dcrat | 386878a415d3edac8530e3b99769b40759bd105e3758b2c68887440e8890ee55

Analysis

max time kernel
149s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-01-2025 14:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Sigmanly_386878a415d3edac8530e3b99769b40759bd105e3758b2c68887440e8890ee55.exe
Size

10.8MB
MD5

55672946ffc3fa0b0c7670bf37d45225
SHA1

669cba1aad9659aeff1a94b584b0e7ad3acb7c79
SHA256

386878a415d3edac8530e3b99769b40759bd105e3758b2c68887440e8890ee55
SHA512

24a9b4461cd2b6942c681a70a9aea88b4715d8f42498ae546453739bae1faab20ce7ec9a248be35141cabc715aaf932a2294bc3fdd228d58fee7fd6e9343e6e7
SSDEEP

49152:Y7dvDhzETOIntW9y3yP2QAuxQzxEzwYjiwVTkO2kZBtk8hsuIm49DWm/S52LKN1o:

Score

10^/10

dcrat discovery evasion execution infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Multimedia Platform\\services.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\de-DE\\winlogon.exe\", \"C:\\Program Files\\Java\\jre-1.8\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\csrss.exe\""	containerwebruntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Multimedia Platform\\services.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\de-DE\\winlogon.exe\", \"C:\\Program Files\\Java\\jre-1.8\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\csrss.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\surrogateDriverintoSessionNet\\containerwebruntime.exe\""	containerwebruntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Multimedia Platform\\services.exe\""	containerwebruntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Multimedia Platform\\services.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\de-DE\\winlogon.exe\""	containerwebruntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Multimedia Platform\\services.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\de-DE\\winlogon.exe\", \"C:\\Program Files\\Java\\jre-1.8\\fontdrvhost.exe\""	containerwebruntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Multimedia Platform\\services.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\de-DE\\winlogon.exe\", \"C:\\Program Files\\Java\\jre-1.8\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\""	containerwebruntime.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	4856	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5032	4856	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4200	4856	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4840	4856	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4564	4856	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	4856	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4016	4856	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3996	4856	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1404	4856	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4808	4856	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4176	4856	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3744	4856	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4212	4856	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	4856	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	4856	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	936	4856	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1408	4856	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3444	4856	schtasks.exe	88

Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3832	powershell.exe
1484	powershell.exe
116	powershell.exe
3020	powershell.exe
4424	powershell.exe
2080	powershell.exe
1388	powershell.exe
4280	powershell.exe
1020	powershell.exe
2676	powershell.exe
3392	powershell.exe
3908	powershell.exe
4956	powershell.exe
1256	powershell.exe
512	powershell.exe
2264	powershell.exe
4036	powershell.exe

Disables Task Manager via registry modification
evasion

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	containerwebruntime.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Sigmanly_386878a415d3edac8530e3b99769b40759bd105e3758b2c68887440e8890ee55.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	sqls901.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 4 IoCs

pid	Process
1520	sqls901.exe
2784	drivEn901.exe
4952	containerwebruntime.exe
6016	csrss.exe

