dcrat | cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f

Analysis

max time kernel
90s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
28/12/2022, 09:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
Size

1.6MB
MD5

3378bb01af514e4220b658beeb1472fd
SHA1

c59f060b067dbdfc61592fc8b5a8bc1d7c025a3c
SHA256

cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f
SHA512

fb8e57a58034db378b5c4ca69ae198be47b94b02ffbe965edda5f4078e16a210cb1599e93f4512e5251cf874eb129576d0853eed4de1cc8bc0d64afb6c33d916
SSDEEP

24576:+XGq9fNAehxNnn+MsgnUQ0+vgd9Ulk5R/+VKkccpScpuw72sEeh8Sx8y:vqVNxhxFVKQKHgk5RmVKG7dr

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat 8 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		3608	schtasks.exe
		4256	schtasks.exe
		760	schtasks.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\Search.Core\38384e6a620884		HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
		1668	schtasks.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\Search.Core\SearchApp.exe		HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
		2500	schtasks.exe
		1232	schtasks.exe

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\Search.Core\\SearchApp.exe\", \"C:\\Windows\\System32\\ngctasks\\lsass.exe\", \"C:\\Windows\\write\\explorer.exe\", \"C:\\odt\\OfficeClickToRun.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\Search.Core\\SearchApp.exe\", \"C:\\Windows\\System32\\ngctasks\\lsass.exe\", \"C:\\Windows\\write\\explorer.exe\", \"C:\\odt\\OfficeClickToRun.exe\", \"C:\\Windows\\System32\\scrptadm\\dllhost.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\Search.Core\\SearchApp.exe\", \"C:\\Windows\\System32\\ngctasks\\lsass.exe\", \"C:\\Windows\\write\\explorer.exe\", \"C:\\odt\\OfficeClickToRun.exe\", \"C:\\Windows\\System32\\scrptadm\\dllhost.exe\", \"C:\\PerfLogs\\sihost.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\Search.Core\\SearchApp.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\Search.Core\\SearchApp.exe\", \"C:\\Windows\\System32\\ngctasks\\lsass.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\Search.Core\\SearchApp.exe\", \"C:\\Windows\\System32\\ngctasks\\lsass.exe\", \"C:\\Windows\\write\\explorer.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	3000	schtasks.exe	22
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	3000	schtasks.exe	22
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1232	3000	schtasks.exe	22
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3608	3000	schtasks.exe	22
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4256	3000	schtasks.exe	22
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	760	3000	schtasks.exe	22

