dcrat | cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f

Analysis

max time kernel
104s
max time network
86s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
28/12/2022, 09:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
Size

1.6MB
MD5

3378bb01af514e4220b658beeb1472fd
SHA1

c59f060b067dbdfc61592fc8b5a8bc1d7c025a3c
SHA256

cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f
SHA512

fb8e57a58034db378b5c4ca69ae198be47b94b02ffbe965edda5f4078e16a210cb1599e93f4512e5251cf874eb129576d0853eed4de1cc8bc0d64afb6c33d916
SSDEEP

24576:+XGq9fNAehxNnn+MsgnUQ0+vgd9Ulk5R/+VKkccpScpuw72sEeh8Sx8y:vqVNxhxFVKQKHgk5RmVKG7dr

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat 8 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		1940	schtasks.exe
		1760	schtasks.exe
		548	schtasks.exe
		1644	schtasks.exe
		604	schtasks.exe
File created	C:\Program Files (x86)\Uninstall Information\wininit.exe		HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
File created	C:\Program Files (x86)\Uninstall Information\56085415360792		HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
		1364	schtasks.exe

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Uninstall Information\\wininit.exe\", \"C:\\Windows\\System32\\inetppui\\lsass.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Uninstall Information\\wininit.exe\", \"C:\\Windows\\System32\\inetppui\\lsass.exe\", \"C:\\Windows\\System32\\C_21025\\csrss.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Uninstall Information\\wininit.exe\", \"C:\\Windows\\System32\\inetppui\\lsass.exe\", \"C:\\Windows\\System32\\C_21025\\csrss.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\dd_SetupUtility\\HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Uninstall Information\\wininit.exe\", \"C:\\Windows\\System32\\inetppui\\lsass.exe\", \"C:\\Windows\\System32\\C_21025\\csrss.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\dd_SetupUtility\\HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe\", \"C:\\ProgramData\\Mozilla\\updates\\308046B0AF4A39CB\\services.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Uninstall Information\\wininit.exe\", \"C:\\Windows\\System32\\inetppui\\lsass.exe\", \"C:\\Windows\\System32\\C_21025\\csrss.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\dd_SetupUtility\\HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe\", \"C:\\ProgramData\\Mozilla\\updates\\308046B0AF4A39CB\\services.exe\", \"C:\\Windows\\System32\\SensorsClassExtension\\services.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Uninstall Information\\wininit.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1364	1528	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	1528	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	1528	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	548	1528	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	1528	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	604	1528	schtasks.exe	27