Loads dropped DLL 6 IoCs

pid	Process
2784	drivEn901.exe
2784	drivEn901.exe
2784	drivEn901.exe
2784	drivEn901.exe
2784	drivEn901.exe
2784	drivEn901.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\de-DE\\winlogon.exe\""	containerwebruntime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files\\Java\\jre-1.8\\fontdrvhost.exe\""	containerwebruntime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Windows Multimedia Platform\\csrss.exe\""	containerwebruntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Windows Multimedia Platform\\csrss.exe\""	containerwebruntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\containerwebruntime = "\"C:\\Users\\Admin\\AppData\\Roaming\\surrogateDriverintoSessionNet\\containerwebruntime.exe\""	containerwebruntime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files (x86)\\Windows Multimedia Platform\\services.exe\""	containerwebruntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files (x86)\\Windows Multimedia Platform\\services.exe\""	containerwebruntime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\""	containerwebruntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\""	containerwebruntime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\containerwebruntime = "\"C:\\Users\\Admin\\AppData\\Roaming\\surrogateDriverintoSessionNet\\containerwebruntime.exe\""	containerwebruntime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\de-DE\\winlogon.exe\""	containerwebruntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files\\Java\\jre-1.8\\fontdrvhost.exe\""	containerwebruntime.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC19213F1C18684C709E3BE03E4B23CFC.TMP	csc.exe
File created	\??\c:\Windows\System32\lhkpi-.exe	csc.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Multimedia Platform\csrss.exe	containerwebruntime.exe
File opened for modification	C:\Program Files\Windows Multimedia Platform\csrss.exe	containerwebruntime.exe
File created	C:\Program Files\Windows Multimedia Platform\886983d96e3d3e	containerwebruntime.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\Classic\fontdrvhost.exe	containerwebruntime.exe
File created	C:\Program Files\Java\jre-1.8\fontdrvhost.exe	containerwebruntime.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\de-DE\cc11b995f2a76d	containerwebruntime.exe
File created	C:\Program Files\Java\jre-1.8\5b884080fd4f94	containerwebruntime.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\de-DE\winlogon.exe	containerwebruntime.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\services.exe	containerwebruntime.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\c5b4cb5e9653cc	containerwebruntime.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\ImmersiveControlPanel\es-ES\winlogon.exe	containerwebruntime.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	drivEn901.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sqls901.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
5664	PING.EXE