Executes dropped EXE 7 IoCs

pid	Process
864	explorer.exe
3100	explorer.exe
872	explorer.exe
1216	explorer.exe
1832	explorer.exe
2528	explorer.exe
3452	explorer.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	explorer.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\PerfLogs\\sihost.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\Search.Core\\SearchApp.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\System32\\ngctasks\\lsass.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\write\\explorer.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\write\\explorer.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\odt\\OfficeClickToRun.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\PerfLogs\\sihost.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\Search.Core\\SearchApp.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\System32\\ngctasks\\lsass.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\odt\\OfficeClickToRun.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\scrptadm\\dllhost.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\scrptadm\\dllhost.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in System32 directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\scrptadm\RCXA920.tmp	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
File opened for modification	C:\Windows\System32\scrptadm\RCXA99E.tmp	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
File created	C:\Windows\System32\ngctasks\lsass.exe	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
File opened for modification	C:\Windows\System32\ngctasks\RCXA070.tmp	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
File opened for modification	C:\Windows\System32\ngctasks\lsass.exe	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
File opened for modification	C:\Windows\System32\ngctasks\RCX9FF2.tmp	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
File opened for modification	C:\Windows\System32\scrptadm\dllhost.exe	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
File created	C:\Windows\System32\ngctasks\6203df4a6bafc7	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
File created	C:\Windows\System32\scrptadm\dllhost.exe	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
File created	C:\Windows\System32\scrptadm\5940a34987c991	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\Search.Core\SearchApp.exe	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\Search.Core\38384e6a620884	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
File created	C:\Windows\write\7a0fd90576e088	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\Search.Core\RCX9CF2.tmp	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\Search.Core\SearchApp.exe	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
File created	C:\Windows\write\explorer.exe	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\Search.Core\RCX9D70.tmp	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
File opened for modification	C:\Windows\write\RCXA301.tmp	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
File opened for modification	C:\Windows\write\RCXA38F.tmp	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
File opened for modification	C:\Windows\write\explorer.exe	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1668	schtasks.exe
2500	schtasks.exe
1232	schtasks.exe
3608	schtasks.exe
4256	schtasks.exe
760	schtasks.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
764	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
764	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
764	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
764	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
764	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
764	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
764	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
764	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
764	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
764	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
764	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
764	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
764	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
764	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
764	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
764	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
764	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
764	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
764	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
764	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
764	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
764	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
764	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
764	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
764	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
764	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
764	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
2248	powershell.exe
2248	powershell.exe
764	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
764	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
3100	explorer.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	764	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
Token: SeDebugPrivilege	2248	powershell.exe
Token: SeDebugPrivilege	864	explorer.exe
Token: SeDebugPrivilege	3100	explorer.exe
Token: SeDebugPrivilege	872	explorer.exe
Token: SeDebugPrivilege	1216	explorer.exe
Token: SeDebugPrivilege	1832	explorer.exe
Token: SeDebugPrivilege	2528	explorer.exe
Token: SeDebugPrivilege	3452	explorer.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 764 wrote to memory of 2248	764	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe	86
PID 764 wrote to memory of 2248	764	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe	86
PID 764 wrote to memory of 864	764	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe	88
PID 764 wrote to memory of 864	764	HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe	88
PID 864 wrote to memory of 5028	864	explorer.exe	89
PID 864 wrote to memory of 5028	864	explorer.exe	89
PID 864 wrote to memory of 3552	864	explorer.exe	90
PID 864 wrote to memory of 3552	864	explorer.exe	90
PID 864 wrote to memory of 2932	864	explorer.exe	91
PID 864 wrote to memory of 2932	864	explorer.exe	91
PID 2932 wrote to memory of 2192	2932	cmd.exe	93
PID 2932 wrote to memory of 2192	2932	cmd.exe	93
PID 5028 wrote to memory of 3100	5028	WScript.exe	94
PID 5028 wrote to memory of 3100	5028	WScript.exe	94
PID 3100 wrote to memory of 4692	3100	explorer.exe	95
PID 3100 wrote to memory of 4692	3100	explorer.exe	95
PID 3100 wrote to memory of 2096	3100	explorer.exe	96
PID 3100 wrote to memory of 2096	3100	explorer.exe	96
PID 2932 wrote to memory of 872	2932	cmd.exe	98
PID 2932 wrote to memory of 872	2932	cmd.exe	98
PID 3100 wrote to memory of 3360	3100	explorer.exe	99
PID 3100 wrote to memory of 3360	3100	explorer.exe	99
PID 3360 wrote to memory of 4448	3360	cmd.exe	101
PID 3360 wrote to memory of 4448	3360	cmd.exe	101
PID 4692 wrote to memory of 1216	4692	WScript.exe	104
PID 4692 wrote to memory of 1216	4692	WScript.exe	104
PID 1216 wrote to memory of 1908	1216	explorer.exe	106
PID 1216 wrote to memory of 1908	1216	explorer.exe	106
PID 1216 wrote to memory of 3684	1216	explorer.exe	107
PID 1216 wrote to memory of 3684	1216	explorer.exe	107
PID 3360 wrote to memory of 1832	3360	cmd.exe	108
PID 3360 wrote to memory of 1832	3360	cmd.exe	108
PID 1216 wrote to memory of 2348	1216	explorer.exe	110
PID 1216 wrote to memory of 2348	1216	explorer.exe	110
PID 2348 wrote to memory of 3964	2348	cmd.exe	112
PID 2348 wrote to memory of 3964	2348	cmd.exe	112
PID 1908 wrote to memory of 2528	1908	WScript.exe	113
PID 1908 wrote to memory of 2528	1908	WScript.exe	113
PID 2348 wrote to memory of 3452	2348	cmd.exe	116
PID 2348 wrote to memory of 3452	2348	cmd.exe	116

C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe
"C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Spy.MSIL.Stealer.gen-cfc44518bea24306b5439c2a076aca4fed2a744c68fe0124074d5fee3fc0857f.exe"
1⤵
- DcRat
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:764
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2248
- C:\Windows\write\explorer.exe
  "C:\Windows\write\explorer.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:864
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5b9f1e56-a708-412d-8322-242571a8c05d.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5028
  - - C:\Windows\write\explorer.exe
      C:\Windows\write\explorer.exe
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3100
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1b5526ce-fa29-408f-b586-fcb6fdeedb32.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4692
      - C:\Windows\write\explorer.exe
        