Executes dropped EXE 5 IoCs

pid	Process
1180	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
964	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
1076	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
1824	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
1976	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\C_21025\\csrss.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\C_21025\\csrss.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\dd_SetupUtility\\HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\dd_SetupUtility\\HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files (x86)\\Uninstall Information\\wininit.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\System32\\inetppui\\lsass.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\System32\\inetppui\\lsass.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\ProgramData\\Mozilla\\updates\\308046B0AF4A39CB\\services.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\ProgramData\\Mozilla\\updates\\308046B0AF4A39CB\\services.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\System32\\SensorsClassExtension\\services.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\System32\\SensorsClassExtension\\services.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files (x86)\\Uninstall Information\\wininit.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in System32 directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\inetppui\RCX93CD.tmp	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
File opened for modification	C:\Windows\System32\inetppui\lsass.exe	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
File opened for modification	C:\Windows\System32\C_21025\csrss.exe	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
File opened for modification	C:\Windows\System32\SensorsClassExtension\RCXBF08.tmp	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
File created	C:\Windows\System32\inetppui\lsass.exe	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
File created	C:\Windows\System32\C_21025\886983d96e3d3e	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
File created	C:\Windows\System32\SensorsClassExtension\services.exe	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
File created	C:\Windows\System32\SensorsClassExtension\c5b4cb5e9653cc	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
File opened for modification	C:\Windows\System32\C_21025\RCX9C18.tmp	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
File created	C:\Windows\System32\C_21025\csrss.exe	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
File opened for modification	C:\Windows\System32\C_21025\RCX9F73.tmp	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
File opened for modification	C:\Windows\System32\SensorsClassExtension\services.exe	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
File created	C:\Windows\System32\inetppui\6203df4a6bafc7	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
File opened for modification	C:\Windows\System32\inetppui\RCX9062.tmp	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
File opened for modification	C:\Windows\System32\SensorsClassExtension\RCXC263.tmp	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Uninstall Information\RCX8818.tmp	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
File created	C:\Program Files (x86)\Uninstall Information\wininit.exe	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\wininit.exe	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
File created	C:\Program Files (x86)\Uninstall Information\56085415360792	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\RCX84AD.tmp	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
604	schtasks.exe
1364	schtasks.exe
1940	schtasks.exe
1760	schtasks.exe
548	schtasks.exe
1644	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2012	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
2012	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
2012	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
2012	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
2012	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
2012	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
2012	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
2012	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
2012	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
2012	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
2012	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
2012	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
2012	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
2012	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
2012	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
2012	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
2012	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
2012	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
2012	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
2012	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
2012	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
2012	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
2012	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
2012	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
2012	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
2012	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
2012	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
2012	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
2012	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
2012	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
2012	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
2012	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
2012	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
2012	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
2012	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
2012	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
2012	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
2012	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
2012	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
2012	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
2012	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
2012	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
2012	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
1508	powershell.exe
1180	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
1180	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
1180	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
1180	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
1180	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
1180	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
1180	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
1180	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
1180	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
1180	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
1180	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
1180	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
1180	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
1180	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
1180	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
1180	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
1180	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
1180	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
1180	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
1180	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2012	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
Token: SeDebugPrivilege	1508	powershell.exe
Token: SeDebugPrivilege	1180	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
Token: SeDebugPrivilege	964	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
Token: SeDebugPrivilege	1076	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
Token: SeDebugPrivilege	1824	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
Token: SeDebugPrivilege	1976	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 1508	2012	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe	34
PID 2012 wrote to memory of 1508	2012	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe	34
PID 2012 wrote to memory of 1508	2012	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe	34
PID 2012 wrote to memory of 1180	2012	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe	36
PID 2012 wrote to memory of 1180	2012	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe	36
PID 2012 wrote to memory of 1180	2012	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe	36
PID 1180 wrote to memory of 308	1180	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe	37
PID 1180 wrote to memory of 308	1180	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe	37
PID 1180 wrote to memory of 308	1180	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe	37
PID 1180 wrote to memory of 1640	1180	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe	38
PID 1180 wrote to memory of 1640	1180	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe	38
PID 1180 wrote to memory of 1640	1180	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe	38
PID 1180 wrote to memory of 1540	1180	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe	39
PID 1180 wrote to memory of 1540	1180	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe	39
PID 1180 wrote to memory of 1540	1180	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe	39
PID 1540 wrote to memory of 1128	1540	cmd.exe	41
PID 1540 wrote to memory of 1128	1540	cmd.exe	41
PID 1540 wrote to memory of 1128	1540	cmd.exe	41
PID 308 wrote to memory of 964	308	WScript.exe	42
PID 308 wrote to memory of 964	308	WScript.exe	42
PID 308 wrote to memory of 964	308	WScript.exe	42
PID 1540 wrote to memory of 1076	1540	cmd.exe	43
PID 1540 wrote to memory of 1076	1540	cmd.exe	43
PID 1540 wrote to memory of 1076	1540	cmd.exe	43
PID 964 wrote to memory of 472	964	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe	44
PID 964 wrote to memory of 472	964	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe	44
PID 964 wrote to memory of 472	964	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe	44
PID 964 wrote to memory of 824	964	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe	45
PID 964 wrote to memory of 824	964	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe	45
PID 964 wrote to memory of 824	964	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe	45
PID 964 wrote to memory of 1508	964	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe	46
PID 964 wrote to memory of 1508	964	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe	46
PID 964 wrote to memory of 1508	964	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe	46
PID 1508 wrote to memory of 1028	1508	cmd.exe	48
PID 1508 wrote to memory of 1028	1508	cmd.exe	48
PID 1508 wrote to memory of 1028	1508	cmd.exe	48
PID 472 wrote to memory of 1824	472	WScript.exe	49
PID 472 wrote to memory of 1824	472	WScript.exe	49
PID 472 wrote to memory of 1824	472	WScript.exe	49
PID 1508 wrote to memory of 1976	1508	cmd.exe	50
PID 1508 wrote to memory of 1976	1508	cmd.exe	50
PID 1508 wrote to memory of 1976	1508	cmd.exe	50

