Overview

overview

10

Static

static

3

clear.rar

windows10-ltsc 2021-x64

10

Resubmissions

01-02-2025 12:45

250201-pzbxqsvlal 10

01-02-2025 12:44

250201-pyks9asmey 8

Analysis

  • max time kernel
    102s
  • max time network
    103s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20250128-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20250128-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    01-02-2025 12:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    clear.rar

  • Size

    79KB

  • MD5

    d48f855ab685f45c2c775e504929e547

  • SHA1

    e3ab6da9e65ac042fd226590cfcef2407d7ac90a

  • SHA256

    07f8ecb6b5cba0b1594f52abf15aea38ca30b47e88fde0a30bfadc2987ed3a85

  • SHA512

    fa4f372147bc6458b7b32708665a1b633e0b9ce664a3978ce1b58cde6ee49c819094a968f370554ce2c39cd544049b8093aa119862b3178737d02405beb80457

  • SSDEEP

    1536:qwLUIWRKuqamoNybu883Jf7MP4BfPVdvSQJBLTFGEbafNQg/MEgyts1LOS7xC02S:qwL8KKNUu883x7LBTbuNQuHtq6YC0wq9

Score
10/10
dcratgurcudiscoveryexecutioninfostealerpersistenceratspywarestealer

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7704662300:AAHZHv4I3t9TNk5ILgxvtKoFOJ0M5VPSSv8/sendPhot

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Gurcu family
    gurcu
  • Gurcu, WhiteSnake

    Gurcu aka WhiteSnake is a malware stealer written in C#.

    stealergurcu
  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
    persistence
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 1 IoCs
    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Downloads MZ/PE file 1 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 12 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\clear.rar"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:4280
  • C:\Users\Admin\Desktop\Cleaner.exe
    "C:\Users\Admin\Desktop\Cleaner.exe"
    1⤵
    • Downloads MZ/PE file
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:4864
    • C:\Users\Admin\AppData\Roaming\clear.exe
      "C:\Users\Admin\AppData\Roaming\clear.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3520
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\WindowsPowershell\VI0chP82TFTqVrG3Bjsvcsa.vbe"
        3⤵
        • Checks computer location settings
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1916
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\WindowsPowershell\n1fTnOesksBz0zKZA66cdxmhGX1WeII.bat" "
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2700
          • C:\Users\Admin\AppData\Roaming\WindowsPowershell\RunShell32.exe
            "C:\Users\Admin\AppData\Roaming\WindowsPowershell/RunShell32.exe"
            5⤵
            • Modifies WinLogon for persistence
            • Checks computer location settings
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:5004
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bmvgkhu3\bmvgkhu3.cmdline"
              6⤵
                PID:3236
                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES49.tmp" "c:\Windows\System32\CSCDC198467462149E1B9BAE4826697B0CC.TMP"
                  7⤵
                    PID:1644
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ELAMBKUP\RunShell32.exe'
                  6⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2812
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\OfficeClickToRun.exe'
                  6⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1216
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Multimedia Platform\Taskmgr.exe'
                  6⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1776
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\cmd.exe'
                  6⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2208
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\SppExtComObj.exe'
                  6⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3888
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\WindowsPowershell\RunShell32.exe'
                  6⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3064
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3YTGTu43ZF.bat"
                  6⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1076
                  • C:\Windows\system32\chcp.com
                    chcp 65001
                    7⤵
                      PID:5008
                    • C:\Windows\system32\PING.EXE
                      ping -n 10 localhost
                      7⤵
                      • System Network Configuration Discovery: Internet Connection Discovery
                      • Runs ping.exe
                      PID:2452
                    • C:\Program Files (x86)\Windows Multimedia Platform\Taskmgr.exe
                      "C:\Program Files (x86)\Windows Multimedia Platform\Taskmgr.exe"
                      7⤵
                      • Executes dropped EXE
                      PID:3620
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'
            2⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4248
        • C:\Windows\system32\taskmgr.exe
          "C:\Windows\system32\taskmgr.exe" /4
          1⤵
          • Checks SCSI registry key(s)
          • Checks processor information in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:1328
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RunShell32R" /sc MINUTE /mo 12 /tr "'C:\Windows\ELAMBKUP\RunShell32.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3796
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RunShell32" /sc ONLOGON /tr "'C:\Windows\ELAMBKUP\RunShell32.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3940
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RunShell32R" /sc MINUTE /mo 7 /tr "'C:\Windows\ELAMBKUP\RunShell32.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4540
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4652
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1504
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1496
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "TaskmgrT" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\Taskmgr.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4276
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "Taskmgr" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\Taskmgr.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:408
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "TaskmgrT" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\Taskmgr.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:788
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\cmd.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1032
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\cmd.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2284
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\cmd.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4368
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3712
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1288
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2572
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RunShell32R" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Roaming\WindowsPowershell\RunShell32.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3828
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RunShell32" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\WindowsPowershell\RunShell32.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:392
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RunShell32R" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\AppData\Roaming\WindowsPowershell\RunShell32.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3308

