dcrat | 1a659b2d6922bd1ea186c53148094c26733368e9099ea037a83912c02a59d410

Analysis

max time kernel
149s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
31-05-2023 06:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02357599.exe
Size

3.5MB
MD5

a29004d57b0582196965b9344e0eb7b4
SHA1

6e0ab8638b3559750dc40e4c23623552d84b5d8c
SHA256

1a659b2d6922bd1ea186c53148094c26733368e9099ea037a83912c02a59d410
SHA512

b097b10dcf833740b4bbd922a035c3658e51d8aeb6dd4f27ff1e8661da8c2ea47593e53b6400af5096943e6eebb27407c1c92b3ea2c10913150edad2f593b5b1
SSDEEP

98304:XFXg7GTzJBVeXbdAWTUjpI5q05tzpMpKcvA0T:XFw7CzgXRAh9O4K5m

Score

10^/10

dcrat evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	2484	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2448	2484	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3104	2484	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	2484	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2484	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	2484	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	2484	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3344	2484	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3340	2484	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3200	2484	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1172	2484	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1188	2484	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3604	2484	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4292	2484	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	2484	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4888	2484	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	640	2484	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4300	2484	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4860	2484	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4808	2484	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1192	2484	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	436	2484	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1044	2484	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	2484	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	828	2484	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	2484	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4680	2484	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5080	2484	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	2484	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	2484	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3832	2484	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3872	2484	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	2484	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3772	2484	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	2484	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1292	2484	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	208	2484	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	232	2484	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3972	2484	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4780	2484	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3704	2484	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4424	2484	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	2484	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	2484	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4528	2484	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4024	2484	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4104	2484	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	2484	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4132	2484	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	2484	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2484	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4484	2484	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1328	2484	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4752	2484	schtasks.exe

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

containerSvc.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	containerSvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	containerSvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	containerSvc.exe

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\DCRE.exe	dcrat
C:\Users\Admin\AppData\Local\Temp\DCRE.exe	dcrat
C:\Users\Admin\AppData\Local\Temp\DCRE.exe	dcrat
C:\Users\Admin\AppData\Roaming\msMonitorDll\containerSvc.exe	dcrat
C:\Users\Admin\AppData\Roaming\msMonitorDll\containerSvc.exe	dcrat
behavioral2/memory/2044-180-0x0000000000CC0000-0x0000000000FD0000-memory.dmp	dcrat
C:\Recovery\WindowsRE\dllhost.exe	dcrat
C:\Windows\Containers\serviced\SLIPWARE.exe	dcrat
C:\Windows\Containers\serviced\SLIPWARE.exe	dcrat

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

02357599.exeDCRE.exeWScript.execontainerSvc.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	02357599.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	DCRE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	containerSvc.exe

Executes dropped EXE 4 IoCs

Processes:

DCRE.exeSLIPWARE.execontainerSvc.exeSLIPWARE.exe

pid process

4600 DCRE.exe
2248 SLIPWARE.exe
2044 containerSvc.exe
1188 SLIPWARE.exe

pid	process
4600	DCRE.exe
2248	SLIPWARE.exe
2044	containerSvc.exe
1188	SLIPWARE.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

containerSvc.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	containerSvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	containerSvc.exe

Drops file in Program Files directory 10 IoCs

Processes:

containerSvc.exe

description	ioc	process
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\StartMenuExperienceHost.exe	containerSvc.exe
File created	C:\Program Files\Windows Security\csrss.exe	containerSvc.exe
File created	C:\Program Files\Windows Security\886983d96e3d3e	containerSvc.exe
File created	C:\Program Files\7-Zip\ea9f0e6c9e2dcd	containerSvc.exe
File created	C:\Program Files\7-Zip\taskhostw.exe	containerSvc.exe
File created	C:\Program Files\WindowsPowerShell\Configuration\Registration\csrss.exe	containerSvc.exe
File created	C:\Program Files\WindowsPowerShell\Configuration\Registration\886983d96e3d3e	containerSvc.exe
File created	C:\Program Files\VideoLAN\wscript.exe	containerSvc.exe
File created	C:\Program Files\VideoLAN\817c8c8ec737a7	containerSvc.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\55b276f4edf653	containerSvc.exe

Drops file in Windows directory 6 IoCs

Processes:

containerSvc.exe

description	ioc	process
File created	C:\Windows\SchCache\Idle.exe	containerSvc.exe
File created	C:\Windows\SchCache\6ccacd8608530f	containerSvc.exe
File created	C:\Windows\Vss\dllhost.exe	containerSvc.exe
File created	C:\Windows\Vss\5940a34987c991	containerSvc.exe
File created	C:\Windows\Containers\serviced\SLIPWARE.exe	containerSvc.exe
File created	C:\Windows\Containers\serviced\03d1d7421cd9bb	containerSvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
208	schtasks.exe
2216	schtasks.exe
4888	schtasks.exe
3704	schtasks.exe
1172	schtasks.exe
1188	schtasks.exe
4292	schtasks.exe
3604	schtasks.exe
4024	schtasks.exe
3104	schtasks.exe
3344	schtasks.exe
5080	schtasks.exe
4424	schtasks.exe
1536	schtasks.exe
1608	schtasks.exe
1724	schtasks.exe
3832	schtasks.exe
1484	schtasks.exe
2656	schtasks.exe
3200	schtasks.exe
1192	schtasks.exe
828	schtasks.exe
1292	schtasks.exe
640	schtasks.exe
2232	schtasks.exe
2928	schtasks.exe
1044	schtasks.exe
1964	schtasks.exe
1932	schtasks.exe
1936	schtasks.exe
4808	schtasks.exe
3972	schtasks.exe
3772	schtasks.exe
4484	schtasks.exe
2868	schtasks.exe
2132	schtasks.exe
2752	schtasks.exe
3872	schtasks.exe
4104	schtasks.exe
2448	schtasks.exe
4860	schtasks.exe
4680	schtasks.exe
4780	schtasks.exe
4752	schtasks.exe
1628	schtasks.exe
232	schtasks.exe
4528	schtasks.exe
4132	schtasks.exe
1328	schtasks.exe
2768	schtasks.exe
3340	schtasks.exe
436	schtasks.exe
2312	schtasks.exe
4300	schtasks.exe

