dcrat | f4e113eaba1238c566ce7eb0a0d8cc1a579d0044533a949098fc332dd25d2146

Analysis

max time kernel
900s
max time network
901s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250113-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250113-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
20-01-2025 08:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Blue.cc/Blue cc/blue.cc.exe
Size

5.7MB
MD5

f3edbc69d3579a04978e4a90825b2c86
SHA1

0a4c0b114f28c63c021756d7d9009652712566e8
SHA256

8afbd41db0f57e93abe9c3337571e9775eb15b96835252e3cfcdffe01d6fe0e4
SHA512

4829622b1fe7fe86ef9dc9a793bb805664717dd32fab380678e0aa2cbc2d6e14ef1e4d8da86d1a99cf0e607c50dd9bbb8227eecef06e731a7596d1e8703db639
SSDEEP

98304:YPzPxjBNchBLJX4jTq+Q0SBPOOx7G1NcL+X1pYjJT1xMetHxPP+NlU7qG7BnjuA7:YPdBNcRX9FBm4SciDY91KetRHIM9QRPY

Score

10^/10

dcrat xmrig discovery evasion execution infostealer miner persistence rat spyware stealer upx

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 9 IoCs

miner

resource	yara_rule
behavioral1/memory/3908-326-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/3908-331-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/3908-332-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/3908-329-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/3908-328-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/3908-330-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/3908-325-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/3908-348-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/3908-350-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1132	powershell.exe
1248	powershell.exe
4260	powershell.exe
2824	powershell.exe
4348	powershell.exe
4672	powershell.exe
864	powershell.exe
1264	powershell.exe
2152	powershell.exe
5060	powershell.exe
2096	powershell.exe
2664	powershell.exe
3792	powershell.exe
1060	powershell.exe
3816	powershell.exe
2192	powershell.exe
4508	powershell.exe
5788	powershell.exe
4956	powershell.exe
5088	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1581648047-808845429-2272123689-1000\Control Panel\International\Geo\Nation	blue.cc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1581648047-808845429-2272123689-1000\Control Panel\International\Geo\Nation	Cheat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1581648047-808845429-2272123689-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1581648047-808845429-2272123689-1000\Control Panel\International\Geo\Nation	portRuntimedll.exe

Executes dropped EXE 5 IoCs

pid	Process
1276	Cheat.exe
4464	Loader.exe
4828	portRuntimedll.exe
5756	portRuntimedll.exe
1972	sjtrewuvofcs.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
6016	powercfg.exe
6008	powercfg.exe
6000	powercfg.exe
5992	powercfg.exe
4072	powercfg.exe
4264	powercfg.exe
2792	powercfg.exe
2356	powercfg.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MRT.exe	Loader.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	sjtrewuvofcs.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1972 set thread context of 5528	1972	sjtrewuvofcs.exe	159
PID 1972 set thread context of 3908	1972	sjtrewuvofcs.exe	165