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	sqls901.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	containerwebruntime.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2116	reg.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
5664	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
936	schtasks.exe
1700	schtasks.exe
4564	schtasks.exe
4808	schtasks.exe
2980	schtasks.exe
1960	schtasks.exe
4840	schtasks.exe
2616	schtasks.exe
3996	schtasks.exe
1404	schtasks.exe
4176	schtasks.exe
3744	schtasks.exe
4212	schtasks.exe
3444	schtasks.exe
5032	schtasks.exe
4200	schtasks.exe
4016	schtasks.exe
1408	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4952	containerwebruntime.exe
4952	containerwebruntime.exe
4952	containerwebruntime.exe
4952	containerwebruntime.exe
4952	containerwebruntime.exe
4952	containerwebruntime.exe
4952	containerwebruntime.exe
4952	containerwebruntime.exe
4952	containerwebruntime.exe
4952	containerwebruntime.exe
4952	containerwebruntime.exe
4952	containerwebruntime.exe
4952	containerwebruntime.exe
4952	containerwebruntime.exe
4952	containerwebruntime.exe
4952	containerwebruntime.exe
4952	containerwebruntime.exe
4952	containerwebruntime.exe
4952	containerwebruntime.exe
4952	containerwebruntime.exe
4952	containerwebruntime.exe
4952	containerwebruntime.exe
4952	containerwebruntime.exe
4952	containerwebruntime.exe
4952	containerwebruntime.exe
4952	containerwebruntime.exe
4952	containerwebruntime.exe
4952	containerwebruntime.exe
4952	containerwebruntime.exe
4952	containerwebruntime.exe
4952	containerwebruntime.exe
4952	containerwebruntime.exe
4952	containerwebruntime.exe
4952	containerwebruntime.exe
4952	containerwebruntime.exe
4952	containerwebruntime.exe
4952	containerwebruntime.exe
4952	containerwebruntime.exe
4952	containerwebruntime.exe
4952	containerwebruntime.exe
4952	containerwebruntime.exe
4952	containerwebruntime.exe
4952	containerwebruntime.exe
4952	containerwebruntime.exe
4952	containerwebruntime.exe
4952	containerwebruntime.exe
4952	containerwebruntime.exe
4952	containerwebruntime.exe
4952	containerwebruntime.exe
4952	containerwebruntime.exe
4952	containerwebruntime.exe
4952	containerwebruntime.exe
4952	containerwebruntime.exe
4952	containerwebruntime.exe
4952	containerwebruntime.exe
4952	containerwebruntime.exe
4952	containerwebruntime.exe
4952	containerwebruntime.exe
4952	containerwebruntime.exe
4952	containerwebruntime.exe
4952	containerwebruntime.exe
4952	containerwebruntime.exe
4952	containerwebruntime.exe
4952	containerwebruntime.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	4952	containerwebruntime.exe
Token: SeDebugPrivilege	4280	powershell.exe
Token: SeDebugPrivilege	1388	powershell.exe
Token: SeDebugPrivilege	3832	powershell.exe
Token: SeDebugPrivilege	3392	powershell.exe
Token: SeDebugPrivilege	2264	powershell.exe
Token: SeDebugPrivilege	1256	powershell.exe
Token: SeDebugPrivilege	2080	powershell.exe
Token: SeDebugPrivilege	3908	powershell.exe
Token: SeDebugPrivilege	116	powershell.exe
Token: SeDebugPrivilege	2676	powershell.exe
Token: SeDebugPrivilege	1484	powershell.exe
Token: SeDebugPrivilege	1020	powershell.exe
Token: SeDebugPrivilege	4956	powershell.exe
Token: SeDebugPrivilege	4424	powershell.exe
Token: SeDebugPrivilege	512	powershell.exe
Token: SeDebugPrivilege	4036	powershell.exe
Token: SeDebugPrivilege	3020	powershell.exe
Token: SeDebugPrivilege	6016	csrss.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 4840 wrote to memory of 1520	4840	Sigmanly_386878a415d3edac8530e3b99769b40759bd105e3758b2c68887440e8890ee55.exe	82
PID 4840 wrote to memory of 1520	4840	Sigmanly_386878a415d3edac8530e3b99769b40759bd105e3758b2c68887440e8890ee55.exe	82
PID 4840 wrote to memory of 1520	4840	Sigmanly_386878a415d3edac8530e3b99769b40759bd105e3758b2c68887440e8890ee55.exe	82
