dcrat | 1a659b2d6922bd1ea186c53148094c26733368e9099ea037a83912c02a59d410

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
31-05-2023 05:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a29004d57b0582196965b9344e0eb7b4.exe
Size

3.5MB
MD5

a29004d57b0582196965b9344e0eb7b4
SHA1

6e0ab8638b3559750dc40e4c23623552d84b5d8c
SHA256

1a659b2d6922bd1ea186c53148094c26733368e9099ea037a83912c02a59d410
SHA512

b097b10dcf833740b4bbd922a035c3658e51d8aeb6dd4f27ff1e8661da8c2ea47593e53b6400af5096943e6eebb27407c1c92b3ea2c10913150edad2f593b5b1
SSDEEP

98304:XFXg7GTzJBVeXbdAWTUjpI5q05tzpMpKcvA0T:XFw7CzgXRAh9O4K5m

Score

10^/10

dcrat evasion infostealer rat spyware stealer trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	1592	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1052	1592	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	756	1592	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	1592	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	1592	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1248	1592	schtasks.exe

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

containerSvc.exewininit.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	containerSvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	containerSvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	containerSvc.exe

DCRat payload 13 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\DCRE.exe	dcrat
C:\Users\Admin\AppData\Local\Temp\DCRE.exe	dcrat
C:\Users\Admin\AppData\Local\Temp\DCRE.exe	dcrat
C:\Users\Admin\AppData\Local\Temp\DCRE.exe	dcrat
\Users\Admin\AppData\Roaming\msMonitorDll\containerSvc.exe	dcrat
\Users\Admin\AppData\Roaming\msMonitorDll\containerSvc.exe	dcrat
C:\Users\Admin\AppData\Roaming\msMonitorDll\containerSvc.exe	dcrat
C:\Users\Admin\AppData\Roaming\msMonitorDll\containerSvc.exe	dcrat
behavioral1/memory/432-93-0x0000000000F20000-0x0000000001230000-memory.dmp	dcrat
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\wininit.exe	dcrat
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\wininit.exe	dcrat
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\wininit.exe	dcrat
behavioral1/memory/1732-135-0x0000000000990000-0x0000000000CA0000-memory.dmp	dcrat

Executes dropped EXE 5 IoCs

Processes:

DCRE.exeSLIPWARE.execontainerSvc.exewininit.exe

pid process

1920 DCRE.exe
1708 SLIPWARE.exe
432 containerSvc.exe
1212
1732 wininit.exe
Loads dropped DLL 5 IoCs

Processes:

a29004d57b0582196965b9344e0eb7b4.execmd.exe

pid process

2032 a29004d57b0582196965b9344e0eb7b4.exe
2032 a29004d57b0582196965b9344e0eb7b4.exe
300 cmd.exe
300 cmd.exe
1212
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1920	DCRE.exe
1708	SLIPWARE.exe
432	containerSvc.exe
1212
1732	wininit.exe

pid	process
2032	a29004d57b0582196965b9344e0eb7b4.exe
2032	a29004d57b0582196965b9344e0eb7b4.exe
300	cmd.exe
300	cmd.exe
1212

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

containerSvc.exewininit.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	containerSvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	containerSvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1248 schtasks.exe
1852 schtasks.exe
1052 schtasks.exe
756 schtasks.exe
1636 schtasks.exe
1496 schtasks.exe

pid	process
1248	schtasks.exe
1852	schtasks.exe
1052	schtasks.exe
756	schtasks.exe
1636	schtasks.exe
1496	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