        Network

        MITRE ATT&CK Enterprise v15

        Reconnaissance

        Resource Development

        Initial Access

        Execution

        Command and Scripting Interpreter

        1
        T1059

        PowerShell

        1
        T1059.001

        Scheduled Task/Job

        1
        T1053

        Scheduled Task

        1
        T1053.005

        Persistence

        Boot or Logon Autostart Execution

        2
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Winlogon Helper DLL

        1
        T1547.004

        Scheduled Task/Job

        1
        T1053

        Scheduled Task

        1
        T1053.005

        Privilege Escalation

        Boot or Logon Autostart Execution

        2
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Winlogon Helper DLL

        1
        T1547.004

        Scheduled Task/Job

        1
        T1053

        Scheduled Task

        1
        T1053.005

        Defense Evasion

        Modify Registry

        2
        T1112

        Credential Access

        Credentials from Password Stores

        1
        T1555

        Credentials from Web Browsers

        1
        T1555.003

        Unsecured Credentials

        1
        T1552

        Credentials In Files

        1
        T1552.001

        Discovery

        Peripheral Device Discovery

        1
        T1120

        Query Registry

        4
        T1012

        Remote System Discovery

        1
        T1018

        System Information Discovery

        4
        T1082

        System Location Discovery

        1
        T1614

        System Language Discovery

        1
        T1614.001

        System Network Configuration Discovery

        1
        T1016

        Internet Connection Discovery

        1
        T1016.001

        Lateral Movement

        Collection

        Data from Local System

        1
        T1005

        Command and Control

        Web Service

        1
        T1102

        Exfiltration

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
          Filesize

          3KB

          MD5

          3eb3833f769dd890afc295b977eab4b4

          SHA1

          e857649b037939602c72ad003e5d3698695f436f

          SHA256

          c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

          SHA512

          c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          1KB

          MD5

          c67441dfa09f61bca500bb43407c56b8

          SHA1

          5a56cf7cbeb48c109e2128c31b681fac3959157b

          SHA256

          63082da456c124d0bc516d2161d1613db5f3008d903e4066d2c7b4e90b435f33

          SHA512

          325de8b718b3a01df05e20e028c5882240e5fd2e96c771361b776312923ff178f27494a1f5249bf6d7365a99155eb8735a51366e85597008e6a10462e63ee0e8

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          1KB

          MD5

          6b49bbe86f59b088238097b26fbee44e

          SHA1

          f896406a2d11c5e187214e9abd56d475acb57bc9

          SHA256

          771fb2b83d66c756a1773a0fd609de0af26471a74cf5b014425967ae3ccf9fdc

          SHA512

          a330a1f69dbc4ba24708efff7cdb6b508596a41b6423c0da7b79d1925413821f3eb22e5fcfcf56956619be6047d22ece5c0e6e28dd01a048f634208893cfd369

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          1KB

          MD5

          8b72d556be912fa1ef73f4ab037d8561

          SHA1

          1764da38c18a1a56079b26f6123c19985627d9ba

          SHA256

          8639156780e2bab1326686893e7dc968806b907be8bb5c2228a46694838e0e06

          SHA512

          dfe69a9caeaf54965ddfa7b27f0a1136c71728b5c0a703732fca51f66bc92651303f2c2d770dccc0a44883ce3e3971ef94b0412ec1e2265d89334ef4a7567dba

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          1KB

          MD5

          6010d23587bd700e58a5bab253c142c8

          SHA1

          a944a9add3b0c7e4e959cb496d13244707474211

          SHA256

          b212e2b9e60bb1a0013f9f811f96dd2538203b5eb5ee81af781e48ea87e561c7

          SHA512

          3bd630073c6f4e7b813401a83458f51d0140b9e692838ca67f113fc25c0edfbdc4117dc07a0a7c0b73400903a5ba88b1a49edb44f93d6197892da8c112a55145