PID 4840 wrote to memory of 2784	4840	Sigmanly_386878a415d3edac8530e3b99769b40759bd105e3758b2c68887440e8890ee55.exe	83
PID 4840 wrote to memory of 2784	4840	Sigmanly_386878a415d3edac8530e3b99769b40759bd105e3758b2c68887440e8890ee55.exe	83
PID 4840 wrote to memory of 2784	4840	Sigmanly_386878a415d3edac8530e3b99769b40759bd105e3758b2c68887440e8890ee55.exe	83
PID 1520 wrote to memory of 4884	1520	sqls901.exe	84
PID 1520 wrote to memory of 4884	1520	sqls901.exe	84
PID 1520 wrote to memory of 4884	1520	sqls901.exe	84
PID 4884 wrote to memory of 1472	4884	WScript.exe	92
PID 4884 wrote to memory of 1472	4884	WScript.exe	92
PID 4884 wrote to memory of 1472	4884	WScript.exe	92
PID 1472 wrote to memory of 2116	1472	cmd.exe	94
PID 1472 wrote to memory of 2116	1472	cmd.exe	94
PID 1472 wrote to memory of 2116	1472	cmd.exe	94
PID 1472 wrote to memory of 4952	1472	cmd.exe	95
PID 1472 wrote to memory of 4952	1472	cmd.exe	95
PID 4952 wrote to memory of 1732	4952	containerwebruntime.exe	99
PID 4952 wrote to memory of 1732	4952	containerwebruntime.exe	99
PID 1732 wrote to memory of 4180	1732	csc.exe	101
PID 1732 wrote to memory of 4180	1732	csc.exe	101
PID 4952 wrote to memory of 3020	4952	containerwebruntime.exe	117
PID 4952 wrote to memory of 3020	4952	containerwebruntime.exe	117
PID 4952 wrote to memory of 4956	4952	containerwebruntime.exe	118
PID 4952 wrote to memory of 4956	4952	containerwebruntime.exe	118
PID 4952 wrote to memory of 3908	4952	containerwebruntime.exe	119
PID 4952 wrote to memory of 3908	4952	containerwebruntime.exe	119
PID 4952 wrote to memory of 116	4952	containerwebruntime.exe	120
PID 4952 wrote to memory of 116	4952	containerwebruntime.exe	120
PID 4952 wrote to memory of 1484	4952	containerwebruntime.exe	121
PID 4952 wrote to memory of 1484	4952	containerwebruntime.exe	121
PID 4952 wrote to memory of 3392	4952	containerwebruntime.exe	122
PID 4952 wrote to memory of 3392	4952	containerwebruntime.exe	122
PID 4952 wrote to memory of 2676	4952	containerwebruntime.exe	123
PID 4952 wrote to memory of 2676	4952	containerwebruntime.exe	123
PID 4952 wrote to memory of 1256	4952	containerwebruntime.exe	124
PID 4952 wrote to memory of 1256	4952	containerwebruntime.exe	124
PID 4952 wrote to memory of 3832	4952	containerwebruntime.exe	125
PID 4952 wrote to memory of 3832	4952	containerwebruntime.exe	125
PID 4952 wrote to memory of 4280	4952	containerwebruntime.exe	126
PID 4952 wrote to memory of 4280	4952	containerwebruntime.exe	126
PID 4952 wrote to memory of 1388	4952	containerwebruntime.exe	127
PID 4952 wrote to memory of 1388	4952	containerwebruntime.exe	127
PID 4952 wrote to memory of 4036	4952	containerwebruntime.exe	128
PID 4952 wrote to memory of 4036	4952	containerwebruntime.exe	128
PID 4952 wrote to memory of 2264	4952	containerwebruntime.exe	130
PID 4952 wrote to memory of 2264	4952	containerwebruntime.exe	130
PID 4952 wrote to memory of 1020	4952	containerwebruntime.exe	131
PID 4952 wrote to memory of 1020	4952	containerwebruntime.exe	131
PID 4952 wrote to memory of 2080	4952	containerwebruntime.exe	133
PID 4952 wrote to memory of 2080	4952	containerwebruntime.exe	133
PID 4952 wrote to memory of 512	4952	containerwebruntime.exe	134
PID 4952 wrote to memory of 512	4952	containerwebruntime.exe	134
PID 4952 wrote to memory of 4424	4952	containerwebruntime.exe	136
PID 4952 wrote to memory of 4424	4952	containerwebruntime.exe	136
PID 4952 wrote to memory of 380	4952	containerwebruntime.exe	150
PID 4952 wrote to memory of 380	4952	containerwebruntime.exe	150
PID 380 wrote to memory of 5248	380	cmd.exe	153
PID 380 wrote to memory of 5248	380	cmd.exe	153
PID 380 wrote to memory of 5664	380	cmd.exe	154
PID 380 wrote to memory of 5664	380	cmd.exe	154
PID 380 wrote to memory of 6016	380	cmd.exe	157
PID 380 wrote to memory of 6016	380	cmd.exe	157

