Overview

overview

10

Static

static

3

2025-04-04...er.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    104s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/04/2025, 08:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2025-04-04_f5a8391ab9a526413109128a1524f134_black-basta_cova_luca-stealer.exe

  • Size

    2.2MB

  • MD5

    f5a8391ab9a526413109128a1524f134

  • SHA1

    6ad323f39914b8e906f00281eb70a92f7c0a0c37

  • SHA256

    681004db18c97eaf371b788f51630be4c29560495829c0b75bae1055f208e9d3

  • SHA512

    99b7058fc8eb0cc48b8eefdb8618968b8f5190c6db543ee4f1c5e31f9c74b3d92d81cb638d5cbe2daafb83f00bf4f9d9451060aa4752f443dad33192dacccbdc

  • SSDEEP

    49152:IBJ4GiOrdde7gQp6MnZkbWDR7s6AsP83RMZlY7r+d:yiX7gS6iZkAY53RMZl3d

Score
10/10
dcratdiscoveryexecutioninfostealerrat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 21 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-04-04_f5a8391ab9a526413109128a1524f134_black-basta_cova_luca-stealer.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-04-04_f5a8391ab9a526413109128a1524f134_black-basta_cova_luca-stealer.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4568
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\SoundPad\cDOkiMgptasLhdn5YrDYggAoa1CfuwL8AKPRvHwPWoRQiukeOneR5T.vbe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2412
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SoundPad\QVxLdHh9hSZggBMD2Bm1BqE9yWceCWKEsBQtfGJIn3GYqgEP.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:5828
        • C:\Users\Admin\AppData\Local\Temp\SoundPad\soundpadhelper.exe
          "C:\Users\Admin\AppData\Local\Temp\SoundPad/soundpadhelper.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:5032
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:1940
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:2384
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/4a1a673fc74137b1e3a2cc/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:2568
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/8d19d0e8d5fcbfdcd3d915bf7314/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:116
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:4056
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:3648
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:1672
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:5580
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:1612
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:2796
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:5228
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:4128
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:2060
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\4a1a673fc74137b1e3a2cc\conhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:3092
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\Oracle\Java\javapath\spoolsv.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:2900
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\8d19d0e8d5fcbfdcd3d915bf7314\cmd.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:4852
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\8d19d0e8d5fcbfdcd3d915bf7314\RuntimeBroker.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:3312
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\4a1a673fc74137b1e3a2cc\winlogon.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:4012
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\SoundPad\soundpadhelper.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:1660
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NH5xPKhMUc.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:6104
            • C:\Windows\system32\chcp.com
              chcp 65001
              6⤵
                PID:4816
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                6⤵
                  PID:3420
                • C:\4a1a673fc74137b1e3a2cc\conhost.exe
                  "C:\4a1a673fc74137b1e3a2cc\conhost.exe"
                  6⤵
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2396
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\4a1a673fc74137b1e3a2cc\conhost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1292
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\4a1a673fc74137b1e3a2cc\conhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:764
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\4a1a673fc74137b1e3a2cc\conhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4412
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Common Files\Oracle\Java\javapath\spoolsv.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3528
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Oracle\Java\javapath\spoolsv.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3904
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\Oracle\Java\javapath\spoolsv.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:5420
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\8d19d0e8d5fcbfdcd3d915bf7314\cmd.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4788
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\8d19d0e8d5fcbfdcd3d915bf7314\cmd.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4548
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\8d19d0e8d5fcbfdcd3d915bf7314\cmd.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:5264
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\8d19d0e8d5fcbfdcd3d915bf7314\RuntimeBroker.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3392
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\8d19d0e8d5fcbfdcd3d915bf7314\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3968
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\8d19d0e8d5fcbfdcd3d915bf7314\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2424
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\4a1a673fc74137b1e3a2cc\winlogon.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4216
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\4a1a673fc74137b1e3a2cc\winlogon.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:6136
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\4a1a673fc74137b1e3a2cc\winlogon.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:552
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "soundpadhelpers" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Local\Temp\SoundPad\soundpadhelper.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:5260
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "soundpadhelper" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\SoundPad\soundpadhelper.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:444
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "soundpadhelpers" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\AppData\Local\Temp\SoundPad\soundpadhelper.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4264

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
        Filesize

        2KB

        MD5

        750e4be22a6fdadd7778a388198a9ee3

        SHA1

        8feb2054d8a3767833dd972535df54f0c3ab6648

        SHA256

        26209c196c9c45202d27468ea707b2b46f375bb612d50271924a28f9210df6a1

        SHA512

        b0415087dfc32908b449b876b395a607698b0f7b72031916b6fe7c002e4b163ba318b7e85c8ce41f007429e666974c04967bc14345e3f4614e34d94f5c8ae804

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        681e61532ff712d8340986e1c9913ef5