SLIPWARE.execontainerSvc.exewininit.exe

pid	process
1708	SLIPWARE.exe
432	containerSvc.exe
432	containerSvc.exe
1708	SLIPWARE.exe
432	containerSvc.exe
432	containerSvc.exe
432	containerSvc.exe
1708	SLIPWARE.exe
1732	wininit.exe
1732	wininit.exe
1732	wininit.exe
1732	wininit.exe
1732	wininit.exe
1708	SLIPWARE.exe
1732	wininit.exe
1732	wininit.exe
1732	wininit.exe
1732	wininit.exe
1708	SLIPWARE.exe
1732	wininit.exe
1732	wininit.exe
1708	SLIPWARE.exe
1732	wininit.exe
1732	wininit.exe
1732	wininit.exe
1732	wininit.exe
1708	SLIPWARE.exe
1732	wininit.exe
1732	wininit.exe
1732	wininit.exe
1732	wininit.exe
1708	SLIPWARE.exe
1732	wininit.exe
1732	wininit.exe
1708	SLIPWARE.exe
1732	wininit.exe
1732	wininit.exe
1732	wininit.exe
1732	wininit.exe
1708	SLIPWARE.exe
1732	wininit.exe
1732	wininit.exe
1732	wininit.exe
1732	wininit.exe
1708	SLIPWARE.exe
1732	wininit.exe
1732	wininit.exe
1708	SLIPWARE.exe
1732	wininit.exe
1732	wininit.exe
1732	wininit.exe
1732	wininit.exe
1732	wininit.exe
1732	wininit.exe
1732	wininit.exe
1732	wininit.exe
1732	wininit.exe
1732	wininit.exe
1732	wininit.exe
1732	wininit.exe
1708	SLIPWARE.exe
1732	wininit.exe
1732	wininit.exe
1732	wininit.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

containerSvc.exeSLIPWARE.exewininit.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	432	containerSvc.exe
Token: SeDebugPrivilege	1708	SLIPWARE.exe
Token: SeDebugPrivilege	1732	wininit.exe
Token: SeBackupPrivilege	652	vssvc.exe
Token: SeRestorePrivilege	652	vssvc.exe
Token: SeAuditPrivilege	652	vssvc.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

a29004d57b0582196965b9344e0eb7b4.exeDCRE.exeWScript.execmd.execontainerSvc.exewininit.exe

description	pid	process	target process
PID 2032 wrote to memory of 1920	2032	a29004d57b0582196965b9344e0eb7b4.exe	DCRE.exe
PID 2032 wrote to memory of 1920	2032	a29004d57b0582196965b9344e0eb7b4.exe	DCRE.exe
PID 2032 wrote to memory of 1920	2032	a29004d57b0582196965b9344e0eb7b4.exe	DCRE.exe
PID 2032 wrote to memory of 1920	2032	a29004d57b0582196965b9344e0eb7b4.exe	DCRE.exe
PID 2032 wrote to memory of 1708	2032	a29004d57b0582196965b9344e0eb7b4.exe	SLIPWARE.exe
PID 2032 wrote to memory of 1708	2032	a29004d57b0582196965b9344e0eb7b4.exe	SLIPWARE.exe
PID 2032 wrote to memory of 1708	2032	a29004d57b0582196965b9344e0eb7b4.exe	SLIPWARE.exe
PID 2032 wrote to memory of 1708	2032	a29004d57b0582196965b9344e0eb7b4.exe	SLIPWARE.exe
PID 1920 wrote to memory of 608	1920	DCRE.exe	WScript.exe
PID 1920 wrote to memory of 608	1920	DCRE.exe	WScript.exe
PID 1920 wrote to memory of 608	1920	DCRE.exe	WScript.exe
PID 1920 wrote to memory of 608	1920	DCRE.exe	WScript.exe
PID 1920 wrote to memory of 296	1920	DCRE.exe	WScript.exe
PID 1920 wrote to memory of 296	1920	DCRE.exe	WScript.exe
PID 1920 wrote to memory of 296	1920	DCRE.exe	WScript.exe
PID 1920 wrote to memory of 296	1920	DCRE.exe	WScript.exe
PID 608 wrote to memory of 300	608	WScript.exe	cmd.exe
PID 608 wrote to memory of 300	608	WScript.exe	cmd.exe
PID 608 wrote to memory of 300	608	WScript.exe	cmd.exe
PID 608 wrote to memory of 300	608	WScript.exe	cmd.exe
PID 300 wrote to memory of 432	300	cmd.exe	containerSvc.exe
PID 300 wrote to memory of 432	300	cmd.exe	containerSvc.exe
PID 300 wrote to memory of 432	300	cmd.exe	containerSvc.exe
PID 300 wrote to memory of 432	300	cmd.exe	containerSvc.exe
PID 432 wrote to memory of 1732	432	containerSvc.exe	wininit.exe
PID 432 wrote to memory of 1732	432	containerSvc.exe	wininit.exe
PID 432 wrote to memory of 1732	432	containerSvc.exe	wininit.exe
PID 1732 wrote to memory of 572	1732	wininit.exe	WScript.exe
PID 1732 wrote to memory of 572	1732	wininit.exe	WScript.exe
PID 1732 wrote to memory of 572	1732	wininit.exe	WScript.exe
PID 1732 wrote to memory of 676	1732	wininit.exe	WScript.exe
PID 1732 wrote to memory of 676	1732	wininit.exe	WScript.exe
PID 1732 wrote to memory of 676	1732	wininit.exe	WScript.exe

