Overview

overview

10

Static

static

10

TestRat.exe

windows10-ltsc 2021-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20250113-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20250113-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    17-01-2025 06:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    TestRat.exe

  • Size

    53KB

  • MD5

    375567221b3e6b66d19d983694ab851d

  • SHA1

    6d1c3453a8ada22ca820b9f9b55b15bc69fcaf6c

  • SHA256

    978905af4ce6c1c0dafd6a96f8fb9c326dbd0374a4c255b23884f567201c8f93

  • SHA512

    7801a7e0ff9af9c4caad445c0cbf8d653e3dd7731cf304b0d3586f6f889ae8238b5e3fa812b94f3704f2f64858f1c12c3c6f3e44e825cd3165fee0d1e626fc19

  • SSDEEP

    1536:h5fvGNjuMDy01hx5kb2cQZBBt/PQXffOnprs:hpausy01h7kb2cWvqffOnpA

Score
10/10
dcratxwormdiscoveryexecutioninfostealerpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

xworm

C2

post-cardiff.gl.at.ply.gg:58548

Attributes
  • install_file

    USB.exe

Extracted

Family

xworm

Version

3.0

C2

plus-loves.gl.at.ply.gg:59327

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Detect Xworm Payload 3 IoCs
  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
    persistence
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 6 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 8 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 13 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 19 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 47 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\TestRat.exe
    "C:\Users\Admin\AppData\Local\Temp\TestRat.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:3468
    • C:\Users\Admin\AppData\Local\Temp\VVZ8IRUO7Z920V5.exe
      "C:\Users\Admin\AppData\Local\Temp\VVZ8IRUO7Z920V5.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:724
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "VVZ8IRUO7Z920V5" /tr "C:\Users\Admin\AppData\Roaming\VVZ8IRUO7Z920V5.exe"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:4984
    • C:\Users\Admin\AppData\Local\Temp\7I2IWBK2JZBFN44.exe
      "C:\Users\Admin\AppData\Local\Temp\7I2IWBK2JZBFN44.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1164
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\HypercomponentCommon\I1SNCaG9QwHssjsi1vS2b9DJmZMoJ4clEjNn.vbe"
        3⤵
        • Checks computer location settings
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4036
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\HypercomponentCommon\cemEzm0xYx1.bat" "
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4848
          • C:\HypercomponentCommon\hyperSurrogateagentCrt.exe
            "C:\HypercomponentCommon/hyperSurrogateagentCrt.exe"
            5⤵
            • Modifies WinLogon for persistence
            • Checks computer location settings
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in Program Files directory
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2992
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xege0nrq\xege0nrq.cmdline"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2564
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5975.tmp" "c:\Users\Admin\AppData\Roaming\CSC6DE7F3569D5F42FFA4DDEEB66DD3CBF.TMP"
                7⤵
                  PID:3912
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2hx4dxap\2hx4dxap.cmdline"
                6⤵
                • Drops file in System32 directory
                • Suspicious use of WriteProcessMemory
                PID:3224
                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES59E3.tmp" "c:\Windows\System32\CSCD6516589990F4556B2FF5B398A49AF67.TMP"
                  7⤵
                    PID:2960
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\services.exe'
                  6⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1984
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\csrss.exe'
                  6⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4428
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\de-DE\conhost.exe'
                  6⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2272
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\WmiPrvSE.exe'
                  6⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4212
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\Registry.exe'
                  6⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4124
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\HypercomponentCommon\hyperSurrogateagentCrt.exe'
                  6⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2768
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FiZ42LWNeO.bat"
                  6⤵
                  • Suspicious use of WriteProcessMemory
                  PID:4500
                  • C:\Windows\system32\chcp.com
                    chcp 65001
                    7⤵
                      PID:4736
                    • C:\Windows\system32\w32tm.exe
                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                      7⤵
                        PID:2952
                      • C:\Recovery\WindowsRE\services.exe
                        "C:\Recovery\WindowsRE\services.exe"
                        7⤵
                        • Executes dropped EXE
                        PID:2912
          • C:\Users\Admin\AppData\Roaming\VVZ8IRUO7Z920V5.exe
            "C:\Users\Admin\AppData\Roaming\VVZ8IRUO7Z920V5.exe"
            1⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:3408
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1968
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2276
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3496
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3880
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1832
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3012
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Defender\de-DE\conhost.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:4480
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\de-DE\conhost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1980
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Defender\de-DE\conhost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1100
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Mail\WmiPrvSE.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3052
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\WmiPrvSE.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:924
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\WmiPrvSE.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1808
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:4412
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2148
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:4564
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "hyperSurrogateagentCrth" /sc MINUTE /mo 13 /tr "'C:\HypercomponentCommon\hyperSurrogateagentCrt.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:744
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "hyperSurrogateagentCrt" /sc ONLOGON /tr "'C:\HypercomponentCommon\hyperSurrogateagentCrt.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:4780
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "hyperSurrogateagentCrth" /sc MINUTE /mo 6 /tr "'C:\HypercomponentCommon\hyperSurrogateagentCrt.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1568
          • C:\Users\Admin\AppData\Roaming\VVZ8IRUO7Z920V5.exe
            "C:\Users\Admin\AppData\Roaming\VVZ8IRUO7Z920V5.exe"
            1⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:4712
            • C:\Users\Admin\AppData\Roaming\VVZ8IRUO7Z920V5.exe.exe
              "C:\Users\Admin\AppData\Roaming\VVZ8IRUO7Z920V5.exe.exe"
              2⤵
              • Executes dropped EXE
              PID:2132
            • C:\Recovery\WindowsRE\services.exe
              "C:\Recovery\WindowsRE\services.exe"
              2⤵
              • Executes dropped EXE
              PID:3120