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3908-321-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3908-324-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3908-326-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3908-331-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3908-332-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3908-329-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3908-328-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3908-330-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3908-325-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3908-323-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3908-320-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3908-322-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3908-348-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3908-350-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Sidebar\088424020bedd6	portRuntimedll.exe
File created	C:\Program Files (x86)\Reference Assemblies\StartMenuExperienceHost.exe	portRuntimedll.exe
File created	C:\Program Files (x86)\Reference Assemblies\55b276f4edf653	portRuntimedll.exe
File created	C:\Program Files\Windows Sidebar\conhost.exe	portRuntimedll.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Web\Wallpaper\Theme1\StartMenuExperienceHost.exe	portRuntimedll.exe
File created	C:\Windows\Web\Wallpaper\Theme1\55b276f4edf653	portRuntimedll.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
6024	sc.exe
4828	sc.exe
416	sc.exe
4292	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Modifies data under HKEY_USERS 46 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1581648047-808845429-2272123689-1000_Classes\Local Settings	Cheat.exe
Key created	\REGISTRY\USER\S-1-5-21-1581648047-808845429-2272123689-1000_Classes\Local Settings	portRuntimedll.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4828	portRuntimedll.exe
4828	portRuntimedll.exe
4828	portRuntimedll.exe
4828	portRuntimedll.exe
4828	portRuntimedll.exe
4828	portRuntimedll.exe
4828	portRuntimedll.exe
4828	portRuntimedll.exe
4828	portRuntimedll.exe
4828	portRuntimedll.exe
4828	portRuntimedll.exe
4828	portRuntimedll.exe
4828	portRuntimedll.exe
4828	portRuntimedll.exe
4828	portRuntimedll.exe
4828	portRuntimedll.exe
4828	portRuntimedll.exe
4828	portRuntimedll.exe
4828	portRuntimedll.exe
4828	portRuntimedll.exe
4828	portRuntimedll.exe
4828	portRuntimedll.exe
4828	portRuntimedll.exe
4828	portRuntimedll.exe
4828	portRuntimedll.exe
4828	portRuntimedll.exe
4828	portRuntimedll.exe
4828	portRuntimedll.exe
4828	portRuntimedll.exe
4828	portRuntimedll.exe
4828	portRuntimedll.exe
4828	portRuntimedll.exe
4828	portRuntimedll.exe
4828	portRuntimedll.exe
4828	portRuntimedll.exe
4828	portRuntimedll.exe
4828	portRuntimedll.exe
4828	portRuntimedll.exe
4828	portRuntimedll.exe
4828	portRuntimedll.exe
4828	portRuntimedll.exe
4828	portRuntimedll.exe
4828	portRuntimedll.exe
4828	portRuntimedll.exe
4828	portRuntimedll.exe
4828	portRuntimedll.exe
4828	portRuntimedll.exe
4828	portRuntimedll.exe
4828	portRuntimedll.exe
4828	portRuntimedll.exe
4828	portRuntimedll.exe
4828	portRuntimedll.exe
4828	portRuntimedll.exe
4828	portRuntimedll.exe
4828	portRuntimedll.exe
4828	portRuntimedll.exe
4828	portRuntimedll.exe
4828	portRuntimedll.exe
4828	portRuntimedll.exe
4828	portRuntimedll.exe
4828	portRuntimedll.exe
4828	portRuntimedll.exe
4828	portRuntimedll.exe
4828	portRuntimedll.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
5756	portRuntimedll.exe
3628	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4828	portRuntimedll.exe
Token: SeDebugPrivilege	1248	powershell.exe
Token: SeDebugPrivilege	4956	powershell.exe
Token: SeDebugPrivilege	1132	powershell.exe
Token: SeDebugPrivilege	2096	powershell.exe
Token: SeDebugPrivilege	1060	powershell.exe
Token: SeDebugPrivilege	2152	powershell.exe
Token: SeDebugPrivilege	4672	powershell.exe
Token: SeDebugPrivilege	2824	powershell.exe
Token: SeDebugPrivilege	5088	powershell.exe
Token: SeDebugPrivilege	4260	powershell.exe
Token: SeDebugPrivilege	3816	powershell.exe
Token: SeDebugPrivilege	5060	powershell.exe
Token: SeDebugPrivilege	864	powershell.exe
Token: SeDebugPrivilege	3792	powershell.exe
Token: SeDebugPrivilege	2664	powershell.exe
Token: SeDebugPrivilege	4508	powershell.exe
Token: SeDebugPrivilege	2192	powershell.exe
Token: SeDebugPrivilege	1264	powershell.exe
Token: SeIncreaseQuotaPrivilege	4956	powershell.exe
Token: SeSecurityPrivilege	4956	powershell.exe
Token: SeTakeOwnershipPrivilege	4956	powershell.exe
Token: SeLoadDriverPrivilege	4956	powershell.exe
Token: SeSystemProfilePrivilege	4956	powershell.exe
Token: SeSystemtimePrivilege	4956	powershell.exe
Token: SeProfSingleProcessPrivilege	4956	powershell.exe
Token: SeIncBasePriorityPrivilege	4956	powershell.exe
Token: SeCreatePagefilePrivilege	4956	powershell.exe
Token: SeBackupPrivilege	4956	powershell.exe
Token: SeRestorePrivilege	4956	powershell.exe
Token: SeShutdownPrivilege	4956	powershell.exe
Token: SeDebugPrivilege	4956	powershell.exe
Token: SeSystemEnvironmentPrivilege	4956	powershell.exe