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

Processes:

wininit.execontainerSvc.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	containerSvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	containerSvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	containerSvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\a29004d57b0582196965b9344e0eb7b4.exe
"C:\Users\Admin\AppData\Local\Temp\a29004d57b0582196965b9344e0eb7b4.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2032

C:\Users\Admin\AppData\Local\Temp\DCRE.exe
"C:\Users\Admin\AppData\Local\Temp\DCRE.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1920

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\msMonitorDll\OD39V0ZVybL6mpt7I8.vbe"
3⤵
- Suspicious use of WriteProcessMemory
PID:608

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Roaming\msMonitorDll\150EIi8HhNIkntcrdLIIm.bat" "
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:300

C:\Users\Admin\AppData\Roaming\msMonitorDll\containerSvc.exe
"C:\Users\Admin\AppData\Roaming\msMonitorDll\containerSvc.exe"
5⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:432

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\wininit.exe
"C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\wininit.exe"
6⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1732

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e5b2e41a-caf6-4dfd-9ac9-614a61c239a9.vbs"
7⤵
PID:572

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\03cfea42-a1cd-4d3a-8965-9d0a8a9e90f4.vbs"
7⤵
PID:676

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\msMonitorDll\file.vbs"
3⤵
PID:296

C:\Users\Admin\AppData\Local\Temp\SLIPWARE.exe
"C:\Users\Admin\AppData\Local\Temp\SLIPWARE.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1248

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:652

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\wininit.exe
Filesize
3.0MB

MD5
bc8ab70d4bf5934131878ca8bf79e792

SHA1
48cac83b05468b0061e3a9d7e7f44ce638216b8a

SHA256
29ce99327ec8f7141924a58bfde49c3875226ee606b32426fca613e4003e27aa

SHA512
31dc3b6fd4e88c365d9885914542598d47152a5155ebe529351ff51362a51363e5d318fee2e6e40021662db7ef591c58ad1ba42805cd1152268221f6b08f0d66

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\wininit.exe
Filesize
3.0MB

MD5
bc8ab70d4bf5934131878ca8bf79e792

SHA1
48cac83b05468b0061e3a9d7e7f44ce638216b8a

SHA256
29ce99327ec8f7141924a58bfde49c3875226ee606b32426fca613e4003e27aa

SHA512
31dc3b6fd4e88c365d9885914542598d47152a5155ebe529351ff51362a51363e5d318fee2e6e40021662db7ef591c58ad1ba42805cd1152268221f6b08f0d66

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\wininit.exe
Filesize
3.0MB

MD5
bc8ab70d4bf5934131878ca8bf79e792

SHA1
48cac83b05468b0061e3a9d7e7f44ce638216b8a

SHA256
29ce99327ec8f7141924a58bfde49c3875226ee606b32426fca613e4003e27aa

SHA512
31dc3b6fd4e88c365d9885914542598d47152a5155ebe529351ff51362a51363e5d318fee2e6e40021662db7ef591c58ad1ba42805cd1152268221f6b08f0d66