          Network

          MITRE ATT&CK Enterprise v15

          Reconnaissance

          Resource Development

          Initial Access

          Execution

          Command and Scripting Interpreter

          1
          T1059

          PowerShell

          1
          T1059.001

          Scheduled Task/Job

          1
          T1053

          Scheduled Task

          1
          T1053.005

          Persistence

          Boot or Logon Autostart Execution

          2
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Winlogon Helper DLL

          1
          T1547.004

          Scheduled Task/Job

          1
          T1053

          Scheduled Task

          1
          T1053.005

          Privilege Escalation

          Boot or Logon Autostart Execution

          2
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Winlogon Helper DLL

          1
          T1547.004

          Scheduled Task/Job

          1
          T1053

          Scheduled Task

          1
          T1053.005

          Defense Evasion

          Modify Registry

          2
          T1112

          Credential Access

          Credentials from Password Stores

          1
          T1555

          Credentials from Web Browsers

          1
          T1555.003

          Unsecured Credentials

          1
          T1552

          Credentials In Files

          1
          T1552.001

          Discovery

          Query Registry

          2
          T1012

          System Information Discovery

          2
          T1082

          System Location Discovery

          1
          T1614

          System Language Discovery

          1
          T1614.001

          Lateral Movement

          Collection

          Data from Local System

          1
          T1005

          Command and Control

          Web Service

          1
          T1102

          Exfiltration

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\HypercomponentCommon\I1SNCaG9QwHssjsi1vS2b9DJmZMoJ4clEjNn.vbe
            Filesize

            220B

            MD5

            47085bdd4e3087465355c9bb9bbc6005

            SHA1

            bf0c5b11c20beca45cc9d4298f2a11a16c793a61

            SHA256

            80577e4666fad86273b01f60b8d63c15e4ce37774575ac1e0df7a7c396979752

            SHA512

            e74dd8e9756cab1123410a46609dc91540cc29a8fea93017155746f7bb9b7a41bfd3d7595a62788264bedceb475b2a733cce9b70f37cc4478302d5fc228d7684

            Download Submit

          • C:\HypercomponentCommon\cemEzm0xYx1.bat
            Filesize

            105B

            MD5

            5ee2935a1949f69f67601f7375b3e8a3

            SHA1

            6a3229f18db384e57435bd3308298da56aa8c404

            SHA256

            c24a0d7f53a7aa3437f6b6566d3aaebdb36053b64e72cbd1d3796596fc8e3c06

            SHA512

            9777fcb9ee8a8aa0c770c835c5f30aff6efc5fb16a1819047e13d580d748703ffcb446db110067fb2546a637213cb8f25416d4b621a95a789b8e113d31d3401a