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Sigmanly_386878a415d3edac8530e3b99769b40759bd105e3758b2c68887440e8890ee55.exe
"C:\Users\Admin\AppData\Local\Temp\Sigmanly_386878a415d3edac8530e3b99769b40759bd105e3758b2c68887440e8890ee55.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4840
- C:\Users\Admin\AppData\Local\Temp\sqls901.exe
  "C:\Users\Admin\AppData\Local\Temp\sqls901.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1520
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\surrogateDriverintoSessionNet\2zt0n56bOhbwB2KzszETxYw2RuinHOyyQibCEaRYFawepzaxIU2GKt.vbe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4884
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\surrogateDriverintoSessionNet\2PE3PxTrTQg.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1472
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2116
    - - C:\Users\Admin\AppData\Roaming\surrogateDriverintoSessionNet\containerwebruntime.exe
        
        "C:\Users\Admin\AppData\Roaming\surrogateDriverintoSessionNet/containerwebruntime.exe"
        5⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4952
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4ps012lo\4ps012lo.cmdline"
        6⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1732
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFEB3.tmp" "c:\Windows\System32\CSC19213F1C18684C709E3BE03E4B23CFC.TMP"
        7⤵
        
        PID:4180
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3020
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4956
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3908
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:116
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1484
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3392
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2676
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1256
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3832
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4280
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1388
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Multimedia Platform\services.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4036
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\de-DE\winlogon.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2264
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jre-1.8\fontdrvhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1020
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2080
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Multimedia Platform\csrss.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:512
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\surrogateDriverintoSessionNet\containerwebruntime.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4424
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fOZiQ3BIcM.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:380
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:5248
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5664
        
        C:\Program Files\Windows Multimedia Platform\csrss.exe
        
        "C:\Program Files\Windows Multimedia Platform\csrss.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:6016
- C:\Users\Admin\AppData\Local\Temp\drivEn901.exe
  "C:\Users\Admin\AppData\Local\Temp\drivEn901.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Program Files\Java\jre-1.8\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Java\jre-1.8\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Program Files\Java\jre-1.8\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Multimedia Platform\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Multimedia Platform\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "containerwebruntimec" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\AppData\Roaming\surrogateDriverintoSessionNet\containerwebruntime.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "containerwebruntime" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\surrogateDriverintoSessionNet\containerwebruntime.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "containerwebruntimec" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\AppData\Roaming\surrogateDriverintoSessionNet\containerwebruntime.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e448fe0d240184c6597a31d3be2ced58

SHA1
372b8d8c19246d3e38cd3ba123cc0f56070f03cd

SHA256
c660f0db85a1e7f0f68db19868979bf50bd541531babf77a701e1b1ce5e6a391

SHA512
0b7f7eae7700d32b18eee3677cb7f89b46ace717fa7e6b501d6c47d54f15dff7e12b49f5a7d36a6ffe4c16165c7d55162db4f3621db545b6af638035752beab4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
610B

MD5
9d48cfa31b3f622352c5e73541730537

SHA1
f11aecd6bbd8f60eecc5ce90c08647a1741acafe

SHA256
10133c12cf807fbf84a6e7cfda6cd0a8e5406a3992e677d2ad3b15715cb18ef5

SHA512
814573fd3f20c09a992918f352cf77b411ed3c7631b926c870a926b96e71b975e1393defcab82b90fb577102f9ad4eefb2f97ab98f78c7046f377218f6a0afa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFEB3.tmp

Filesize
1KB

MD5
37932def108c2600f01902ef7cb3a96b

SHA1
09a532652ba15003feb69d3a3a7d91cfaf2757df

SHA256
23ac39fa9462a26418e1a8e52f19078fd3e7a333df2b461c4bee70e5d8214dc0

SHA512
f93ccd02d6f82b4f90261b351bc7c4d032fb4c3e85f0238bfb1a71c238c1076c6d0c95afbfa501a79026f671082b1c722a9544b5691850f9a3f663b58125459e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_251rl1da.r0r.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\drivEn901.exe

Filesize
1.8MB

MD5
5036e609163e98f3ac06d5e82b677df8

SHA1
176db10a4cda7104f24eece2d87e1a664b7fb929

SHA256
b2afe799584c913532c673f99ade45113bf5a5b605a964ce9fa837f563b6fc21

SHA512
40c4332e2e4132fc7f3a5f0738a67e7725b329c4a4b0643fbc65f5d1de3ca4b6bf7374c2a722ea05f01a5e2ddd458344289fdb39bbb092a0b64e63eb168313e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\fOZiQ3BIcM.bat

Filesize
182B

MD5
43216364e86e3ebc5aff09039526300b

SHA1
3c56601ab00c1348d774b19c52202e96dfa0f85e

SHA256
41252eee1926e2f440da985e2dc209ec2438846c6a2e5fa687ca8d1b2a0d9315

SHA512
b1566d2ec4e4189abe9e4d5a377fe1833df436ba397d67c089611641b33acee126d978a800b3d93154bfa4357e632fbc27b8d86a89030d299026e1469891608d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshA52B.tmp\InstallOptions.dll

Filesize
15KB

MD5
ece25721125d55aa26cdfe019c871476

SHA1
b87685ae482553823bf95e73e790de48dc0c11ba

SHA256
c7fef6457989d97fecc0616a69947927da9d8c493f7905dc8475c748f044f3cf

SHA512
4e384735d03c943f5eb3396bb3a9cb42c9d8a5479fe2871de5b8bc18db4bbd6e2c5f8fd71b6840512a7249e12a1c63e0e760417e4baa3dc30f51375588410480