        SHA1

        84a8edb57465d211a98980b5788c18a2584edcdf

        SHA256

        d6bd79a01f6f2501487a2e7cad738bd2fb6ee772191a79d15cad1b995bcdb66a

        SHA512

        26822d15d1c676fe6f59470b828b783751187947a22f2e0baded0629473f78e33f3c048e0bc3548e1e4ad817fadac968a91dca1f1231433204df0b5ead03462f

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        35be6e176d67a5af3e24a7f54b4a9574

        SHA1

        900bbb3f3f8a9d38a4e548b4ba60838a9eae41b9

        SHA256

        c0be8fe9bbed3f82068a8179a28fadfcaef8a524818f34b87b59b5e1b2cae1c7

        SHA512

        09d15913b88d2eb7529d661c5bb2ee20eef0a7df92b5eaaadb2ebc70ad68d9c38b341b148ac058c895b7f85a54d703c3543b043d8d2a3f0536d21d3c7ebbe15f

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        c667bc406c30dedf08683212c4a204b5

        SHA1

        4d713119a8483f32461a45e8291a2b8dc1fc4e7d

        SHA256

        0789d8328acb13062de330425e072019c1d81bea70923d5ef5428f9604d969cf

        SHA512

        1f6b49f11baf3b4289677d8b27537e016896fc878d14af3d8c132d6800a591a632b31203edd570f3f8b90e7c0047a4f4ecd938c10520832d2df55ba35a53bd48

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        4552709998d20ebebb7d79b1e2caba85

        SHA1

        a136173b2c02a5c678afbfb05d859dcf7fce5e73

        SHA256

        e96edbb0c4584421178d50c77bb16d7fe8b3839c357c170268dc13c00e8bb435

        SHA512

        53f623fa2780ceead709084e842a38f01ae921223e2bff2a97e45ad4a792c73e7370e97da4d323a5b857bf446e3295b6422ffa2dbaf68d34a65ebf6751d7d83f

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        c926b492b1d39d04f6e9656ec7f5877d

        SHA1

        c2cb3c49c5aa9b0616a7ddb11c9a1453855b352a

        SHA256

        b0beda1f817ee65a341d4792f15dbd70be363835d7ebc3af6302b771295bc907

        SHA512

        df815fe9c34f85a90c3692534993955ca3c6f57a317f46bd9366152993c5918cd6f376678f9957ae43317bb7f1f5ba65ae175dce8f5e9735749263214e1fe74e

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        56addce8ad0788fa7ed121c8239f965f

        SHA1

        ac9482a712ad866d8d8ba241489613344883ba32

        SHA256

        cf8f4a84a53607b45f9dfed75c34776b03777d64ac3c44112ccc5638957557d8

        SHA512

        ecb98df46c6ccec6e9f401f1c8456b26cf38afe82e2bea885c8dc10619fcbaba9e89432f055b1bdbcce40254b06b1e20e330ea4ac724e4f0c673a5697c548521

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        8d7ef90d60b004c1ca554407c4ce6d0f

        SHA1

        8d57fc1cbb9776bb85c8c740a7ad2bc10c531fb4

        SHA256

        5a2c61fa1c443a345a6f9961b72b01489f7ceaf7da9af4f9f217ae5e81a8bffb

        SHA512

        263d0d91a24adbe5e536a48145976876e88d09b57435efcafd622391f8c586c0d282c7cb78275074e039e3108474c1b13199be1adbcbd79990e6e6b3d60f2809

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        e69ced0a44ced088c3954d6ae03796e7

        SHA1

        ef4cac17b8643fb57424bb56907381a555a8cb92

        SHA256

        49ee2b78c2766e68fad51109337710f032e25649bcebebf14562edfbf2e98108

        SHA512

        15ebe961c61ee8efadd8370d856c936e5b605c3b847b8ddabb3cafb63c724d374a0a9567054852444de95794c7c8b3f9f12d05258104573c7546ff88023d7cd4

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        0f29d4b03e157fa020f2b793683543af

        SHA1

        1b0603266b02dd38444489e0d5e18ee93b6b766a

        SHA256

        eec5516679b34fb0efe983a81cc19b0b5cf33fd3191d5d8fd5c3fb082a55d410

        SHA512

        b0cca3aa1373f813a7a16a1ca94b7e048d83f8875b28949d7ece9668c5cb847250d1468080a85e478833a8876b668a8a6e0ef4df4a289ca66badac3af00dc5c4

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        3357c199be211a745818714039e25935

        SHA1

        7d50d07ff2e234f3d10a88363796cbd615b1e9a3

        SHA256

        668bb751b77a8c5c53c7efcb71e3ee9b2902388e0503e6d6ad3647587a0a0a38

        SHA512

        052751067bede3dba675313a1c0d88c0e76d62bbc903dbd9ba4cf2b8d03530716c021926bbe34242af9516a77e27df080d1cedde04d8cb51c88c1484ea8a1077