            Download Submit

          • C:\HypercomponentCommon\hyperSurrogateagentCrt.exe
            Filesize

            1.9MB

            MD5

            7be5cea1c84ad0b2a6d2e5b6292c8d80

            SHA1

            631e3de0fe83ebacbe5be4e7f895dd0bd8b095ce

            SHA256

            6eb90684ebc56fb2713f5c468b55a964625ec2af698d9687492b1de4225693b7

            SHA512

            ea58d3b1664fe70968635c2722e19ce65ce4c1d66c68aed2d98441e60e773c7295f18d9c99cf4c454c510f33f5e37d3d2c0053b7434a46c542a0d63a4cc03647

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\VVZ8IRUO7Z920V5.exe.log
            Filesize

            654B

            MD5

            11c6e74f0561678d2cf7fc075a6cc00c

            SHA1

            535ee79ba978554abcb98c566235805e7ea18490

            SHA256

            d39a78fabca39532fcb85ce908781a75132e1bd01cc50a3b290dd87127837d63

            SHA512

            32c63d67bf512b42e7f57f71287b354200126cb417ef9d869c72e0b9388a7c2f5e3b61f303f1353baa1bf482d0f17e06e23c9f50b2f1babd4d958b6da19c40b0

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
            Filesize

            3KB

            MD5

            3eb3833f769dd890afc295b977eab4b4

            SHA1

            e857649b037939602c72ad003e5d3698695f436f

            SHA256

            c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

            SHA512

            c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            1KB

            MD5

            f0f59cccd39a3694e0e6dfd44d0fa76d

            SHA1

            fccd7911d463041e1168431df8823e4c4ea387c1

            SHA256

            70466c7f3a911368d653396fdd68f993322c69e1797b492ca00f8be34b7f3401

            SHA512

            5c726e1e28cb9c0c3ab963fbfbf471c6033839f3e535a3811581fdaa4da17175e5a8a8be84a4fccd99b81e048058e51d230ff3836e3ec920057a1b1676110bee

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            1KB

            MD5

            d6d1b8bb34838ccf42d5f69e919b1612

            SHA1

            20e9df1f5dd5908ce1b537d158961e0b1674949e

            SHA256

            8a4e7eae00df2e789c958a38e78ac0b53f439afe2d5bfe8a81fb8c6e232b6491

            SHA512

            ff3ba5dc3cb548018747a315f098e01c5a6f8aee029223ef4080b3db76b0ecaa6a01a1c79e1434bdf2aa5b2ae66ec85d33e760064282411c7712fba890a0309d

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\7I2IWBK2JZBFN44.exe
            Filesize

            2.2MB

            MD5

            05d87a4a162784fd5256f4118aff32af

            SHA1

            484ed03930ed6a60866b6f909b37ef0d852dbefd

            SHA256

            7e3d0dabaded78094abfac40d694eaebf861f3cb865d3835bb053d435e996950

            SHA512

            3d4ce511e9671d8bfa15e93d681fedd972f4fe4c09ac9cfd9653afe83e936654c88ee515a76e7ac80e8f34868802e68c6531fdea0b718029d2196ad1425981fc

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\FiZ42LWNeO.bat
            Filesize

            210B

            MD5

            ee967685d773da3112cd986cb03b40d8

            SHA1

            968a4811fb8e839235d544ccdc475c4821969d1f

            SHA256

            36cfbe42a0239bbcb4adb3cf4d0195d752f8dff8f41f1368c0c3bcdb727a229d

            SHA512

            48e4fbd12e295173ded4a0efeded366069fcc1048f3c501837e38ba010d87128ec52c0977e2e0d8737d963ff1a58e923b93efffa76b256be04b4eb26c2e7ec2d

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\RES5975.tmp
            Filesize

            1KB

            MD5

            559e61b778fc06a1732f2844ada3c129

            SHA1

            82e3d3525badf211d1be939a5869a277f3c213f3

            SHA256

            94d6379956796309fbfe1d0983e653318af6f6496bca718d167f7e458a361c1f

            SHA512

            0ab181e78d210bde6b81dd85226da8c2ea752fa95ebd6f86d5675a1634c6e7df0957bd92538d05ca47c1aba236ad4a93852407a733d4ae2fa0a6347cd31dfd7c

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\RES59E3.tmp
            Filesize

            1KB

            MD5

            217b674fb4a35fab9749d2e4caef676d

            SHA1

            4b855df53e3d7c25cfbdf6259380b1b506e87670

            SHA256

            559bc1dc65e5008a06225de772c47721b18f6b24d275606f61f3f374dcb5aae9

            SHA512

            d8e107f023ebccc8bcd53cea1521c5bd0293541552ea858b52708dc82178b87085eef1c7aa1f7b2a423d8e53cd10aa0275b2a41d55c150766ae3065f3b4cd404