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshA52B.tmp\InstallOptions.ini

Filesize
1KB

MD5
8f15ee2143d1dfe21eaf678dc8b8cbb4

SHA1
83963cb9ccc460a12d78158babf735779a1d4b16

SHA256
bf41f51032de0ec616b60ddea6d8c9c912ee29bd06142dbaf77aee5ec3ef4f8d

SHA512
a6e2a288309f0d37d4563a399b113cd165502ff35d15678cd673a3c6e5b7ed5014e10efbcb936799853245798647053e8ccf3da1e49c32badae3542ac5d118c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshA52B.tmp\InstallOptions.ini

Filesize
1KB

MD5
e2808f4be298a32ae279ee9ebacd0a0c

SHA1
b7929c346ba7a7aa690a766e4f70bc1d44f75460

SHA256
99b98f333848dacc5df866402181a6e2441fff0f9cdbb2a26f5f2c5d5dd12c52

SHA512
a305986b1eb907caa77616bcf3b9929fcbef8156b9162a942b1720ae32b34e1ba0537c553b54e750a22c3106fdb33870c346dd1f9d72db7d0baa6d318c3752a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshA52B.tmp\LangDLL.dll

Filesize
5KB

MD5
68b287f4067ba013e34a1339afdb1ea8

SHA1
45ad585b3cc8e5a6af7b68f5d8269c97992130b3

SHA256
18e8b40ba22c7a1687bd16e8d585380bc2773fff5002d7d67e9485fcc0c51026

SHA512
06c38bbb07fb55256f3cdc24e77b3c8f3214f25bfd140b521a39d167113bf307a7e8d24e445d510bc5e4e41d33c9173bb14e3f2a38bc29a0e3d08c1f0dca4bdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshA52B.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\sqls901.exe

Filesize
2.2MB

MD5
a79959f25eda4401d0f5e7b370d6c613

SHA1
d2f9766917469c7b14bf3300304f3e305977deec

SHA256
0bc4be6a914008d39b8934bf6032d64f82d839dd42a441a51eabe3d7deaf4a32

SHA512
261945ccac0c43458f6b4530b0ffe72f25bff08b1d7f75d126cbfc05b30172aff097e5a0c216d11f97042c91c8eedc95956ce4e82ffac84646bddd8c7326e0a3

Download Submit
C:\Users\Admin\AppData\Roaming\surrogateDriverintoSessionNet\2PE3PxTrTQg.bat

Filesize
213B

MD5
fe3af328a3c1ad2712245ea437d47613

SHA1
2b79946a9b86296cc85a5b42cd4eb5ec750d0af8

SHA256
23e6b4ab5963d8273c7fc2c2bc8cc00f43b52d394008c48d61b0566a9562d41a

SHA512
b7677891c88966e435f55a15ff83cb6b1cbe5f67b58745f95e2a4814dcf1a2f123395dc9841a24e237cc17e3609836f08e6dfb606c35c47a54d62e38ed2b6b8d

Download Submit
C:\Users\Admin\AppData\Roaming\surrogateDriverintoSessionNet\2zt0n56bOhbwB2KzszETxYw2RuinHOyyQibCEaRYFawepzaxIU2GKt.vbe

Filesize
226B

MD5
41bb352391fb715e18562592b8a1eaef

SHA1
b836dceab0d0c78ebc4c47894f2fe8d06d4fcf68

SHA256
f72b4ad1bb1a2d8e3b4e03082f05aac7767465b862c43b69b18cfe75df3c184c

SHA512
010bc79e98cc43aed0d9ac3cb5ca6011bc04cda0f6322faa2dec0c2d5d692ce07985b7806ffcbec8d76de7c90e7b88332d52ab665ea557c506c194bfcb0995ee

Download Submit
C:\Users\Admin\AppData\Roaming\surrogateDriverintoSessionNet\containerwebruntime.exe