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          1KB

          MD5

          c4923d3a0323989f651b3ee65e621dc0

          SHA1

          67f9c49ffca7b75b51fba838c0143126cbb659a3

          SHA256

          3fcee0d850be1fec80ab7213a4ac5ea8e6b90f4ab167bfb15af00d5e7faa0397

          SHA512

          b399b46c95faa32a918f19829972e995522e183229cdcc0aca50f536e3f00ebbdb26da0a370555e2067a1ed76d7765fa5c4ab18e456fe7b4c7034bf6c81234e7

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\3YTGTu43ZF.bat
          Filesize

          190B

          MD5

          21fea76ddf975b08ef526cee31014b72

          SHA1

          50cbb494e70016d9f5d0bc544d2082e46724a8d0

          SHA256

          365d3188dc95dbea9109e2e6b7492dc94828d98d465783f6a662b5a7c00cc884

          SHA512

          747308ad454616c28a3fc40ed380e66448e256cb421ca760030b5e767a14c652f6ee2fc1b540520d2791b858ccc39cc4f1add798d3de322370f22a313d0ecc84

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xn45hv0p.s4o.ps1
          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          Download Submit

        • C:\Users\Admin\AppData\Roaming\WindowsPowershell\RunShell32.exe
          Filesize

          546KB

          MD5

          4985f55c9f5ec83f2f1446697511b50d

          SHA1

          ec5bebded9627e02c54b44af4ee7c3e848a2b760

          SHA256

          1b6db4c6550bc469a778b32f860aad99520543939f77d96e1f26925e45516cfc

          SHA512

          a8da800cda2e801676f69b73d107072386da29320881dc217a633eddd7f6b272e93e37077560feb7dfeff535e4a8e48f70b86c094bb4203f9a7908ac126904d7

          Download Submit

        • C:\Users\Admin\AppData\Roaming\WindowsPowershell\VI0chP82TFTqVrG3Bjsvcsa.vbe
          Filesize

          234B

          MD5

          9afb657dd844fefad285552032ecc886

          SHA1

          6865b6f32d63313b04201024e90e54051693df45

          SHA256

          f73aa12c945b0462d806891248c63d6615f91adfb1e3b13a302a7c373e936749

          SHA512

          30f5f439d6deed17fd97bcaa21591691148bdca3b56c441c7fb50abb74ab2efe1c5ea09e482a923e82b9cd0c1998db7642c222380c70ad763e758fc05a062726

          Download Submit

        • C:\Users\Admin\AppData\Roaming\WindowsPowershell\n1fTnOesksBz0zKZA66cdxmhGX1WeII.bat
          Filesize

          82B

          MD5

          a5005fabe40459b8d2b4d10432b98a93

          SHA1

          e3545d2df80779f7bc2710be6dbcc50757cebd9d

          SHA256

          3b3bc7f58e9b4b7b908536b1cb80204c3a0677d5167ea17b876a2f687f41e3ac

          SHA512

          ad4f7b32771daf64eb4c0941f1ee4063fdeadc6db2df8615d9cf5d62786fc25af5804aa2a954a9bb9efdf55b22056a73a0c29b46f946adb1c84c2bf434aeaffb

          Download Submit

        • C:\Users\Admin\AppData\Roaming\clear.exe
          Filesize

          827KB

          MD5

          9de87e0dc207d2fe931d2ef4739c6199

          SHA1

          b6ede8f33bdd3dbd48493f73a7aabcd7c5bfb73e

          SHA256

          a77581597346f5de29d7cbdc58c63915f56613a50a9cab38d54fee515bea7893

          SHA512

          23034afbc6abf9b215a009641ba8b5e96cb1585d05cbefba90e1c06fba38c94329a02d54adadcde60ab6833e28bb91150a874da655f8ebc388799af493701386

          Download Submit

        • C:\Users\Admin\Desktop\Cleaner.deps.json
          Filesize

          413B

          MD5

          65abeb891565d28ac2b949935a1c0a75

          SHA1

          86322e06677475e0c19db51b97300d032f93c6ce

          SHA256

          efab1bdb04ee840cf24ee27ad0945d15137d7d5335cf6cfe422723fc1687d570

          SHA512

          93534ec48e18fe2f25c5d6e57df81e95ce26d1be9135902a1c3cda8512f2f49906c86fda2cd2c7f3c3e34aae546800a506cd2ae97a756e2284c77b7a534e9d78