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\VVZ8IRUO7Z920V5.exe
            Filesize

            185KB

            MD5

            e0c8976957ffdc4fe5555adbe8cb0d0c

            SHA1

            226a764bacfa17b92131993aa85fe63f1dbf347c

            SHA256

            b8260ac46e03f2a7baa9ae01bee5443d16d9eb96f6ee8588a887d6de72a750d4

            SHA512

            3a1ea48e81ebfd5586938a72afd68bcc48d4c5d69949cfdacf33aee3371d98f202443f5db12bac876ca7cecc982ddc56827f8d9b1857d22bda71242d5b2cc71e

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_urwmiles.m15.ps1
            Filesize

            60B

            MD5

            d17fe0a3f47be24a6453e9ef58c94641

            SHA1

            6ab83620379fc69f80c0242105ddffd7d98d5d9d

            SHA256

            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

            SHA512

            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

            Download Submit

          • C:\Users\Admin\AppData\Roaming\VVZ8IRUO7Z920V5.exe
            Filesize

            4KB

            MD5

            447f29b4826f7e13b7ee055dae0a26ea

            SHA1

            976632e085328d6d859c0266585bfd4c12229a10

            SHA256

            9cfa0fa883f8588839defea95afd449c5e0af655d5511108c21881550a092d37

            SHA512

            b65d8c88ac51b1881e3fc91664f2aed2cb92a48e8f3954a5c0eae4e3d8ee1904dc30e9305bf88be69074027472ce9cc217bd74bc5635bfd90d38e1d6db81edb1

            Download Submit

          • \??\c:\Users\Admin\AppData\Local\Temp\2hx4dxap\2hx4dxap.0.cs
            Filesize

            366B

            MD5

            9ea36944c7825f39d5395b24f572bd9e

            SHA1

            892b8891d8d7242fbc4ab473ef7b4f3174dcb1d6

            SHA256

            a9907cffe9091fcdeb0664929921cb00eb747dcfb1a0a623517654367e26b980

            SHA512

            131323f11c3439bf895bda8bfafb86602583cf602e96398d1dfe7c2af43ba082bfb3df910586495a67e77dfc9aa8745f7f9c8c886c27b8c2fe4ef419b503db0d

            Download Submit

          • \??\c:\Users\Admin\AppData\Local\Temp\2hx4dxap\2hx4dxap.cmdline
            Filesize

            235B

            MD5

            d635b0c61a4845d7e3d237c8a10fe064

            SHA1

            343289f5cefe5083a81ceaf3c0b74537b7009b96

            SHA256

            369787d08c53cb3a5b063d042fc23e3bedb9eb78850a8eae7beca378680640d0

            SHA512

            e279c69ea1f8eb5d45d9b9901dad8529695c559f0030bb8bbd864c0133ccd7fc594e5d67903b49d221895c159f30851e583fbbdef53f1a420c17bc2c1dfa9375

            Download Submit

          • \??\c:\Users\Admin\AppData\Local\Temp\xege0nrq\xege0nrq.0.cs
            Filesize

            386B

            MD5

            dacf1638806be9105082ace49726b633

            SHA1

            fd4c625df96edc9de7fb13bcae48991ec5c9c2a6

            SHA256

            72c0499d95278dbf7045984d7c288a7db0c31b52585b74713166d5b91fe68166

            SHA512

            43208719aca77ef272e1ada70f33f3e887202912dd81db005f961a6dba3380b7248154e1d08dc48a1d5ecbe25df63abd019e406767f238ef23df42666f8ebb32

            Download Submit

          • \??\c:\Users\Admin\AppData\Local\Temp\xege0nrq\xege0nrq.cmdline
            Filesize

            255B

            MD5

            e1cc78bbd8ba3e8a7a73d1016b23350a

            SHA1

            7a08ab5010fb6dc04a46a474701190056bccf99d

            SHA256

            89a7f8a1bc2eda272b1553d9f9eaefb65ed502a53a0bc9df37fd1b87f08bb474

            SHA512

            0b5144108a38db908b8592f229de7f77849e58703d4e861464f4ca40f35b4a6852bd9ef060a28ea43213e2eb59dcfe1af120e80f981a6f18d61e7b22ea79aaed