        C:\Windows\write\explorer.exe
        6⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1216
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\88e0e190-0f02-487c-bf87-ab56c8173d42.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1908
        
        C:\Windows\write\explorer.exe
        
        C:\Windows\write\explorer.exe
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2528
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4ca60611-a296-4d74-a4ab-095bcc401cf7.vbs"
        7⤵
        
        PID:3684
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HiXkD60p2N.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:3964
        
        C:\Windows\write\explorer.exe
        
        "C:\Windows\write\explorer.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3452
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3e8b70b0-64e8-4f10-9333-d227ac7ee832.vbs"
        5⤵
        
        PID:2096
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LgxiiauvsB.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3360
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:4448
      - C:\Windows\write\explorer.exe
        
        "C:\Windows\write\explorer.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1832
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ed8b5919-c5a3-4239-ae2c-2c91240029b5.vbs"
    3⤵
    PID:3552
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Zcl4dB2r8y.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2932
  - - C:\Windows\system32\w32tm.exe
      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      4⤵
      PID:2192
  - - C:\Windows\write\explorer.exe
      "C:\Windows\write\explorer.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\Search.Core\SearchApp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\System32\ngctasks\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\write\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\odt\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\scrptadm\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\PerfLogs\sihost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:760

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Winlogon Helper DLL

T1004

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\explorer.exe.log

Filesize
1KB

MD5
4bbcb48b1e11c4c1152197ee29f6dc56

SHA1
de55c69709e00c7f5944cea9c1b353a8e8a002d2

SHA256
61aac74a0152ca5c2003d18586de70cdb756d32b02937a1c3931db94c4d5e0dc

SHA512
36d8125ac7eab84f5fbb24e2e9b97d936a111bca8bbeeaea85783fef2a6dff16cf51ebfd9b27d3357a2dbbf292b02447520eb95351807dd5de493628e33f395b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1b5526ce-fa29-408f-b586-fcb6fdeedb32.vbs

Filesize
705B

MD5
60bbffee78ad9db0f15b9c037271b192

SHA1
8fee912f73cb67b4b68209443a563ec0656099d2

SHA256
a17f10e19a9248910ce1fe51e9904fa639d2ce99ecd21f435dc83a2a887993cf

SHA512
a1ca6010ca5c735a353ab71fd9cbfddfa3f78ea271f74e182b774a9de9a93afff8940e561e475582e7c89ed83ccfa85b12e534f74d7aeaac0dbe86babcb3654b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3e8b70b0-64e8-4f10-9333-d227ac7ee832.vbs

Filesize
481B

MD5
8b2dc27ddef7ece007d1ba39af8f7c13

SHA1
8879747e844e5e0e338d830ac9d7d7af00293491

SHA256
2fbec05bbd530ed91e5741a651abf369b0c9f3f9ae20a6e6c98d63fd0c5545f2

SHA512
5fc875c03fd029fd55c1c5abc20f9fca8dceb868dbcbb31babc022fef96aa6897d6fcef09109d44fe651e7e0d22c2afc8c211419085734ba0a8192aad3f00e2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\4ca60611-a296-4d74-a4ab-095bcc401cf7.vbs

Filesize
481B

MD5
8b2dc27ddef7ece007d1ba39af8f7c13

SHA1
8879747e844e5e0e338d830ac9d7d7af00293491

SHA256
2fbec05bbd530ed91e5741a651abf369b0c9f3f9ae20a6e6c98d63fd0c5545f2

SHA512
5fc875c03fd029fd55c1c5abc20f9fca8dceb868dbcbb31babc022fef96aa6897d6fcef09109d44fe651e7e0d22c2afc8c211419085734ba0a8192aad3f00e2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\5b9f1e56-a708-412d-8322-242571a8c05d.vbs

Filesize
704B

MD5
528494ad0f37469d4d8f2b49febecebb

SHA1
cdfa8bd23d1bf275187727134eaba449bd4504df

SHA256
8079b4e3ee0b6e84882871bb3dc347c405f4228e3c4823a7cc979aa58e9d56b5

SHA512
1ba9cf2665508aaec3ebe12b984196584a182ec0ffc23b23fb98e68bb7fb8ee79584281e4c36eaf9e873c18148be20cb243be9dc484ed89f4b7e6584771f4e8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\6968a4aa4ec2a186dba47e59ffe8cc474640a7c8.exe

