwebruntime.exe
1972	containerwebruntime.exe
1972	containerwebruntime.exe
1972	containerwebruntime.exe
1972	containerwebruntime.exe
1972	containerwebruntime.exe
1972	containerwebruntime.exe
1972	containerwebruntime.exe
1972	containerwebruntime.exe
1972	containerwebruntime.exe
1972	containerwebruntime.exe
1972	containerwebruntime.exe
1972	containerwebruntime.exe
1972	containerwebruntime.exe
1972	containerwebruntime.exe
1972	containerwebruntime.exe
1972	containerwebruntime.exe
1972	containerwebruntime.exe
1972	containerwebruntime.exe
1972	containerwebruntime.exe
1972	containerwebruntime.exe
1972	containerwebruntime.exe
1972	containerwebruntime.exe
1972	containerwebruntime.exe
1972	containerwebruntime.exe
1972	containerwebruntime.exe
1972	containerwebruntime.exe
1972	containerwebruntime.exe
1972	containerwebruntime.exe
1972	containerwebruntime.exe
1972	containerwebruntime.exe
1972	containerwebruntime.exe
1972	containerwebruntime.exe
1972	containerwebruntime.exe
1972	containerwebruntime.exe
1972	containerwebruntime.exe
1972	containerwebruntime.exe
1972	containerwebruntime.exe
1972	containerwebruntime.exe
1972	containerwebruntime.exe
1972	containerwebruntime.exe
1972	containerwebruntime.exe
1972	containerwebruntime.exe
1972	containerwebruntime.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2012	drivEn33.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	1972	containerwebruntime.exe
Token: SeDebugPrivilege	2780	powershell.exe
Token: SeDebugPrivilege	2696	powershell.exe
Token: SeDebugPrivilege	2748	powershell.exe
Token: SeDebugPrivilege	2856	powershell.exe
Token: SeDebugPrivilege	340	powershell.exe
Token: SeDebugPrivilege	2736	powershell.exe
Token: SeDebugPrivilege	2700	powershell.exe
Token: SeDebugPrivilege	2684	powershell.exe
Token: SeDebugPrivilege	2416	powershell.exe
Token: SeDebugPrivilege	2504	powershell.exe
Token: SeDebugPrivilege	2956	powershell.exe
Token: SeDebugPrivilege	2980	powershell.exe
Token: SeDebugPrivilege	2512	powershell.exe
Token: SeDebugPrivilege	2996	powershell.exe
Token: SeDebugPrivilege	2024	powershell.exe
Token: SeDebugPrivilege	2436	powershell.exe
Token: SeDebugPrivilege	1612	powershell.exe
Token: SeDebugPrivilege	1308	powershell.exe
Token: SeDebugPrivilege	2600	containerwebruntime.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2592 wrote to memory of 2608	2592	Sigmanly_386878a415d3edac8530e3b99769b40759bd105e3758b2c68887440e8890ee55.exe	30
PID 2592 wrote to memory of 2608	2592	Sigmanly_386878a415d3edac8530e3b99769b40759bd105e3758b2c68887440e8890ee55.exe	30
PID 2592 wrote to memory of 2608	2592	Sigmanly_386878a415d3edac8530e3b99769b40759bd105e3758b2c68887440e8890ee55.exe	30
PID 2592 wrote to memory of 2608	2592	Sigmanly_386878a415d3edac8530e3b99769b40759bd105e3758b2c68887440e8890ee55.exe	30
PID 2592 wrote to memory of 2012	2592	Sigmanly_386878a415d3edac8530e3b99769b40759bd105e3758b2c68887440e8890ee55.exe	31
PID 2592 wrote to memory of 2012	2592	Sigmanly_386878a415d3edac8530e3b99769b40759bd105e3758b2c68887440e8890ee55.exe	31
PID 2592 wrote to memory of 2012	2592	Sigmanly_386878a415d3edac8530e3b99769b40759bd105e3758b2c68887440e8890ee55.exe	31
PID 2592 wrote to memory of 2012	2592	Sigmanly_386878a415d3edac8530e3b99769b40759bd105e3758b2c68887440e8890ee55.exe	31
PID 2592 wrote to memory of 2012	2592	Sigmanly_386878a415d3edac8530e3b99769b40759bd105e3758b2c68887440e8890ee55.exe	31