            Download Submit

          • \??\c:\Users\Admin\AppData\Roaming\CSC6DE7F3569D5F42FFA4DDEEB66DD3CBF.TMP
            Filesize

            1KB

            MD5

            e79f061d2b4bc6446c1f39d5738a6380

            SHA1

            551e4bbfd40d8fe50f1fe85794e2b8aea38603a8

            SHA256

            3f609abf795105f0a8a822ce28f925cb5ba944146ba56221f7d07a2f7f0f48f7

            SHA512

            c841fc7eb927063d1dbab835f2cd03c79d57bfbb749c00c2b0ae725837f5ef9c9e69323184a8c465ee935d5d5e9b13599f6166735fd4b2b81760999a426b6072

            Download Submit

          • \??\c:\Windows\System32\CSCD6516589990F4556B2FF5B398A49AF67.TMP
            Filesize

            1KB

            MD5

            468e500195e1e951129d7c74960130bc

            SHA1

            053b93fddacd0bcc5ce8f3c7e2ed329cbfb8af92

            SHA256

            4f9ead273969447edda11717b587765942620c2076f3744ae05eb3e4005a73ea

            SHA512

            60e3fddf6891dccd17fe798dabe42da9bf0a239f5e0d97ae8952ae81ae17e4e18e53a9f08fa4a299d4b52f75a0b8babb18c5b4f4cdfda50471d77b77982d225a

            Download Submit

          • memory/724-21-0x00007FFE06BC0000-0x00007FFE07682000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/724-20-0x0000000000FB0000-0x0000000000FE4000-memory.dmp

            Filesize

            208KB

            Download

          • memory/724-32-0x00007FFE06BC0000-0x00007FFE07682000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/724-31-0x00007FFE06BC0000-0x00007FFE07682000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/724-30-0x00007FFE06BC0000-0x00007FFE07682000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/2912-189-0x000000001F100000-0x000000001F14E000-memory.dmp

            Filesize

            312KB

            Download

          • memory/2992-73-0x000000001B3B0000-0x000000001B3BC000-memory.dmp

            Filesize

            48KB

            Download

          • memory/2992-62-0x00000000005C0000-0x00000000007A6000-memory.dmp

            Filesize

            1.9MB

            Download

          • memory/2992-71-0x000000001B3A0000-0x000000001B3AE000-memory.dmp

            Filesize

            56KB

            Download

          • memory/2992-69-0x000000001B3E0000-0x000000001B3F8000-memory.dmp

            Filesize

            96KB

            Download

          • memory/2992-67-0x000000001B890000-0x000000001B8E0000-memory.dmp

            Filesize

            320KB

            Download

          • memory/2992-66-0x000000001B3C0000-0x000000001B3DC000-memory.dmp

            Filesize

            112KB

            Download

          • memory/2992-64-0x000000001B390000-0x000000001B39E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/2992-149-0x000000001C120000-0x000000001C16E000-memory.dmp

            Filesize

            312KB

            Download

          • memory/3468-0-0x00007FFE06BC3000-0x00007FFE06BC5000-memory.dmp

            Filesize

            8KB

            Download

          • memory/3468-5-0x0000000000AF0000-0x0000000000AFC000-memory.dmp

            Filesize

            48KB

            Download

          • memory/3468-4-0x00007FFE06BC0000-0x00007FFE07682000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/3468-182-0x000000001B450000-0x000000001B458000-memory.dmp

            Filesize

            32KB

            Download

          • memory/3468-3-0x00007FFE06BC3000-0x00007FFE06BC5000-memory.dmp

            Filesize

            8KB

            Download

          • memory/3468-191-0x0000000000970000-0x000000000097A000-memory.dmp

            Filesize

            40KB

            Download

          • memory/3468-2-0x00007FFE06BC0000-0x00007FFE07682000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/3468-1-0x00000000000F0000-0x0000000000104000-memory.dmp

            Filesize

            80KB

            Download

          • memory/3468-206-0x0000000000980000-0x000000000098A000-memory.dmp

            Filesize

            40KB

            Download

          • memory/4212-120-0x000002569F490000-0x000002569F4B2000-memory.dmp

            Filesize

            136KB

            Download

          • memory/4712-200-0x0000000000060000-0x0000000000068000-memory.dmp

            Filesize

            32KB

            Download