Filesize
1.9MB

MD5
77967721ce1c8b3f0eb800bd33527897

SHA1
6cace6db7c38ec0f438b9d7a2a323a90e703a904

SHA256
524fdb6f99ba45ba54d3445bffb08d32f63e0642516da16d4b31b8ba22325bd7

SHA512
5c0c90952462704c879125ebf9102796608dd7d8722f84183706bcb4748057ed23894e00f1d6b078ab8d8e7089b818cf9fde7090302e83b5d0431418ec833165

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4ps012lo\4ps012lo.0.cs

Filesize
395B

MD5
ac5b5ffb4e24cc7dedaadbb7a38ff78e

SHA1
7cc5960692d7045f66dd30a78bc352c57478f213

SHA256
a9f4a824322a9fe62219d28d15a6be53e4f5a1963177b18d26834c9f27c16a9d

SHA512
37e54e67c862a6d0ffc03fc04bf5cf1b45f6cb78f3b6bc87b573f9efcff7575c3ab8988add1728cccba5f6ea9fc2fd229acdb50ffcc7cfdb202fe19451079ee6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4ps012lo\4ps012lo.cmdline

Filesize
235B

MD5
c935d080fdcb3a69f99f2fc1a11d1494

SHA1
e2ae300ffba4c2d7f50fb216d9246f7f009757ce

SHA256
48ed15fc57aa25f5865b1d5c6e676d3c2ee2327572c6aa703b89497f225da94c

SHA512
1ad2655b780a8ee49aa7af50d240c3743b087e59c362b664380c2182f45ad38c587bed80580d03e27186900fe9feba30ded210e0c6109a8a96102acd7f6b85b3

Download Submit
\??\c:\Windows\System32\CSC19213F1C18684C709E3BE03E4B23CFC.TMP

Filesize
1KB

MD5
75e32610d8ef6143201c7c28465fcda9

SHA1
b2bae99fade2dda07aecbe1659d184be0fc4e7a6

SHA256
97ee1cac3965d9cc55a60f20206f384719431f19ac96bdc52b93a98de51a639b

SHA512
b303fb99586efd19a08223ba93472fa6d33fcf9198bbf42fb16ba61001db59e5fd5835ea7696ed34e4004d23fa60697e724e6085d1269d788204bf95dfe46abc

Download Submit
memory/1388-252-0x0000017598BC0000-0x0000017598BE2000-memory.dmp

Filesize
136KB

Download
memory/4840-1-0x00007FF902610000-0x00007FF902FB1000-memory.dmp

Filesize
9.6MB

Download
memory/4840-3-0x00007FF902610000-0x00007FF902FB1000-memory.dmp

Filesize
9.6MB

Download
memory/4840-21-0x00007FF902610000-0x00007FF902FB1000-memory.dmp

Filesize
9.6MB

Download
memory/4840-0-0x00007FF9028C5000-0x00007FF9028C6000-memory.dmp

Filesize
4KB

Download
memory/4952-214-0x000000001BB00000-0x000000001BB0C000-memory.dmp

Filesize
48KB

Download
memory/4952-200-0x0000000000D40000-0x0000000000F36000-memory.dmp

Filesize
2.0MB

Download
memory/4952-202-0x0000000001710000-0x000000000171E000-memory.dmp

Filesize
56KB

Download
memory/4952-204-0x000000001BFA0000-0x000000001BFBC000-memory.dmp

Filesize
112KB

Download
memory/4952-205-0x000000001C010000-0x000000001C060000-memory.dmp

Filesize
320KB

Download
memory/4952-212-0x0000000003110000-0x000000000311E000-memory.dmp

Filesize
56KB

Download
memory/4952-210-0x000000001C590000-0x000000001CAB8000-memory.dmp

Filesize
5.2MB

Download
memory/4952-209-0x000000001BFE0000-0x000000001BFF2000-memory.dmp

Filesize
72KB

Download
memory/4952-207-0x000000001BFC0000-0x000000001BFD8000-memory.dmp

Filesize
96KB

Download