C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
"C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe"
1⤵
- DcRat
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1508
- C:\Users\Admin\AppData\Local\Temp\dd_SetupUtility\HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
  "C:\Users\Admin\AppData\Local\Temp\dd_SetupUtility\HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1180
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1b4daaac-5ca5-4de5-9dea-87d85f6b83a6.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:308
  - - C:\Users\Admin\AppData\Local\Temp\dd_SetupUtility\HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
      C:\Users\Admin\AppData\Local\Temp\dd_SetupUtility\HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:964
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\54627216-3d6a-4262-ac53-564624b58ace.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:472
      - C:\Users\Admin\AppData\Local\Temp\dd_SetupUtility\HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
        
        C:\Users\Admin\AppData\Local\Temp\dd_SetupUtility\HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1824
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9b5b3635-240c-4b98-9a9b-b94d6f609947.vbs"
        5⤵
        
        PID:824
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6x2cfOw3ED.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1508
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1028
      - C:\Users\Admin\AppData\Local\Temp\dd_SetupUtility\HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dd_SetupUtility\HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1976
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\54d9cd5c-db79-4a4d-a28a-625fc750d7d6.vbs"
    3⤵
    PID:1640
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DCuC0H4DXb.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1540
  - - C:\Windows\system32\w32tm.exe
      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      4⤵
      PID:1128
  - - C:\Users\Admin\AppData\Local\Temp\dd_SetupUtility\HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
      "C:\Users\Admin\AppData\Local\Temp\dd_SetupUtility\HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\System32\inetppui\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\C_21025\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\dd_SetupUtility\HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\ProgramData\Mozilla\updates\308046B0AF4A39CB\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\System32\SensorsClassExtension\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:604

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Winlogon Helper DLL

T1004

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1b4daaac-5ca5-4de5-9dea-87d85f6b83a6.vbs

Filesize
827B

MD5
851ab31eb592c79b7dd5526fdb6e5914

SHA1
765b9647f4af6d94fc8b3472927e62621adc63a4

SHA256
9c7b5773a89f2e6fd4c8794f5c1ae52573ccdf5f5e878beadb6df7bafcee7865

SHA512
53249c9102e1797c0448a7ec273e1912346dcd0201d9759e96671c648ef021c2edf527be680d26d41249a208109e69028dd9a61021eab6d1dd242d83fccc168e

Download Submit
C:\Users\Admin\AppData\Local\Temp\54627216-3d6a-4262-ac53-564624b58ace.vbs

Filesize
826B

MD5
3d467cd900daa93d19789a201578e760

SHA1
d55935cd91903d1b37c4e25b61df94d1d1904782

SHA256
a39cf4748c5d61152c7147cd0120b2902ebf09d98869cc3373e1c2f9bf5d8f5d

SHA512
fe126c398925316e71a5e48436e1a38c6934d1e73f37a8643dca7c8f44e9844f106d6c1d678350f8c933a05b52b8ab9527f207f01ca593fed3f919f8c95ba2d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\54d9cd5c-db79-4a4d-a28a-625fc750d7d6.vbs

Filesize
603B

MD5
c56269bbdabe763e2d7a7a18c22e038f

SHA1
63b058e96b960714ea9b477d08a2229e1dd06240

SHA256
97bcef09ee2ef107cd84d58dd8b8bba28451af8ad5a43e1089b0c74761bfef77

SHA512
ffc915eb4dad8b57111369c2257a1d4f1fd3cb82cfb3f6d84ef573b6eb4a08f7c7b1a0163a12147969ee5a6db64092ee1b042bad8994fa14ba49199ae21e0c0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\6x2cfOw3ED.bat

Filesize
315B

MD5
040314e42ba5fa772751743a3f136a04

SHA1
c71fb1c137c4260559f9364fd8c7751f6f3e7b3c

SHA256
cf13104a8ba681be928deb359a1af8c33a8fd37794e589025f978872c7aad852

SHA512
185eb916a6f793350eb97d134be20c3f788698797f79821886468b98a8606edb025bef96b3edeb663b6ef7c970e7743709397a99e38c91be3b2967f87bd3e0d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\9b5b3635-240c-4b98-9a9b-b94d6f609947.vbs