          Download Submit

        • C:\Users\Admin\Desktop\Cleaner.dll
          Filesize

          41KB

          MD5

          80454e38e47945bd36dbcb0594abb03f

          SHA1

          28e8d14d134545b472807c52ee716f02e3fd7f88

          SHA256

          a5a1906b41cb519d6f91568c36c39e584c6bd2b19d1b349f7db0932c9192d42b

          SHA512

          85c653486fd2fcada31e6d24b8e9410bbbb521e77e0c0853ceac0c94d572b1fafbe7ffa1757fc3ad921c4cd04de06981cc879abc428b53ad38aef5906a4ed576

          Download Submit

        • C:\Users\Admin\Desktop\Cleaner.exe
          Filesize

          135KB

          MD5

          841b140605c0d2b5ac6e945aeb72d201

          SHA1

          dfe2431ffae7b8cbd0c8553dc31b8a282e2f421d

          SHA256

          07ae59d55b840b48328a77c5a8c03e400317a939410337ee73dacbe06dfaeb55

          SHA512

          f258d2057a85e87d3e520b7b8e986924a647e65b9748e359cee7cc7959acb8fda3e65ceeeeae69c5b5f5160b81e32346ae6c922163a951af9cf02a06fa6fc2c6

          Download Submit

        • C:\Users\Admin\Desktop\Cleaner.runtimeconfig.json
          Filesize

          340B

          MD5

          253333997e82f7d44ea8072dfae6db39

          SHA1

          03b9744e89327431a619505a7c72fd497783d884

          SHA256

          28329cf08f6505e73806b17558b187c02f0c1c516fe47ebfb7a013d082aaa306

          SHA512

          56d99039e0fb6305588e9f87361e7e0d5051507bf321ba36619c4d29741f35c27c62f025a52523c9e1c7287aabf1533444330a8cdf840fa5af0fa2241fcb4fc2

          Download Submit

        • memory/1328-54-0x0000016606A90000-0x0000016606A91000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1328-48-0x0000016606A90000-0x0000016606A91000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1328-49-0x0000016606A90000-0x0000016606A91000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1328-52-0x0000016606A90000-0x0000016606A91000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1328-51-0x0000016606A90000-0x0000016606A91000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1328-53-0x0000016606A90000-0x0000016606A91000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1328-50-0x0000016606A90000-0x0000016606A91000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1328-43-0x0000016606A90000-0x0000016606A91000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1328-44-0x0000016606A90000-0x0000016606A91000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1328-42-0x0000016606A90000-0x0000016606A91000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4248-23-0x00000254642A0000-0x00000254642C2000-memory.dmp

          Filesize

          136KB

          Download

        • memory/5004-59-0x0000000000070000-0x0000000000078000-memory.dmp

          Filesize

          32KB

          Download

        • memory/5004-73-0x0000000002190000-0x000000000219E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/5004-75-0x00000000021B0000-0x00000000021BC000-memory.dmp

          Filesize

          48KB

          Download

        • memory/5004-77-0x00000000021C0000-0x00000000021CE000-memory.dmp

          Filesize

          56KB

          Download

        • memory/5004-79-0x00000000021D0000-0x00000000021D8000-memory.dmp

          Filesize

          32KB

          Download

        • memory/5004-81-0x000000001ACC0000-0x000000001ACCC000-memory.dmp

          Filesize

          48KB

          Download

        • memory/5004-71-0x00000000020F0000-0x00000000020FC000-memory.dmp

          Filesize

          48KB

          Download

        • memory/5004-69-0x00000000020E0000-0x00000000020EE000-memory.dmp

          Filesize

          56KB

          Download

        • memory/5004-67-0x0000000002130000-0x0000000002148000-memory.dmp

          Filesize

          96KB

          Download

        • memory/5004-65-0x000000001B100000-0x000000001B150000-memory.dmp

          Filesize

          320KB

          Download

        • memory/5004-64-0x0000000002110000-0x000000000212C000-memory.dmp

          Filesize

          112KB

          Download

        • memory/5004-62-0x00000000020D0000-0x00000000020DE000-memory.dmp

          Filesize

          56KB

          Download

        • memory/5004-60-0x000000001ABC0000-0x000000001ACC0000-memory.dmp

          Filesize

          1024KB

          Download