Filesize
1.6MB

MD5
07ab34a42af0c244e8cc859db53e8961

SHA1
2845b9a94570fd4cb321f9c91c6db52ad1465998

SHA256
b61f7a286c9cb3d305ee3bd80c6dfc72bae3fd6826e792f710ed316be6e63791

SHA512
eae8b93ded0e68e88b984e632b3203430c2582c9536c4ed542bfc14bdca450578459165c9aad27b4f3a25f6d7160ab2e88b80090632afdcf9b74463a165ac4c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\6968a4aa4ec2a186dba47e59ffe8cc474640a7c8.exe

Filesize
1.6MB

MD5
07ab34a42af0c244e8cc859db53e8961

SHA1
2845b9a94570fd4cb321f9c91c6db52ad1465998

SHA256
b61f7a286c9cb3d305ee3bd80c6dfc72bae3fd6826e792f710ed316be6e63791

SHA512
eae8b93ded0e68e88b984e632b3203430c2582c9536c4ed542bfc14bdca450578459165c9aad27b4f3a25f6d7160ab2e88b80090632afdcf9b74463a165ac4c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\88e0e190-0f02-487c-bf87-ab56c8173d42.vbs

Filesize
705B

MD5
7493aeb580e71d2b45974578c5c1000a

SHA1
b4184d27ba32921da7d6352bf150b3adeccecde0

SHA256
3ff3f491350ba3f9a363da160730bcabd613a8b26399c4f26efb2294447309a1

SHA512
b1fd6f8f8ecf5b2444b8a669c3eb58ac5fe2addce58f4847622fa673dc3c449b5c2b03cf7b1c7bcd41c97492baff34a3ce1813e44105fd158e34b499dbf98eb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\HiXkD60p2N.bat

Filesize
193B

MD5
a98d7d55d7666a732a86f9360fe4278a

SHA1
8dae7c9aa84a1b74a4e1285da0a2a99460ef0f73

SHA256
ca2d63b6ebb25380d330d65a7fe709d8ff4be76255ef44e6de01d2b483d93c38

SHA512
cb1de449bb3baec912d9352bcd5be06c0c14081dcaad1eba4931e4134fff2059c66f00f12eb13cd9ff55c53c912c7f0ba07c71a29c5b5162e69ae1801f80c7cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\LgxiiauvsB.bat

Filesize
193B

MD5
305492aac492d4c25bc3d5ca837918ea

SHA1
a40872e2f06c6cffaa3a4492e81e341c0545f05f

SHA256
e6e87464cd2f7568fb4a435950cb8b99bb7c51495fde3a716dcfd2f33548e813

SHA512
7d5b32d46d55af6f8e602607e3b7e445cb4360b18575dac97ac64af5bb7c43d185e4cc7e6c27cad53d040c3de0b2d35d52d7d8c506366a2b642e196ee595c471

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zcl4dB2r8y.bat

Filesize
193B

MD5
76e4c6a92b56a87ed9d817700df9d5f4

SHA1
b40a417a6456cc9e47f563c3e772f151ddbbca02

SHA256
41724a16638084b3c94d935c3d82b17a8fd860b38f94c4688a64b8ffd9ce51d1

SHA512
715487c4f1d909a5e82d0dcb6a9cd773e43574ae3f85b82b7866e5d3620940284f6fa6336b4a00042c026b2313d6ef6936fdc56ac340404ac919fb9df44612b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ed8b5919-c5a3-4239-ae2c-2c91240029b5.vbs

Filesize
481B

MD5
8b2dc27ddef7ece007d1ba39af8f7c13

SHA1
8879747e844e5e0e338d830ac9d7d7af00293491

SHA256
2fbec05bbd530ed91e5741a651abf369b0c9f3f9ae20a6e6c98d63fd0c5545f2

SHA512
5fc875c03fd029fd55c1c5abc20f9fca8dceb868dbcbb31babc022fef96aa6897d6fcef09109d44fe651e7e0d22c2afc8c211419085734ba0a8192aad3f00e2c

Download Submit
C:\Windows\write\explorer.exe

Filesize
1.6MB

MD5
07ab34a42af0c244e8cc859db53e8961

SHA1
2845b9a94570fd4cb321f9c91c6db52ad1465998

SHA256
b61f7a286c9cb3d305ee3bd80c6dfc72bae3fd6826e792f710ed316be6e63791

SHA512
eae8b93ded0e68e88b984e632b3203430c2582c9536c4ed542bfc14bdca450578459165c9aad27b4f3a25f6d7160ab2e88b80090632afdcf9b74463a165ac4c3