Filesize
603B

MD5
c56269bbdabe763e2d7a7a18c22e038f

SHA1
63b058e96b960714ea9b477d08a2229e1dd06240

SHA256
97bcef09ee2ef107cd84d58dd8b8bba28451af8ad5a43e1089b0c74761bfef77

SHA512
ffc915eb4dad8b57111369c2257a1d4f1fd3cb82cfb3f6d84ef573b6eb4a08f7c7b1a0163a12147969ee5a6db64092ee1b042bad8994fa14ba49199ae21e0c0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DCuC0H4DXb.bat

Filesize
315B

MD5
c31e2a1b16a38925db9e25daf7d9a6c5

SHA1
df633e519b09c858b18fa37c54f4772680800b8b

SHA256
94e096109043f67b527c074cf4d429d292c2abcf937083fb2fdf4a7ee5ad2464

SHA512
f0e207d1098eb3555a0c27126fdb6139d62fe3e0c5dbd766db7ebc758882164111a8b679a7e283baf24dc148b3b97ff3d22df9003d9431b591a269472cdb9cbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_SetupUtility\HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe

Filesize
1.6MB

MD5
c9e0b8961f095953ac7f230572dc1874

SHA1
1a56ae777cc5231cf604385c77b8bf4cc0c79321

SHA256
24ab534a3078e2d5ef795a774dc768dec14ac2d9fc85e68d1a8871c9d4268d0f

SHA512
ca78583054a6ec28bcc86238a1431bbe3e299f517082b2ebb31ce326b137395132768545d9b788f78884031b6cf0d21713b78b176e5105e52047b597c85c8962

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_SetupUtility\HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe

Filesize
1.6MB

MD5
c9e0b8961f095953ac7f230572dc1874

SHA1
1a56ae777cc5231cf604385c77b8bf4cc0c79321

SHA256
24ab534a3078e2d5ef795a774dc768dec14ac2d9fc85e68d1a8871c9d4268d0f

SHA512
ca78583054a6ec28bcc86238a1431bbe3e299f517082b2ebb31ce326b137395132768545d9b788f78884031b6cf0d21713b78b176e5105e52047b597c85c8962

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_SetupUtility\HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe

Filesize
1.6MB

MD5
c9e0b8961f095953ac7f230572dc1874

SHA1
1a56ae777cc5231cf604385c77b8bf4cc0c79321

SHA256
24ab534a3078e2d5ef795a774dc768dec14ac2d9fc85e68d1a8871c9d4268d0f

SHA512
ca78583054a6ec28bcc86238a1431bbe3e299f517082b2ebb31ce326b137395132768545d9b788f78884031b6cf0d21713b78b176e5105e52047b597c85c8962

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_SetupUtility\HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe

Filesize
1.6MB

MD5
c9e0b8961f095953ac7f230572dc1874

SHA1
1a56ae777cc5231cf604385c77b8bf4cc0c79321

SHA256
24ab534a3078e2d5ef795a774dc768dec14ac2d9fc85e68d1a8871c9d4268d0f

SHA512
ca78583054a6ec28bcc86238a1431bbe3e299f517082b2ebb31ce326b137395132768545d9b788f78884031b6cf0d21713b78b176e5105e52047b597c85c8962

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_SetupUtility\HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe

Filesize
1.6MB

MD5
c9e0b8961f095953ac7f230572dc1874

SHA1
1a56ae777cc5231cf604385c77b8bf4cc0c79321

SHA256
24ab534a3078e2d5ef795a774dc768dec14ac2d9fc85e68d1a8871c9d4268d0f

SHA512
ca78583054a6ec28bcc86238a1431bbe3e299f517082b2ebb31ce326b137395132768545d9b788f78884031b6cf0d21713b78b176e5105e52047b597c85c8962

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_SetupUtility\HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe

Filesize
1.6MB

MD5
c9e0b8961f095953ac7f230572dc1874

SHA1
1a56ae777cc5231cf604385c77b8bf4cc0c79321

SHA256
24ab534a3078e2d5ef795a774dc768dec14ac2d9fc85e68d1a8871c9d4268d0f

SHA512
ca78583054a6ec28bcc86238a1431bbe3e299f517082b2ebb31ce326b137395132768545d9b788f78884031b6cf0d21713b78b176e5105e52047b597c85c8962

Download Submit
C:\Users\Admin\AppData\Local\Temp\f92c622e24b28b97669ccf954489ac33d69c327d.exe