Token: SeRemoteShutdownPrivilege	4956	powershell.exe
Token: SeUndockPrivilege	4956	powershell.exe
Token: SeManageVolumePrivilege	4956	powershell.exe
Token: 33	4956	powershell.exe
Token: 34	4956	powershell.exe
Token: 35	4956	powershell.exe
Token: 36	4956	powershell.exe
Token: SeIncreaseQuotaPrivilege	1248	powershell.exe
Token: SeSecurityPrivilege	1248	powershell.exe
Token: SeTakeOwnershipPrivilege	1248	powershell.exe
Token: SeLoadDriverPrivilege	1248	powershell.exe
Token: SeSystemProfilePrivilege	1248	powershell.exe
Token: SeSystemtimePrivilege	1248	powershell.exe
Token: SeProfSingleProcessPrivilege	1248	powershell.exe
Token: SeIncBasePriorityPrivilege	1248	powershell.exe
Token: SeCreatePagefilePrivilege	1248	powershell.exe
Token: SeBackupPrivilege	1248	powershell.exe
Token: SeRestorePrivilege	1248	powershell.exe
Token: SeShutdownPrivilege	1248	powershell.exe
Token: SeDebugPrivilege	1248	powershell.exe
Token: SeSystemEnvironmentPrivilege	1248	powershell.exe
Token: SeRemoteShutdownPrivilege	1248	powershell.exe
Token: SeUndockPrivilege	1248	powershell.exe
Token: SeManageVolumePrivilege	1248	powershell.exe
Token: 33	1248	powershell.exe
Token: 34	1248	powershell.exe
Token: 35	1248	powershell.exe
Token: 36	1248	powershell.exe
Token: SeIncreaseQuotaPrivilege	1060	powershell.exe
Token: SeSecurityPrivilege	1060	powershell.exe
Token: SeTakeOwnershipPrivilege	1060	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1288 wrote to memory of 1276	1288	blue.cc.exe	81
PID 1288 wrote to memory of 1276	1288	blue.cc.exe	81
PID 1288 wrote to memory of 1276	1288	blue.cc.exe	81
PID 1288 wrote to memory of 4464	1288	blue.cc.exe	82
PID 1288 wrote to memory of 4464	1288	blue.cc.exe	82
PID 1276 wrote to memory of 1216	1276	Cheat.exe	83
PID 1276 wrote to memory of 1216	1276	Cheat.exe	83
PID 1276 wrote to memory of 1216	1276	Cheat.exe	83
PID 1216 wrote to memory of 4512	1216	WScript.exe	84
PID 1216 wrote to memory of 4512	1216	WScript.exe	84
PID 1216 wrote to memory of 4512	1216	WScript.exe	84
PID 4512 wrote to memory of 4828	4512	cmd.exe	86
PID 4512 wrote to memory of 4828	4512	cmd.exe	86
PID 4828 wrote to memory of 1060	4828	portRuntimedll.exe	87
PID 4828 wrote to memory of 1060	4828	portRuntimedll.exe	87
PID 4828 wrote to memory of 1248	4828	portRuntimedll.exe	88
PID 4828 wrote to memory of 1248	4828	portRuntimedll.exe	88
PID 4828 wrote to memory of 4260	4828	portRuntimedll.exe	89
PID 4828 wrote to memory of 4260	4828	portRuntimedll.exe	89
PID 4828 wrote to memory of 4672	4828	portRuntimedll.exe	90
PID 4828 wrote to memory of 4672	4828	portRuntimedll.exe	90
PID 4828 wrote to memory of 4956	4828	portRuntimedll.exe	91
PID 4828 wrote to memory of 4956	4828	portRuntimedll.exe	91
PID 4828 wrote to memory of 2824	4828	portRuntimedll.exe	92
PID 4828 wrote to memory of 2824	4828	portRuntimedll.exe	92
PID 4828 wrote to memory of 2192	4828	portRuntimedll.exe	93
PID 4828 wrote to memory of 2192	4828	portRuntimedll.exe	93
PID 4828 wrote to memory of 3792	4828	portRuntimedll.exe	94
PID 4828 wrote to memory of 3792	4828	portRuntimedll.exe	94
PID 4828 wrote to memory of 2664	4828	portRuntimedll.exe	95
PID 4828 wrote to memory of 2664	4828	portRuntimedll.exe	95
PID 4828 wrote to memory of 1132	4828	portRuntimedll.exe	96
PID 4828 wrote to memory of 1132	4828	portRuntimedll.exe	96
PID 4828 wrote to memory of 2096	4828	portRuntimedll.exe	97
PID 4828 wrote to memory of 2096	4828	portRuntimedll.exe	97
PID 4828 wrote to memory of 864	4828	portRuntimedll.exe	98
PID 4828 wrote to memory of 864	4828	portRuntimedll.exe	98
PID 4828 wrote to memory of 4508	4828	portRuntimedll.exe	100
PID 4828 wrote to memory of 4508	4828	portRuntimedll.exe	100
PID 4828 wrote to memory of 5060	4828	portRuntimedll.exe	102
PID 4828 wrote to memory of 5060	4828	portRuntimedll.exe	102
PID 4828 wrote to memory of 2152	4828	portRuntimedll.exe	103
PID 4828 wrote to memory of 2152	4828	portRuntimedll.exe	103
PID 4828 wrote to memory of 1264	4828	portRuntimedll.exe	105
PID 4828 wrote to memory of 1264	4828	portRuntimedll.exe	105
PID 4828 wrote to memory of 3816	4828	portRuntimedll.exe	106
PID 4828 wrote to memory of 3816	4828	portRuntimedll.exe	106
PID 4828 wrote to memory of 5088	4828	portRuntimedll.exe	108
PID 4828 wrote to memory of 5088	4828	portRuntimedll.exe	108
PID 4828 wrote to memory of 2548	4828	portRuntimedll.exe	123
PID 4828 wrote to memory of 2548	4828	portRuntimedll.exe	123
PID 2548 wrote to memory of 4680	2548	cmd.exe	125
PID 2548 wrote to memory of 4680	2548	cmd.exe	125
PID 2548 wrote to memory of 5260	2548	cmd.exe	127
PID 2548 wrote to memory of 5260	2548	cmd.exe	127
PID 2548 wrote to memory of 5756	2548	cmd.exe	128
PID 2548 wrote to memory of 5756	2548	cmd.exe	128
PID 5984 wrote to memory of 4872	5984	cmd.exe	146
PID 5984 wrote to memory of 4872	5984	cmd.exe	146
PID 1972 wrote to memory of 5528	1972	sjtrewuvofcs.exe	159
PID 1972 wrote to memory of 5528	1972	sjtrewuvofcs.exe	159
PID 1972 wrote to memory of 5528	1972	sjtrewuvofcs.exe	159
PID 1972 wrote to memory of 5528	1972	sjtrewuvofcs.exe	159
PID 1972 wrote to memory of 5528	1972	sjtrewuvofcs.exe	159