PID 2592 wrote to memory of 2012	2592	Sigmanly_386878a415d3edac8530e3b99769b40759bd105e3758b2c68887440e8890ee55.exe	31
PID 2592 wrote to memory of 2012	2592	Sigmanly_386878a415d3edac8530e3b99769b40759bd105e3758b2c68887440e8890ee55.exe	31
PID 2608 wrote to memory of 2864	2608	sqls33.exe	32
PID 2608 wrote to memory of 2864	2608	sqls33.exe	32
PID 2608 wrote to memory of 2864	2608	sqls33.exe	32
PID 2608 wrote to memory of 2864	2608	sqls33.exe	32
PID 2864 wrote to memory of 2584	2864	WScript.exe	34
PID 2864 wrote to memory of 2584	2864	WScript.exe	34
PID 2864 wrote to memory of 2584	2864	WScript.exe	34
PID 2864 wrote to memory of 2584	2864	WScript.exe	34
PID 2584 wrote to memory of 1648	2584	cmd.exe	36
PID 2584 wrote to memory of 1648	2584	cmd.exe	36
PID 2584 wrote to memory of 1648	2584	cmd.exe	36
PID 2584 wrote to memory of 1648	2584	cmd.exe	36
PID 2584 wrote to memory of 1972	2584	cmd.exe	37
PID 2584 wrote to memory of 1972	2584	cmd.exe	37
PID 2584 wrote to memory of 1972	2584	cmd.exe	37
PID 2584 wrote to memory of 1972	2584	cmd.exe	37
PID 1972 wrote to memory of 2376	1972	containerwebruntime.exe	42
PID 1972 wrote to memory of 2376	1972	containerwebruntime.exe	42
PID 1972 wrote to memory of 2376	1972	containerwebruntime.exe	42
PID 2376 wrote to memory of 884	2376	csc.exe	44
PID 2376 wrote to memory of 884	2376	csc.exe	44
PID 2376 wrote to memory of 884	2376	csc.exe	44
PID 1972 wrote to memory of 2684	1972	containerwebruntime.exe	60
PID 1972 wrote to memory of 2684	1972	containerwebruntime.exe	60
PID 1972 wrote to memory of 2684	1972	containerwebruntime.exe	60
PID 1972 wrote to memory of 2700	1972	containerwebruntime.exe	61
PID 1972 wrote to memory of 2700	1972	containerwebruntime.exe	61
PID 1972 wrote to memory of 2700	1972	containerwebruntime.exe	61
PID 1972 wrote to memory of 2856	1972	containerwebruntime.exe	62
PID 1972 wrote to memory of 2856	1972	containerwebruntime.exe	62
PID 1972 wrote to memory of 2856	1972	containerwebruntime.exe	62
PID 1972 wrote to memory of 2780	1972	containerwebruntime.exe	63
PID 1972 wrote to memory of 2780	1972	containerwebruntime.exe	63
PID 1972 wrote to memory of 2780	1972	containerwebruntime.exe	63
PID 1972 wrote to memory of 2696	1972	containerwebruntime.exe	64
PID 1972 wrote to memory of 2696	1972	containerwebruntime.exe	64
PID 1972 wrote to memory of 2696	1972	containerwebruntime.exe	64
PID 1972 wrote to memory of 2748	1972	containerwebruntime.exe	65
PID 1972 wrote to memory of 2748	1972	containerwebruntime.exe	65
PID 1972 wrote to memory of 2748	1972	containerwebruntime.exe	65
PID 1972 wrote to memory of 2736	1972	containerwebruntime.exe	66
PID 1972 wrote to memory of 2736	1972	containerwebruntime.exe	66
PID 1972 wrote to memory of 2736	1972	containerwebruntime.exe	66
PID 1972 wrote to memory of 2024	1972	containerwebruntime.exe	67
PID 1972 wrote to memory of 2024	1972	containerwebruntime.exe	67
PID 1972 wrote to memory of 2024	1972	containerwebruntime.exe	67
PID 1972 wrote to memory of 2504	1972	containerwebruntime.exe	68
PID 1972 wrote to memory of 2504	1972	containerwebruntime.exe	68
PID 1972 wrote to memory of 2504	1972	containerwebruntime.exe	68
PID 1972 wrote to memory of 2512	1972	containerwebruntime.exe	69
PID 1972 wrote to memory of 2512	1972	containerwebruntime.exe	69
PID 1972 wrote to memory of 2512	1972	containerwebruntime.exe	69
PID 1972 wrote to memory of 2436	1972	containerwebruntime.exe	71