Download Submit
C:\Users\Admin\AppData\Local\Temp\03cfea42-a1cd-4d3a-8965-9d0a8a9e90f4.vbs
Filesize
526B

MD5
dddcb3dd6651080f7e89e168e06a8563

SHA1
eb750b02463e065d8908300d9b662d7859ce54f8

SHA256
bb13837344a066a4c37da414c4e8a7ed49f3b53f2b83699eae4e8c98986a8c24

SHA512
a7a8fdfc7db2547254d747c6772bf432d7ed52bfe65481d92255ccf49f6504eddd42f9a36cda78cb32141ec83d51641d75f6db64f4a22120ca7c561903327cc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\DCRE.exe
Filesize
3.3MB

MD5
13146f7d739a36053c50fbd0aa3e9d8d

SHA1
de10c9ff567a2413f3fc2ffbd3c9e95c8ce4160c

SHA256
f0aaba469aeda1a6dd59f9c235179e4e826ecbcf7ef02978984c99286d05aff6

SHA512
c1560fd025cb5278067540bf8b2a8bb419046e2c6998346946944f77816bc260f6f9bfc9716e9a91a606ed3b65b4ed605cd53e136e6201c9669f894b2738829d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DCRE.exe
Filesize
3.3MB

MD5
13146f7d739a36053c50fbd0aa3e9d8d

SHA1
de10c9ff567a2413f3fc2ffbd3c9e95c8ce4160c

SHA256
f0aaba469aeda1a6dd59f9c235179e4e826ecbcf7ef02978984c99286d05aff6

SHA512
c1560fd025cb5278067540bf8b2a8bb419046e2c6998346946944f77816bc260f6f9bfc9716e9a91a606ed3b65b4ed605cd53e136e6201c9669f894b2738829d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DCRE.exe
Filesize
3.3MB

MD5
13146f7d739a36053c50fbd0aa3e9d8d

SHA1
de10c9ff567a2413f3fc2ffbd3c9e95c8ce4160c

SHA256
f0aaba469aeda1a6dd59f9c235179e4e826ecbcf7ef02978984c99286d05aff6

SHA512
c1560fd025cb5278067540bf8b2a8bb419046e2c6998346946944f77816bc260f6f9bfc9716e9a91a606ed3b65b4ed605cd53e136e6201c9669f894b2738829d

Download Submit
C:\Users\Admin\AppData\Local\Temp\SLIPWARE.exe
Filesize
563KB

MD5
6a0aa70c2ae786f560c7261c5c5f34b0

SHA1
42cf55d6070e88f12870aa78c0bf19d72c68fa5d

SHA256
0df25151605d6aaa9be8b371af6edc0f36d6620243a0c94495d21d4fe6951bf9

SHA512
58369aee426de92eafa2607eb05665134991850e2727c185f0b20654e513e3ea27dc38c0af5c967ce14a9c79dd6b31c68794496f75f7d4a74beb177162b92cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\SLIPWARE.exe
Filesize
563KB

MD5
6a0aa70c2ae786f560c7261c5c5f34b0

SHA1
42cf55d6070e88f12870aa78c0bf19d72c68fa5d

SHA256
0df25151605d6aaa9be8b371af6edc0f36d6620243a0c94495d21d4fe6951bf9

SHA512
58369aee426de92eafa2607eb05665134991850e2727c185f0b20654e513e3ea27dc38c0af5c967ce14a9c79dd6b31c68794496f75f7d4a74beb177162b92cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\e5b2e41a-caf6-4dfd-9ac9-614a61c239a9.vbs
Filesize
750B

MD5
5e0257e412ac5c9e680a6456586e7e2c

SHA1
79076c57ed79a122710c39fc5b378ccd13bfb0bf

SHA256
8331dfb73b5747e08b9b18603e98e8fce0293ffd5653e19d4b0b0d4a09ae5593

SHA512
be91b83aa8e8556e5f9187daa9d4a7bec43b3a0f1a4f645d8e93d17f0e38539a3b05caaebf118c0529dd67c2deeb707c9d8b4513846400b15ffdb1257eb4583c