C:\Users\Admin\AppData\Local\Temp\Blue.cc\Blue cc\blue.cc.exe
"C:\Users\Admin\AppData\Local\Temp\Blue.cc\Blue cc\blue.cc.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1288
- C:\Users\Admin\AppData\Local\Temp\Cheat.exe
  "C:\Users\Admin\AppData\Local\Temp\Cheat.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1276
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\surrogatewebDriverPerfdll\O2Mqb5EZIjFAAhUWjaVV4BgoTlxmSKSI5p5mmNTOQWmByl3e.vbe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1216
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\surrogatewebDriverPerfdll\sBHMgLRm.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4512
    - - C:\surrogatewebDriverPerfdll\portRuntimedll.exe
        
        "C:\surrogatewebDriverPerfdll/portRuntimedll.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4828
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1060
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1248
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4260
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4672
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4956
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2824
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2192
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3792
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/surrogatewebDriverPerfdll/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2664
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1132
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2096
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:864
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\StartMenuExperienceHost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4508
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\surrogatewebDriverPerfdll\backgroundTaskHost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:5060
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\conhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2152
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Web\Wallpaper\Theme1\StartMenuExperienceHost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1264
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Documents\My Music\sysmon.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3816
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\surrogatewebDriverPerfdll\portRuntimedll.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:5088
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5pKhsPDNgZ.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2548
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:4680
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:5260
        