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Sigmanly_386878a415d3edac8530e3b99769b40759bd105e3758b2c68887440e8890ee55.exe
"C:\Users\Admin\AppData\Local\Temp\Sigmanly_386878a415d3edac8530e3b99769b40759bd105e3758b2c68887440e8890ee55.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2592
- C:\Users\Admin\AppData\Local\Temp\sqls33.exe
  "C:\Users\Admin\AppData\Local\Temp\sqls33.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2608
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\surrogateDriverintoSessionNet\2zt0n56bOhbwB2KzszETxYw2RuinHOyyQibCEaRYFawepzaxIU2GKt.vbe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2864
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Roaming\surrogateDriverintoSessionNet\2PE3PxTrTQg.bat" "
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2584
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1648
    - - C:\Users\Admin\AppData\Roaming\surrogateDriverintoSessionNet\containerwebruntime.exe
        
        "C:\Users\Admin\AppData\Roaming\surrogateDriverintoSessionNet/containerwebruntime.exe"
        5⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1972
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jcehdflh\jcehdflh.cmdline"
        6⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1046.tmp" "c:\Windows\System32\CSCFD7649C0A000447DA361EF843BC64D9D.TMP"
        7⤵
        
        PID:884
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2684
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2700
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2856
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2780
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2696
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2748
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2736
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2024
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2504
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2512
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2436
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2416
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\containerwebruntime.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1308
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\WmiPrvSE.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2980
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Migration\WTR\containerwebruntime.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:340
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\winlogon.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1612
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Downloaded Program Files\csrss.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2956
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\surrogateDriverintoSessionNet\containerwebruntime.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2996
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\e4aLNZZ626.bat"
        6⤵
        
        PID:2084
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:2916
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2160
        
        C:\Windows\Migration\WTR\containerwebruntime.exe
        
        "C:\Windows\Migration\WTR\containerwebruntime.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2600
- C:\Users\Admin\AppData\Local\Temp\drivEn33.exe
  "C:\Users\Admin\AppData\Local\Temp\drivEn33.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "containerwebruntimec" /sc MINUTE /mo 5 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\containerwebruntime.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "containerwebruntime" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\containerwebruntime.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "containerwebruntimec" /sc MINUTE /mo 12 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\containerwebruntime.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "containerwebruntimec" /sc MINUTE /mo 10 /tr "'C:\Windows\Migration\WTR\containerwebruntime.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "containerwebruntime" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\containerwebruntime.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "containerwebruntimec" /sc MINUTE /mo 10 /tr "'C:\Windows\Migration\WTR\containerwebruntime.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\All Users\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\Downloaded Program Files\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\Downloaded Program Files\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "containerwebruntimec" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\AppData\Roaming\surrogateDriverintoSessionNet\containerwebruntime.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "containerwebruntime" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\surrogateDriverintoSessionNet\containerwebruntime.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "containerwebruntimec" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\Roaming\surrogateDriverintoSessionNet\containerwebruntime.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES1046.tmp

Filesize
1KB

MD5
b37f728a5992142a1b822f224565ce18

SHA1
a067d446b7a04b684cc1e834f4c64fee914d4725

SHA256
d86e315591b27217896f6e6e876b967ccf5dc14a6fb0870c533a852608ae7546

SHA512
7194e4a420d28b04a6a5a90717936719dee892f84b0d8f7ac4d68a9938e6104615aea10c2f237e95c7f085c906cf87e7f1a4635a4fc783c10f941365ddd7c735

Download Submit
C:\Users\Admin\AppData\Local\Temp\drivEn33.exe

Filesize
1.8MB

MD5
5036e609163e98f3ac06d5e82b677df8

SHA1
176db10a4cda7104f24eece2d87e1a664b7fb929

SHA256
b2afe799584c913532c673f99ade45113bf5a5b605a964ce9fa837f563b6fc21

SHA512
40c4332e2e4132fc7f3a5f0738a67e7725b329c4a4b0643fbc65f5d1de3ca4b6bf7374c2a722ea05f01a5e2ddd458344289fdb39bbb092a0b64e63eb168313e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\e4aLNZZ626.bat