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        80dfd43d9904cb4bdd37f6934f47ccf8

        SHA1

        72c0981be679ef6a22cbabbdc3e02a7e80a3eafc

        SHA256

        a6e60a417d8c6649d78716bcfae64c452ca60367f2280f0b41d5febac503edad

        SHA512

        793f081a3c5f89a88e4472be0ee26f04f47cbba6a8c5af2710fb8d09a224fc7ded64ff68924325cce0b518f330458cdd0bfafbab9f805ddcc68393aa3f179247

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        94f35f261590c8add6967ae13ee05fab

        SHA1

        e0e5828e2c4b7d1937fde13dbfcc63f59c1899c7

        SHA256

        db908d6ae1a8ae3e77e93332eaa24f8316aa9e65285996439d35a133024e1a63

        SHA512

        3e3438bc5e8dfe738d8cf374d444f9f8600cadac6071708426b7852d3a84f0363f79ae6895f11206b5c7fbb8c850725318196c4171112634cfef3d2d70d1e8fb

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\NH5xPKhMUc.bat
        Filesize

        213B

        MD5

        eb87dea8a5179f2a491d2283ef5bee8a

        SHA1

        40ad869dd695d4e733e841adf1b4947258ed8f90

        SHA256

        17f1b1e74db8b72794a137c009dbcce77031e202b80b45e0dd009a4284bd8cfd

        SHA512

        6e0a39570977811d20a3a94319cbdcc0e850d8d12b193da9ed370da515d4abd98793d8ae5c1aa0b6953877cd0a31f8b3c60d8d177f3b2378a482c13cf1303f9e

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\SoundPad\QVxLdHh9hSZggBMD2Bm1BqE9yWceCWKEsBQtfGJIn3GYqgEP.bat
        Filesize

        89B

        MD5

        584e152fa5fd3875e13bcfc30a1f87bb

        SHA1

        76030af815e5901b01c6a9c8d8229443017d73da

        SHA256

        58d081f31e09658e3082991bbee29efe7df4c367176f3aa029ce7e8857fe8a41

        SHA512

        eed7e66451e3e322a32adfc874edf93c4771bf0ff9c8936439269ff36fff7754ca83a3df3361e102d8304fee5bf397c6b102abd1a1fe7d92230c7023cc70ebd1

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\SoundPad\cDOkiMgptasLhdn5YrDYggAoa1CfuwL8AKPRvHwPWoRQiukeOneR5T.vbe
        Filesize

        238B

        MD5

        8aa0a732bf82731921e4552a331cd01b

        SHA1

        cb5c0251b34bea77266d32b91edbbde118a96928

        SHA256

        8dbc65719f282edbeceaa88e3b3196340ce39cdbc2358ffce61db818dcfad419

        SHA512

        95dc9862f23343b041b60c104d6a7c63c5bccf16bd53444d1940c56ab4a7bbd3fa65aea961f3619fefefe5c3ca62e9d39cb68c737d0fa1f04494d4309ec37a6f

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\SoundPad\soundpadhelper.exe
        Filesize

        1.9MB

        MD5

        330b927769bbabe0025186de858e206c

        SHA1

        12ede2779bfcd24fb244efe25fd4e8f4aeef8741

        SHA256

        27a05eb64a04c2e438c724741e455005e1c075403a25788303d6dc054e20a55b

        SHA512

        c0e66f48c190f6b7a1bdb65df9fda443386f7d0ff0c43d05bc4bdfebe113ccd7f29b0451096688e5180f3e3c145b74849d66679ef06819663836e26e16c81207

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_32zclzub.qvd.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • memory/2384-57-0x000001E7FAEF0000-0x000001E7FAF12000-memory.dmp

        Filesize

        136KB

        Download

      • memory/5032-20-0x00000000027C0000-0x00000000027D8000-memory.dmp

        Filesize

        96KB

        Download

      • memory/5032-22-0x0000000002650000-0x000000000265C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/5032-18-0x000000001B120000-0x000000001B170000-memory.dmp

        Filesize

        320KB

        Download

      • memory/5032-17-0x00000000027A0000-0x00000000027BC000-memory.dmp

        Filesize

        112KB

        Download

      • memory/5032-15-0x0000000002640000-0x000000000264E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/5032-13-0x0000000000260000-0x000000000044E000-memory.dmp

        Filesize

        1.9MB

        Download

      • memory/5032-12-0x00007FF9CBDD3000-0x00007FF9CBDD5000-memory.dmp

        Filesize

        8KB

        Download

      • memory/5032-24-0x0000000002780000-0x000000000278E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/5032-26-0x0000000002790000-0x000000000279C000-memory.dmp

        Filesize

        48KB

        Download