        C:\surrogatewebDriverPerfdll\portRuntimedll.exe
        
        "C:\surrogatewebDriverPerfdll\portRuntimedll.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:5756
- C:\Users\Admin\AppData\Local\Temp\Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:4464
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5788
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5984
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:4872
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    PID:5992
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    PID:6000
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    PID:6008
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    PID:6016
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "BSJXEIWT"
    3⤵
    - Launches sc.exe
    PID:6024
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "BSJXEIWT" binpath= "C:\ProgramData\erxkvsklcucy\sjtrewuvofcs.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:4828
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:4292
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "BSJXEIWT"
    3⤵
    - Launches sc.exe
    PID:416

C:\ProgramData\erxkvsklcucy\sjtrewuvofcs.exe
C:\ProgramData\erxkvsklcucy\sjtrewuvofcs.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:4348
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:4580
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:2264
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:4072
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:2356
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:2792
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:4264
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:5528
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  PID:3908

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\portRuntimedll.exe.log

Filesize
1KB

MD5
1eb759ec8a0d982d63773eb343e2a833

SHA1
bd449e841a449dcbdc03fb8b06891ed8a57afa4e

SHA256
496b42cced0d481317c95e60846b3995e6319b209dc72412a20a4824e1448f80

SHA512
91d887b28ce755373890cde130b8dd27ad347b9f192a76b283db24205b2804627118c1f68807f0abd112fbda007bc68ecc8a59bf07598884846baf6917837371

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3eb3833f769dd890afc295b977eab4b4

SHA1
e857649b037939602c72ad003e5d3698695f436f

SHA256
c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

SHA512
c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8bd23aab2f3dde6d419bc23912cedd13

SHA1
10dc192ce97798bafb97afc025fc48c87bbae61e

SHA256
f4ef5307e90a68fc6882f59f6005d8459688d1000e58594d11f576e923a0c99b

SHA512
ab80c811f3f7e8bb620732c4315eb2a42b2239fddd5ec0eafa46b005760faa3c9c0301d91330cffd8e79c49c0d3d847ce8afbafe1889f3f1822313015c8c5ff5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b5bf6b0261deb53c0e3d422e3f83a664

SHA1
60cd83ab6dd15abaa9abf34d9ab54e42c8eefa16

SHA256
a431a9e84c64c6ad29339df6a714cb697081dc1c6c5557ada967d4caaeed0c1c

SHA512
27dfba0d2d7ebce4e6eebdeefa81b2518c5222efb9d37b4c323023e5117eed30ad6aeba8e062bde96d17d53b01bb9a59313229aeaf4863c8b30d9bbb09d46bff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
26c94c408a5a2e1e04f1191fc2902d3e

SHA1
ce50b153be03511bd62a477abf71a7e9f94e68a5

SHA256
86ad00a425874b935cc725f83780add09d08d7dc9cbfb705821955fe937c05ec

SHA512
70e7bc620b369d7d0fcf06f93da000819bf089a502f1014641ad14d56ead22f31c25b97363296fd3749c63bde6db3bf115b33504b160485d792e1331c337b586

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4999b1e4878c52dc8e6ac4969b9d3da2

SHA1
7799d83e2a7f4a6c4e1a3671e8bfc4568375a191

SHA256
662c1692bb2e4d9dc83bd161c7dbec5caa096f250787c10f26347c3ae3bd6cd8

SHA512
4ae3c5b4455fb7046cdb575530d994567c94be122888ac4c65f3ee3180a781653013e2cc4ec05e84b2a385321f8a43bf7ff9b2d97b3c4c0b480faeb01d108856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
84063c0d1d9aae057e1c424279a859b9

SHA1
267a2c5851b5da21dea746f0417dd4b33f051a31

SHA256
8efb3b1ffff11a06d7fc95530ea8eb260de51e72cfb457cf10a6fd34c8d20ed8

SHA512
ed878d9e9632e0f9ca2a644a86dd142eb91ea74403e5829dd159f225b7230b48314d52f783aff3e80180815f95cb7daebfdc0a89e4d93eb233aebb53ebc7f111

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
834c66536c70fde8f5f29d44b439fe53