Download Submit
C:\Users\Admin\AppData\Roaming\msMonitorDll\150EIi8HhNIkntcrdLIIm.bat
Filesize
41B

MD5
6daccbefb453cde7378d378574cc9c7b

SHA1
92b2145db1421878ffbdad18ba046247b2a4b159

SHA256
6a770c19c51d3806aedcff4d99c12b2e74e979050d68ea84c17adf5f10684041

SHA512
7cbbed8110e59c03aedbac23c8a85c4afac7c1671b36bb1a0947b3bcb1e35305cc8dd75104993d07de18c385a73840caa3a7ca2d2e5e8d444dcf56f420104308

Download Submit
C:\Users\Admin\AppData\Roaming\msMonitorDll\OD39V0ZVybL6mpt7I8.vbe
Filesize
217B

MD5
e176c5bbb3e43b082a130d9b7af304c8

SHA1
cde44f62e6a436279028c7009833b8daf5171476

SHA256
f188560cf6c0b289e72f5d142d22f7b52b856928769a09acae5464671b54e84a

SHA512
95ec5a92acbbf337ff2519ac511fba3fe1cc56c8baa4c283e130ea2550b275b8b42c65f773d3fbe5f900f08fb788117b1d3e22574cf09210ada4224077455dbe

Download Submit
C:\Users\Admin\AppData\Roaming\msMonitorDll\containerSvc.exe
Filesize
3.0MB

MD5
bc8ab70d4bf5934131878ca8bf79e792

SHA1
48cac83b05468b0061e3a9d7e7f44ce638216b8a

SHA256
29ce99327ec8f7141924a58bfde49c3875226ee606b32426fca613e4003e27aa

SHA512
31dc3b6fd4e88c365d9885914542598d47152a5155ebe529351ff51362a51363e5d318fee2e6e40021662db7ef591c58ad1ba42805cd1152268221f6b08f0d66

Download Submit
C:\Users\Admin\AppData\Roaming\msMonitorDll\containerSvc.exe
Filesize
3.0MB

MD5
bc8ab70d4bf5934131878ca8bf79e792

SHA1
48cac83b05468b0061e3a9d7e7f44ce638216b8a

SHA256
29ce99327ec8f7141924a58bfde49c3875226ee606b32426fca613e4003e27aa

SHA512
31dc3b6fd4e88c365d9885914542598d47152a5155ebe529351ff51362a51363e5d318fee2e6e40021662db7ef591c58ad1ba42805cd1152268221f6b08f0d66

Download Submit
C:\Users\Admin\AppData\Roaming\msMonitorDll\file.vbs
Filesize
34B

MD5
677cc4360477c72cb0ce00406a949c61

SHA1
b679e8c3427f6c5fc47c8ac46cd0e56c9424de05

SHA256
f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b

SHA512
7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a

Download Submit
\Users\Admin\AppData\Local\Temp\DCRE.exe
Filesize
3.3MB

MD5
13146f7d739a36053c50fbd0aa3e9d8d

SHA1
de10c9ff567a2413f3fc2ffbd3c9e95c8ce4160c

SHA256
f0aaba469aeda1a6dd59f9c235179e4e826ecbcf7ef02978984c99286d05aff6

SHA512
c1560fd025cb5278067540bf8b2a8bb419046e2c6998346946944f77816bc260f6f9bfc9716e9a91a606ed3b65b4ed605cd53e136e6201c9669f894b2738829d

Download Submit
\Users\Admin\AppData\Local\Temp\SLIPWARE.exe
Filesize
563KB

MD5
6a0aa70c2ae786f560c7261c5c5f34b0

SHA1
42cf55d6070e88f12870aa78c0bf19d72c68fa5d

SHA256
0df25151605d6aaa9be8b371af6edc0f36d6620243a0c94495d21d4fe6951bf9

SHA512
58369aee426de92eafa2607eb05665134991850e2727c185f0b20654e513e3ea27dc38c0af5c967ce14a9c79dd6b31c68794496f75f7d4a74beb177162b92cb4