Filesize
224B

MD5
0df2c3213c5c803f25cddb1916c3dd45

SHA1
3fd6eb0eaa98a3ec856d600c80352447042363db

SHA256
430b37db780999898349f15ee8ca74774feec685a85e3238be054155e87d4ac6

SHA512
7e28b4045206b808b71fe2ec6b7cbaf42002e5450f15af3cf5a92910c517919e5a85a714a8b7ed2e1927bb398bc199f8dba4eb8091acd69a5aed51dc5313a745

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjB5F9.tmp\InstallOptions.ini

Filesize
1KB

MD5
55d6eae52a7fd7f62aef242cb057b940

SHA1
89845ec6d8ccbbe3cb47633efba7b711572b9e0e

SHA256
c95933f87f7fe1552fef218ac2ba09bc79dfef2c67853ddcf0a496b3717050b2

SHA512
b67cca68d69930a54b837ceb86fff5210e01e8962c15cbe723dd804154bd30096b813edeb5a4e275fb9cdd9ca346041613bb0fd5bf6aaee9630539cf934685e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\sqls33.exe

Filesize
2.2MB

MD5
a79959f25eda4401d0f5e7b370d6c613

SHA1
d2f9766917469c7b14bf3300304f3e305977deec

SHA256
0bc4be6a914008d39b8934bf6032d64f82d839dd42a441a51eabe3d7deaf4a32

SHA512
261945ccac0c43458f6b4530b0ffe72f25bff08b1d7f75d126cbfc05b30172aff097e5a0c216d11f97042c91c8eedc95956ce4e82ffac84646bddd8c7326e0a3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
fd9693af48e477c8d0d8a0b52d7632bd

SHA1
198ef467708950a487c023fc92a76a750c61666e

SHA256
11dbae1e7df27895fb412dad92efc2432b4b6a5eb983220551304ba0d52a3ab9

SHA512
4c816542d20fc1b49bddce086fdf2f7d00d703721d2f1bcbf5bc0656159be45e6bc5adc70c8e3613b72bdc7587da3f9b520060bce312f00ebc56f809ea3eaa15

Download Submit
C:\Users\Admin\AppData\Roaming\surrogateDriverintoSessionNet\2PE3PxTrTQg.bat

Filesize
213B

MD5
fe3af328a3c1ad2712245ea437d47613

SHA1
2b79946a9b86296cc85a5b42cd4eb5ec750d0af8

SHA256
23e6b4ab5963d8273c7fc2c2bc8cc00f43b52d394008c48d61b0566a9562d41a

SHA512
b7677891c88966e435f55a15ff83cb6b1cbe5f67b58745f95e2a4814dcf1a2f123395dc9841a24e237cc17e3609836f08e6dfb606c35c47a54d62e38ed2b6b8d

Download Submit
C:\Users\Admin\AppData\Roaming\surrogateDriverintoSessionNet\2zt0n56bOhbwB2KzszETxYw2RuinHOyyQibCEaRYFawepzaxIU2GKt.vbe

Filesize
226B

MD5
41bb352391fb715e18562592b8a1eaef

SHA1
b836dceab0d0c78ebc4c47894f2fe8d06d4fcf68

SHA256
f72b4ad1bb1a2d8e3b4e03082f05aac7767465b862c43b69b18cfe75df3c184c

SHA512
010bc79e98cc43aed0d9ac3cb5ca6011bc04cda0f6322faa2dec0c2d5d692ce07985b7806ffcbec8d76de7c90e7b88332d52ab665ea557c506c194bfcb0995ee

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jcehdflh\jcehdflh.0.cs

Filesize
421B

MD5
01e3220ccca3d8568f7b7ad5b51dfc75

SHA1
5515c7b4abedc1a46cb6ecb4813fab5f73fa3655

SHA256
81eb2064636e3492c436c0159d985def8cb358c1744fa57683fa782bc8105ab9

SHA512
51ee36929cb58159f3dc64b1c18b1a61f18793593e93e621bce28ff7f059b5a65c63ba3ec7530a4fcd5c2d569700c191fc928e7200514bb01ad7b07266275c73

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jcehdflh\jcehdflh.cmdline

Filesize
235B

MD5
23b3c191a66ff21ee418e86127c8da10

SHA1
d068b07cdb5a94b8e40f267c02c81074bc43943b

SHA256
b8d32aa26c3ab886509602123fe11be98cf98da4c4b89cf82aaffe01a0769779

SHA512
0a1c62c1882c2173f7b4d5c2153953112faa3fbd3bdbb5a73c948cbb558841ffc80a1152abdfbdc82f07197c96fc5a8944926bd58273006eb519df3cb2ed4a08