SHA1
1b3e9849447d30cd7cce16728bcd4a141a348c1e

SHA256
0668ff9f9590cd03e8c1c6c1c923c239d9272b7b965b74e2be726c5405fa7913

SHA512
6b33e4ea4bb883c66c674796e0ab2e4bf03db92a9fb498e7d40af1e34483046929178c46416408d04d7757f4443693007d51d50d36ff0dbda1c84a1ee4e63150

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
60ba7ac90c0e466144b48a90919960b6

SHA1
fe7f5d9e1d317f9409d8daa35d9c890f7e222d6a

SHA256
43d3c3113c66141b3a1f1f1bbf2d32a80128d029903ca58db09e9c6a9410ef9e

SHA512
92a1d912fd7be06820ec97b192b965d04ff44ff6a1c76b55405ecf20ca995762d823f52f174d8f48feb1d454716ab244adb4945febbf4fe4a6f91dd9791f87f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
90d696d6a8ab185c1546b111fa208281

SHA1
b0ce1efde1dad3d65f7a78d1f6467d8a1090d659

SHA256
78497ed2c4ccac6e870afc80224724f45a7356bde55580a5c6ea52ef5079a3f4

SHA512
0a19628ae31ec31f382b3fd430c205a39985730e12c608b66b83ee4826e3f3fc9f4a034e03f38ac5260defdf805b927528ffca1a2ccdd59d9bfe05822923c4ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\5pKhsPDNgZ.bat

Filesize
223B

MD5
cb2bfa77e85d64bd07d248f891d51f8b

SHA1
c28f49e450b0ca086e0cafac2c0a2591d6ea3e32

SHA256
af20698be504d64bc2ebba76300ec3865e42908431441e3febaad116fd8259fc

SHA512
5bf6eb8dfa9b64e69457d93471a2cdbc5ac3182c48786c85a473d07adfbee51ccbc27a77daa377edd81cb0760b06933ad0d0281d88a82af8b3ab8eace381dd8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cheat.exe

Filesize
2.2MB

MD5
a54657ad972c7ed59bfec031e449c45a

SHA1
f26cc3e543842e3d59825d61add2852853078c5a

SHA256
56782c0bce98d22894af0d0354008a0793f7b24ed774c8451c2b367ebc8f2304

SHA512
1f1136608792ba227abe8988411a9127edf3d14c9f40dc9112b3205032fcd293ad7fc29ac322c7a88f005907822d1310e362ad8af32691b0fb8422a92a1060bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Loader.exe

Filesize
5.0MB

MD5
9a4520febabd856344d00ff8867d278c

SHA1
0cbe2d841471f6d0386232951b16edcc5c19f645

SHA256
d5c5036bdeafcc68f74097fbe090d48be72d0504b446980e00276dfe6c70067a

SHA512
8223c4ed4e0b67c4363eb913206c70441325568816922b9f60b99f64551f2c28b9961f36a4133fc86fe832d2118a88674478f6b62fcd33265e2449f1f512223b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oghibi3y.ekg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\surrogatewebDriverPerfdll\O2Mqb5EZIjFAAhUWjaVV4BgoTlxmSKSI5p5mmNTOQWmByl3e.vbe

Filesize
208B

MD5
24baff33090912fda41dbd7ff59c0758

SHA1
07b467337330f0abf1d1c34ea3d7ad305b42ebd2

SHA256
cf363df03c9082c65d6bb5c914deea16353fbd3871599953c5e51eedfab7d85e

SHA512
337d1dc80884f59fdd5eaf77fcd3cf5353a422ebed3a9bcea53bad1f9363121a2c3e912be00fb3577af0ab0700156a76325fe3ce038a3c91fa416bb318a270bf

Download Submit
C:\surrogatewebDriverPerfdll\portRuntimedll.exe

Filesize
1.9MB

MD5
5d8b6304415990e22a07694f005ea272

SHA1
93e356cac768aad2bb3c614cc3a22825064a5e42

SHA256
ee7ed4e85816e7b6d1587065b4c3c4885082a67e7a1deee08928b903db253cbf

SHA512
f04caa5285b55dbbebee789fcec122d164a5ea541e5b57d05808cff7705508eb716f3e20248dc1659236af37b1f5d64d923d5333d6c0e956d71ebaf879eb04a4