Download Submit
C:\Windows\write\explorer.exe

Filesize
1.6MB

MD5
07ab34a42af0c244e8cc859db53e8961

SHA1
2845b9a94570fd4cb321f9c91c6db52ad1465998

SHA256
b61f7a286c9cb3d305ee3bd80c6dfc72bae3fd6826e792f710ed316be6e63791

SHA512
eae8b93ded0e68e88b984e632b3203430c2582c9536c4ed542bfc14bdca450578459165c9aad27b4f3a25f6d7160ab2e88b80090632afdcf9b74463a165ac4c3

Download Submit
C:\Windows\write\explorer.exe

Filesize
1.6MB

MD5
07ab34a42af0c244e8cc859db53e8961

SHA1
2845b9a94570fd4cb321f9c91c6db52ad1465998

SHA256
b61f7a286c9cb3d305ee3bd80c6dfc72bae3fd6826e792f710ed316be6e63791

SHA512
eae8b93ded0e68e88b984e632b3203430c2582c9536c4ed542bfc14bdca450578459165c9aad27b4f3a25f6d7160ab2e88b80090632afdcf9b74463a165ac4c3

Download Submit
C:\Windows\write\explorer.exe

Filesize
1.6MB

MD5
07ab34a42af0c244e8cc859db53e8961

SHA1
2845b9a94570fd4cb321f9c91c6db52ad1465998

SHA256
b61f7a286c9cb3d305ee3bd80c6dfc72bae3fd6826e792f710ed316be6e63791

SHA512
eae8b93ded0e68e88b984e632b3203430c2582c9536c4ed542bfc14bdca450578459165c9aad27b4f3a25f6d7160ab2e88b80090632afdcf9b74463a165ac4c3

Download Submit
C:\Windows\write\explorer.exe

Filesize
1.6MB

MD5
07ab34a42af0c244e8cc859db53e8961

SHA1
2845b9a94570fd4cb321f9c91c6db52ad1465998

SHA256
b61f7a286c9cb3d305ee3bd80c6dfc72bae3fd6826e792f710ed316be6e63791

SHA512
eae8b93ded0e68e88b984e632b3203430c2582c9536c4ed542bfc14bdca450578459165c9aad27b4f3a25f6d7160ab2e88b80090632afdcf9b74463a165ac4c3

Download Submit
C:\Windows\write\explorer.exe

Filesize
1.6MB

MD5
07ab34a42af0c244e8cc859db53e8961

SHA1
2845b9a94570fd4cb321f9c91c6db52ad1465998

SHA256
b61f7a286c9cb3d305ee3bd80c6dfc72bae3fd6826e792f710ed316be6e63791

SHA512
eae8b93ded0e68e88b984e632b3203430c2582c9536c4ed542bfc14bdca450578459165c9aad27b4f3a25f6d7160ab2e88b80090632afdcf9b74463a165ac4c3

Download Submit
C:\Windows\write\explorer.exe

Filesize
1.6MB

MD5
07ab34a42af0c244e8cc859db53e8961

SHA1
2845b9a94570fd4cb321f9c91c6db52ad1465998

SHA256
b61f7a286c9cb3d305ee3bd80c6dfc72bae3fd6826e792f710ed316be6e63791

SHA512
eae8b93ded0e68e88b984e632b3203430c2582c9536c4ed542bfc14bdca450578459165c9aad27b4f3a25f6d7160ab2e88b80090632afdcf9b74463a165ac4c3

Download Submit
C:\Windows\write\explorer.exe

Filesize
1.6MB

MD5
07ab34a42af0c244e8cc859db53e8961

SHA1
2845b9a94570fd4cb321f9c91c6db52ad1465998

SHA256
b61f7a286c9cb3d305ee3bd80c6dfc72bae3fd6826e792f710ed316be6e63791

SHA512
eae8b93ded0e68e88b984e632b3203430c2582c9536c4ed542bfc14bdca450578459165c9aad27b4f3a25f6d7160ab2e88b80090632afdcf9b74463a165ac4c3