Download Submit
\??\c:\Windows\System32\CSCFD7649C0A000447DA361EF843BC64D9D.TMP

Filesize
1KB

MD5
fccbcfaf29fdccaabada579f7aaf3ae7

SHA1
f9b179b6aab6b96908d89b35aab3f503478a956d

SHA256
e70bc8ad14a70d490fe92ed86e79c40fc133a64428a2781e14514b16d83a9b02

SHA512
ac047b4ba060e72e224c1afdebbdafecbfd705a67cb8f0cd5c82bf7980c2baa23bdb5bf5d821836bc0c426069a61d8e112b45239887d2d81b8a6d4fa839c1e10

Download Submit
\Users\Admin\AppData\Local\Temp\nsjB5F9.tmp\InstallOptions.dll

Filesize
15KB

MD5
ece25721125d55aa26cdfe019c871476

SHA1
b87685ae482553823bf95e73e790de48dc0c11ba

SHA256
c7fef6457989d97fecc0616a69947927da9d8c493f7905dc8475c748f044f3cf

SHA512
4e384735d03c943f5eb3396bb3a9cb42c9d8a5479fe2871de5b8bc18db4bbd6e2c5f8fd71b6840512a7249e12a1c63e0e760417e4baa3dc30f51375588410480

Download Submit
\Users\Admin\AppData\Local\Temp\nsjB5F9.tmp\LangDLL.dll

Filesize
5KB

MD5
68b287f4067ba013e34a1339afdb1ea8

SHA1
45ad585b3cc8e5a6af7b68f5d8269c97992130b3

SHA256
18e8b40ba22c7a1687bd16e8d585380bc2773fff5002d7d67e9485fcc0c51026

SHA512
06c38bbb07fb55256f3cdc24e77b3c8f3214f25bfd140b521a39d167113bf307a7e8d24e445d510bc5e4e41d33c9173bb14e3f2a38bc29a0e3d08c1f0dca4bdb

Download Submit
\Users\Admin\AppData\Local\Temp\nsjB5F9.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
\Users\Admin\AppData\Roaming\surrogateDriverintoSessionNet\containerwebruntime.exe

Filesize
1.9MB

MD5
77967721ce1c8b3f0eb800bd33527897

SHA1
6cace6db7c38ec0f438b9d7a2a323a90e703a904

SHA256
524fdb6f99ba45ba54d3445bffb08d32f63e0642516da16d4b31b8ba22325bd7

SHA512
5c0c90952462704c879125ebf9102796608dd7d8722f84183706bcb4748057ed23894e00f1d6b078ab8d8e7089b818cf9fde7090302e83b5d0431418ec833165

Download Submit
memory/1972-207-0x00000000006A0000-0x00000000006B2000-memory.dmp

Filesize
72KB

Download
memory/1972-205-0x0000000000680000-0x0000000000698000-memory.dmp

Filesize
96KB

Download
memory/1972-199-0x00000000002E0000-0x00000000004D6000-memory.dmp

Filesize
2.0MB

Download
memory/1972-209-0x0000000000290000-0x000000000029E000-memory.dmp

Filesize
56KB

Download
memory/1972-211-0x00000000002B0000-0x00000000002BC000-memory.dmp

Filesize
48KB

Download
memory/1972-203-0x00000000005E0000-0x00000000005FC000-memory.dmp

Filesize
112KB

Download
memory/1972-201-0x0000000000280000-0x000000000028E000-memory.dmp

Filesize
56KB

Download
memory/2592-0-0x000007FEF56FE000-0x000007FEF56FF000-memory.dmp

Filesize
4KB

Download
memory/2592-13-0x000007FEF5440000-0x000007FEF5DDD000-memory.dmp

Filesize
9.6MB

Download
memory/2592-4-0x000007FEF5440000-0x000007FEF5DDD000-memory.dmp

Filesize
9.6MB

Download
memory/2592-3-0x000007FEF5440000-0x000007FEF5DDD000-memory.dmp

Filesize
9.6MB

Download
memory/2600-333-0x0000000000B80000-0x0000000000D76000-memory.dmp

Filesize
2.0MB

Download
memory/2780-276-0x00000000027A0000-0x00000000027A8000-memory.dmp

Filesize
32KB

Download
memory/2780-261-0x000000001B4D0000-0x000000001B7B2000-memory.dmp

Filesize
2.9MB

Download