Download Submit
C:\surrogatewebDriverPerfdll\sBHMgLRm.bat

Filesize
88B

MD5
64970882419ad8bc36002ab5bc472a7c

SHA1
10ca95dbb24607f3eafaf27d9233acccd3d929ff

SHA256
cede47cf582f74d4b064d589b94a832a6260a2dc71633ccadb55782ae17e193c

SHA512
09e5b6a4c5158c33eb84d13831eec7c4cd2670b5a810a083667557dc04bcd666e440988e2584ccafa7b8308c6d38c544483752b36cc3d4ea2abf24793ffcb2f3

Download Submit
memory/1248-83-0x000001D8FA5D0000-0x000001D8FA5F2000-memory.dmp

Filesize
136KB

Download
memory/1288-266-0x00007FFAEE130000-0x00007FFAEEBF2000-memory.dmp

Filesize
10.8MB

Download
memory/1288-0-0x00007FFAEE133000-0x00007FFAEE135000-memory.dmp

Filesize
8KB

Download
memory/1288-10-0x00007FFAEE130000-0x00007FFAEEBF2000-memory.dmp

Filesize
10.8MB

Download
memory/1288-1-0x0000000000970000-0x0000000000F28000-memory.dmp

Filesize
5.7MB

Download
memory/3628-340-0x0000017DB72E0000-0x0000017DB72E1000-memory.dmp

Filesize
4KB

Download
memory/3628-334-0x0000017DB72E0000-0x0000017DB72E1000-memory.dmp

Filesize
4KB

Download
memory/3628-343-0x0000017DB72E0000-0x0000017DB72E1000-memory.dmp

Filesize
4KB

Download
memory/3628-342-0x0000017DB72E0000-0x0000017DB72E1000-memory.dmp

Filesize
4KB

Download
memory/3628-341-0x0000017DB72E0000-0x0000017DB72E1000-memory.dmp

Filesize
4KB

Download
memory/3628-344-0x0000017DB72E0000-0x0000017DB72E1000-memory.dmp

Filesize
4KB

Download
memory/3628-339-0x0000017DB72E0000-0x0000017DB72E1000-memory.dmp

Filesize
4KB

Download
memory/3628-335-0x0000017DB72E0000-0x0000017DB72E1000-memory.dmp

Filesize
4KB

Download
memory/3628-345-0x0000017DB72E0000-0x0000017DB72E1000-memory.dmp

Filesize
4KB

Download
memory/3628-333-0x0000017DB72E0000-0x0000017DB72E1000-memory.dmp

Filesize
4KB

Download
memory/3908-321-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3908-332-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3908-348-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3908-322-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3908-324-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3908-326-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3908-331-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3908-350-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3908-329-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3908-328-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3908-330-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3908-327-0x0000000001410000-0x0000000001430000-memory.dmp

Filesize
128KB

Download
memory/3908-325-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3908-323-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3908-320-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4348-309-0x0000021D7C800000-0x0000021D7C80A000-memory.dmp

Filesize
40KB

Download
memory/4348-308-0x0000021D7C830000-0x0000021D7C8E5000-memory.dmp

Filesize
724KB

Download
memory/4348-307-0x0000021D7C810000-0x0000021D7C82C000-memory.dmp

Filesize
112KB

Download
memory/4828-46-0x000000001BCB0000-0x000000001BD00000-memory.dmp

Filesize
320KB

Download
memory/4828-50-0x0000000001910000-0x000000000191E000-memory.dmp

Filesize
56KB

Download
memory/4828-41-0x0000000000F00000-0x00000000010F0000-memory.dmp

Filesize
1.9MB

Download
memory/4828-43-0x0000000001900000-0x000000000190E000-memory.dmp

Filesize
56KB

Download
memory/4828-45-0x0000000003250000-0x000000000326C000-memory.dmp

Filesize
112KB

Download
memory/4828-48-0x0000000003270000-0x0000000003288000-memory.dmp

Filesize
96KB

Download
memory/4828-54-0x0000000003230000-0x000000000323C000-memory.dmp

Filesize
48KB

Download
memory/4828-52-0x0000000001930000-0x000000000193E000-memory.dmp

Filesize
56KB

Download
memory/5528-313-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/5528-314-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/5528-315-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/5528-312-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/5528-316-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/5528-319-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download