Download Submit
\Users\Admin\AppData\Local\Temp\SLIPWARE.exe
Filesize
563KB

MD5
6a0aa70c2ae786f560c7261c5c5f34b0

SHA1
42cf55d6070e88f12870aa78c0bf19d72c68fa5d

SHA256
0df25151605d6aaa9be8b371af6edc0f36d6620243a0c94495d21d4fe6951bf9

SHA512
58369aee426de92eafa2607eb05665134991850e2727c185f0b20654e513e3ea27dc38c0af5c967ce14a9c79dd6b31c68794496f75f7d4a74beb177162b92cb4

Download Submit
\Users\Admin\AppData\Local\Temp\SLIPWARE.exe
Filesize
563KB

MD5
6a0aa70c2ae786f560c7261c5c5f34b0

SHA1
42cf55d6070e88f12870aa78c0bf19d72c68fa5d

SHA256
0df25151605d6aaa9be8b371af6edc0f36d6620243a0c94495d21d4fe6951bf9

SHA512
58369aee426de92eafa2607eb05665134991850e2727c185f0b20654e513e3ea27dc38c0af5c967ce14a9c79dd6b31c68794496f75f7d4a74beb177162b92cb4

Download Submit
\Users\Admin\AppData\Roaming\msMonitorDll\containerSvc.exe
Filesize
3.0MB

MD5
bc8ab70d4bf5934131878ca8bf79e792

SHA1
48cac83b05468b0061e3a9d7e7f44ce638216b8a

SHA256
29ce99327ec8f7141924a58bfde49c3875226ee606b32426fca613e4003e27aa

SHA512
31dc3b6fd4e88c365d9885914542598d47152a5155ebe529351ff51362a51363e5d318fee2e6e40021662db7ef591c58ad1ba42805cd1152268221f6b08f0d66

Download Submit
\Users\Admin\AppData\Roaming\msMonitorDll\containerSvc.exe
Filesize
3.0MB

MD5
bc8ab70d4bf5934131878ca8bf79e792

SHA1
48cac83b05468b0061e3a9d7e7f44ce638216b8a

SHA256
29ce99327ec8f7141924a58bfde49c3875226ee606b32426fca613e4003e27aa

SHA512
31dc3b6fd4e88c365d9885914542598d47152a5155ebe529351ff51362a51363e5d318fee2e6e40021662db7ef591c58ad1ba42805cd1152268221f6b08f0d66

Download Submit
memory/432-123-0x0000000000EE0000-0x0000000000EEC000-memory.dmp

Filesize
48KB

Download
memory/432-117-0x0000000000E80000-0x0000000000E8C000-memory.dmp

Filesize
48KB

Download
memory/432-93-0x0000000000F20000-0x0000000001230000-memory.dmp

Filesize
3.1MB

Download
memory/432-97-0x00000000001D0000-0x00000000001DE000-memory.dmp

Filesize
56KB

Download
memory/432-98-0x00000000001E0000-0x00000000001E8000-memory.dmp

Filesize
32KB

Download
memory/432-99-0x0000000000590000-0x00000000005AC000-memory.dmp

Filesize
112KB

Download
memory/432-100-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download
memory/432-101-0x00000000007C0000-0x00000000007D6000-memory.dmp