Filesize
1.6MB

MD5
c9e0b8961f095953ac7f230572dc1874

SHA1
1a56ae777cc5231cf604385c77b8bf4cc0c79321

SHA256
24ab534a3078e2d5ef795a774dc768dec14ac2d9fc85e68d1a8871c9d4268d0f

SHA512
ca78583054a6ec28bcc86238a1431bbe3e299f517082b2ebb31ce326b137395132768545d9b788f78884031b6cf0d21713b78b176e5105e52047b597c85c8962

Download Submit
memory/964-104-0x000000001B006000-0x000000001B025000-memory.dmp

Filesize
124KB

Download
memory/964-96-0x0000000000110000-0x00000000002B4000-memory.dmp

Filesize
1.6MB

Download
memory/964-106-0x000000001B006000-0x000000001B025000-memory.dmp

Filesize
124KB

Download
memory/1180-93-0x0000000000716000-0x0000000000735000-memory.dmp

Filesize
124KB

Download
memory/1180-83-0x0000000000716000-0x0000000000735000-memory.dmp

Filesize
124KB

Download
memory/1180-80-0x0000000000070000-0x0000000000214000-memory.dmp

Filesize
1.6MB

Download
memory/1508-82-0x00000000024DB000-0x00000000024FA000-memory.dmp

Filesize
124KB

Download
memory/1508-75-0x000007FEEA4E0000-0x000007FEEB03D000-memory.dmp

Filesize
11.4MB

Download
memory/1508-85-0x00000000024DB000-0x00000000024FA000-memory.dmp

Filesize
124KB

Download
memory/1508-86-0x00000000024D4000-0x00000000024D7000-memory.dmp

Filesize
12KB

Download
memory/1508-76-0x00000000024D4000-0x00000000024D7000-memory.dmp

Filesize
12KB

Download
memory/1508-74-0x000007FEEB040000-0x000007FEEBA63000-memory.dmp

Filesize
10.1MB

Download
memory/1508-73-0x000007FEFB7E1000-0x000007FEFB7E3000-memory.dmp

Filesize
8KB

Download
memory/2012-68-0x0000000001F70000-0x0000000001F7C000-memory.dmp

Filesize
48KB

Download
memory/2012-61-0x0000000000970000-0x0000000000980000-memory.dmp

Filesize
64KB

Download
memory/2012-54-0x00000000009A0000-0x0000000000B44000-memory.dmp

Filesize
1.6MB

Download
memory/2012-67-0x0000000001F50000-0x0000000001F5A000-memory.dmp

Filesize
40KB

Download
memory/2012-66-0x0000000001F60000-0x0000000001F6C000-memory.dmp

Filesize
48KB

Download
memory/2012-65-0x0000000000990000-0x000000000099C000-memory.dmp

Filesize
48KB

Download
memory/2012-64-0x0000000000980000-0x000000000098C000-memory.dmp

Filesize
48KB

Download
memory/2012-63-0x0000000000960000-0x0000000000968000-memory.dmp

Filesize
32KB

Download
memory/2012-62-0x000000001B130000-0x000000001B13C000-memory.dmp

Filesize
48KB

Download
memory/2012-69-0x0000000001F80000-0x0000000001F8C000-memory.dmp

Filesize
48KB

Download
memory/2012-60-0x0000000000950000-0x0000000000962000-memory.dmp

Filesize
72KB

Download
memory/2012-70-0x000000001ACF6000-0x000000001AD15000-memory.dmp

Filesize
124KB

Download
memory/2012-59-0x0000000000940000-0x0000000000950000-memory.dmp

Filesize
64KB

Download
memory/2012-58-0x0000000000720000-0x0000000000730000-memory.dmp

Filesize
64KB

Download
memory/2012-57-0x0000000000360000-0x0000000000368000-memory.dmp

Filesize
32KB

Download
memory/2012-71-0x000000001ACF6000-0x000000001AD15000-memory.dmp

Filesize
124KB

Download
memory/2012-56-0x0000000000700000-0x000000000071C000-memory.dmp

Filesize
112KB

Download
memory/2012-81-0x000000001ACF6000-0x000000001AD15000-memory.dmp

Filesize
124KB

Download
memory/2012-55-0x0000000000150000-0x0000000000158000-memory.dmp

Filesize
32KB

Download