Download Submit
memory/764-133-0x00007FFAFA6A0000-0x00007FFAFB161000-memory.dmp

Filesize
10.8MB

Download
memory/764-134-0x000000001B170000-0x000000001B1C0000-memory.dmp

Filesize
320KB

Download
memory/764-146-0x00007FFAFA6A0000-0x00007FFAFB161000-memory.dmp

Filesize
10.8MB

Download
memory/764-148-0x000000001CD50000-0x000000001CD54000-memory.dmp

Filesize
16KB

Download
memory/764-139-0x000000001CD54000-0x000000001CD57000-memory.dmp

Filesize
12KB

Download
memory/764-136-0x000000001CD50000-0x000000001CD54000-memory.dmp

Filesize
16KB

Download
memory/764-132-0x00000000004D0000-0x0000000000674000-memory.dmp

Filesize
1.6MB

Download
memory/764-135-0x0000000000D99000-0x0000000000D9F000-memory.dmp

Filesize
24KB

Download
memory/764-147-0x0000000000D99000-0x0000000000D9F000-memory.dmp

Filesize
24KB

Download
memory/864-145-0x0000000000640000-0x00000000007E4000-memory.dmp

Filesize
1.6MB

Download
memory/864-162-0x000000001CA50000-0x000000001CA54000-memory.dmp

Filesize
16KB

Download
memory/864-163-0x000000001CA54000-0x000000001CA57000-memory.dmp

Filesize
12KB

Download
memory/864-161-0x000000001B429000-0x000000001B42F000-memory.dmp

Filesize
24KB

Download
memory/864-149-0x00007FFAFA6A0000-0x00007FFAFB161000-memory.dmp

Filesize
10.8MB

Download
memory/864-160-0x00007FFAFA6A0000-0x00007FFAFB161000-memory.dmp

Filesize
10.8MB

Download
memory/864-156-0x000000001CA54000-0x000000001CA57000-memory.dmp

Filesize
12KB

Download
memory/864-155-0x000000001CA50000-0x000000001CA54000-memory.dmp

Filesize
16KB

Download
memory/864-154-0x000000001B429000-0x000000001B42F000-memory.dmp

Filesize
24KB

Download
memory/872-185-0x00007FFAFA6A0000-0x00007FFAFB161000-memory.dmp

Filesize
10.8MB

Download
memory/872-176-0x00007FFAFA6A0000-0x00007FFAFB161000-memory.dmp

Filesize
10.8MB

Download
memory/1216-194-0x000000001BAA9000-0x000000001BAAF000-memory.dmp

Filesize
24KB

Download
memory/1216-202-0x000000001BAA9000-0x000000001BAAF000-memory.dmp

Filesize
24KB

Download
memory/1216-188-0x00007FFAFA6A0000-0x00007FFAFB161000-memory.dmp

Filesize
10.8MB

Download
memory/1216-201-0x00007FFAFA6A0000-0x00007FFAFB161000-memory.dmp

Filesize
10.8MB

Download
memory/1832-197-0x00007FFAFA6A0000-0x00007FFAFB161000-memory.dmp

Filesize
10.8MB

Download
memory/1832-206-0x00007FFAFA6A0000-0x00007FFAFB161000-memory.dmp

Filesize
10.8MB

Download
memory/2248-144-0x00007FFAFA6A0000-0x00007FFAFB161000-memory.dmp

Filesize
10.8MB

Download
memory/2248-140-0x00007FFAFA6A0000-0x00007FFAFB161000-memory.dmp

Filesize
10.8MB

Download
memory/2248-138-0x0000019C5E7E0000-0x0000019C5E802000-memory.dmp

Filesize
136KB

Download
memory/2528-205-0x00007FFAFA6A0000-0x00007FFAFB161000-memory.dmp

Filesize
10.8MB

Download
memory/2528-210-0x00007FFAFA6A0000-0x00007FFAFB161000-memory.dmp

Filesize
10.8MB

Download
memory/3100-184-0x000000001CBF4000-0x000000001CBF7000-memory.dmp

Filesize
12KB

Download
memory/3100-182-0x000000001B669000-0x000000001B66F000-memory.dmp

Filesize
24KB

Download
memory/3100-177-0x000000001CBF0000-0x000000001CBF4000-memory.dmp

Filesize
16KB

Download
memory/3100-171-0x00007FFAFA6A0000-0x00007FFAFB161000-memory.dmp

Filesize
10.8MB

Download
memory/3100-181-0x00007FFAFA6A0000-0x00007FFAFB161000-memory.dmp

Filesize
10.8MB

Download
memory/3100-173-0x000000001B669000-0x000000001B66F000-memory.dmp

Filesize
24KB

Download
memory/3100-183-0x000000001CBF0000-0x000000001CBF4000-memory.dmp

Filesize
16KB

Download
memory/3452-209-0x00007FFAFA6A0000-0x00007FFAFB161000-memory.dmp

Filesize
10.8MB

Download
memory/3452-211-0x00007FFAFA6A0000-0x00007FFAFB161000-memory.dmp

Filesize
10.8MB

Download