Filesize
88KB

Download
memory/432-102-0x0000000000500000-0x0000000000508000-memory.dmp

Filesize
32KB

Download
memory/432-103-0x00000000007E0000-0x00000000007F2000-memory.dmp

Filesize
72KB

Download
memory/432-104-0x0000000000A10000-0x0000000000A20000-memory.dmp

Filesize
64KB

Download
memory/432-105-0x00000000007F0000-0x00000000007FA000-memory.dmp

Filesize
40KB

Download
memory/432-107-0x0000000000AE0000-0x0000000000B36000-memory.dmp

Filesize
344KB

Download
memory/432-124-0x0000000000EF0000-0x0000000000EFC000-memory.dmp

Filesize
48KB

Download
memory/432-122-0x0000000000ED0000-0x0000000000ED8000-memory.dmp

Filesize
32KB

Download
memory/432-121-0x0000000000EC0000-0x0000000000ECE000-memory.dmp

Filesize
56KB

Download
memory/432-120-0x0000000000EB0000-0x0000000000EB8000-memory.dmp

Filesize
32KB

Download
memory/432-111-0x0000000000A20000-0x0000000000A2C000-memory.dmp

Filesize
48KB

Download
memory/432-112-0x0000000000A30000-0x0000000000A38000-memory.dmp

Filesize
32KB

Download
memory/432-113-0x0000000000A40000-0x0000000000A52000-memory.dmp

Filesize
72KB

Download
memory/432-114-0x0000000000A50000-0x0000000000A58000-memory.dmp

Filesize
32KB

Download
memory/432-115-0x0000000000B50000-0x0000000000B5C000-memory.dmp

Filesize
48KB

Download
memory/432-116-0x0000000000E70000-0x0000000000E78000-memory.dmp

Filesize
32KB

Download
memory/432-94-0x000000001B160000-0x000000001B1E0000-memory.dmp

Filesize
512KB

Download
memory/432-118-0x0000000000E90000-0x0000000000E9A000-memory.dmp

Filesize
40KB

Download
memory/432-119-0x0000000000EA0000-0x0000000000EAE000-memory.dmp

Filesize
56KB

Download
memory/1708-149-0x0000000000710000-0x000000000071A000-memory.dmp

Filesize
40KB

Download
memory/1708-108-0x000000001ACF0000-0x000000001ACF1000-memory.dmp

Filesize
4KB

Download
memory/1708-83-0x0000000000F50000-0x0000000000FD0000-memory.dmp

Filesize
512KB

Download
memory/1708-87-0x0000000000710000-0x000000000071A000-memory.dmp

Filesize
40KB

Download
memory/1708-106-0x0000000000F50000-0x0000000000FD0000-memory.dmp

Filesize
512KB

Download
memory/1708-86-0x0000000000710000-0x000000000071A000-memory.dmp

Filesize
40KB

Download
memory/1708-85-0x00000000006F0000-0x000000000070A000-memory.dmp

Filesize
104KB

Download
memory/1708-84-0x00000000006E0000-0x00000000006EE000-memory.dmp

Filesize
56KB

Download
memory/1708-69-0x0000000000FD0000-0x0000000001062000-memory.dmp

Filesize
584KB

Download
memory/1708-152-0x0000000000F50000-0x0000000000FD0000-memory.dmp

Filesize
512KB

Download
memory/1708-151-0x0000000000F50000-0x0000000000FD0000-memory.dmp

Filesize
512KB

Download
memory/1708-109-0x0000000000F50000-0x0000000000FD0000-memory.dmp

Filesize
512KB

Download
memory/1708-150-0x0000000000F50000-0x0000000000FD0000-memory.dmp

Filesize
512KB

Download
memory/1708-147-0x0000000000F50000-0x0000000000FD0000-memory.dmp

Filesize
512KB

Download
memory/1708-148-0x0000000000710000-0x000000000071A000-memory.dmp

Filesize
40KB

Download
memory/1708-110-0x0000000000F50000-0x0000000000FD0000-memory.dmp

Filesize
512KB

Download
memory/1732-135-0x0000000000990000-0x0000000000CA0000-memory.dmp

Filesize
3.1MB

Download
memory/1732-178-0x000000001B140000-0x000000001B1C0000-memory.dmp

Filesize
512KB

Download
memory/1732-136-0x000000001B140000-0x000000001B1C0000-memory.dmp

Filesize
512KB

Download
memory/1732-153-0x000000001B140000-0x000000001B1C0000-memory.dmp

Filesize
512KB

Download
memory/1732-159-0x000000001B140000-0x000000001B1C0000-memory.dmp

Filesize
512KB

Download
memory/1732-137-0x0000000000980000-0x0000000000992000-memory.dmp

Filesize
72KB

Download