Modifies registry class 2 IoCs

Processes:

containerSvc.exeDCRE.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings	containerSvc.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings	DCRE.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

SLIPWARE.execontainerSvc.exe

pid	process
2248	SLIPWARE.exe
2248	SLIPWARE.exe
2248	SLIPWARE.exe
2044	containerSvc.exe
2044	containerSvc.exe
2044	containerSvc.exe
2044	containerSvc.exe
2044	containerSvc.exe
2248	SLIPWARE.exe
2044	containerSvc.exe
2044	containerSvc.exe
2044	containerSvc.exe
2044	containerSvc.exe
2044	containerSvc.exe
2044	containerSvc.exe
2044	containerSvc.exe
2044	containerSvc.exe
2044	containerSvc.exe
2044	containerSvc.exe
2044	containerSvc.exe
2248	SLIPWARE.exe
2248	SLIPWARE.exe
2044	containerSvc.exe
2044	containerSvc.exe
2044	containerSvc.exe
2044	containerSvc.exe
2044	containerSvc.exe
2044	containerSvc.exe
2248	SLIPWARE.exe
2044	containerSvc.exe
2044	containerSvc.exe
2044	containerSvc.exe
2044	containerSvc.exe
2044	containerSvc.exe
2044	containerSvc.exe
2248	SLIPWARE.exe
2044	containerSvc.exe
2044	containerSvc.exe
2044	containerSvc.exe
2044	containerSvc.exe
2044	containerSvc.exe
2044	containerSvc.exe
2248	SLIPWARE.exe
2044	containerSvc.exe
2044	containerSvc.exe
2044	containerSvc.exe
2044	containerSvc.exe
2044	containerSvc.exe
2044	containerSvc.exe
2248	SLIPWARE.exe
2044	containerSvc.exe
2044	containerSvc.exe
2044	containerSvc.exe
2044	containerSvc.exe
2044	containerSvc.exe
2044	containerSvc.exe
2248	SLIPWARE.exe
2044	containerSvc.exe
2044	containerSvc.exe
2044	containerSvc.exe
2044	containerSvc.exe
2248	SLIPWARE.exe
2044	containerSvc.exe
2044	containerSvc.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

SLIPWARE.execontainerSvc.exeSLIPWARE.exe

description pid process

Token: SeDebugPrivilege 2248 SLIPWARE.exe
Token: SeDebugPrivilege 2044 containerSvc.exe
Token: SeDebugPrivilege 1188 SLIPWARE.exe

description	pid	process
Token: SeDebugPrivilege	2248	SLIPWARE.exe
Token: SeDebugPrivilege	2044	containerSvc.exe
Token: SeDebugPrivilege	1188	SLIPWARE.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

02357599.exeDCRE.exeWScript.execmd.execontainerSvc.execmd.exe

description	pid	process	target process
PID 1600 wrote to memory of 4600	1600	02357599.exe	DCRE.exe
PID 1600 wrote to memory of 4600	1600	02357599.exe	DCRE.exe
PID 1600 wrote to memory of 4600	1600	02357599.exe	DCRE.exe
PID 1600 wrote to memory of 2248	1600	02357599.exe	SLIPWARE.exe
PID 1600 wrote to memory of 2248	1600	02357599.exe	SLIPWARE.exe
PID 4600 wrote to memory of 4152	4600	DCRE.exe	WScript.exe
PID 4600 wrote to memory of 4152	4600	DCRE.exe	WScript.exe
PID 4600 wrote to memory of 4152	4600	DCRE.exe	WScript.exe
PID 4600 wrote to memory of 4640	4600	DCRE.exe	WScript.exe
PID 4600 wrote to memory of 4640	4600	DCRE.exe	WScript.exe
PID 4600 wrote to memory of 4640	4600	DCRE.exe	WScript.exe
PID 4152 wrote to memory of 988	4152	WScript.exe	cmd.exe
PID 4152 wrote to memory of 988	4152	WScript.exe	cmd.exe
PID 4152 wrote to memory of 988	4152	WScript.exe	cmd.exe
PID 988 wrote to memory of 2044	988	cmd.exe	containerSvc.exe
PID 988 wrote to memory of 2044	988	cmd.exe	containerSvc.exe
PID 2044 wrote to memory of 5044	2044	containerSvc.exe	cmd.exe
PID 2044 wrote to memory of 5044	2044	containerSvc.exe	cmd.exe
PID 5044 wrote to memory of 2336	5044	cmd.exe	w32tm.exe
PID 5044 wrote to memory of 2336	5044	cmd.exe	w32tm.exe
PID 5044 wrote to memory of 1188	5044	cmd.exe	SLIPWARE.exe
PID 5044 wrote to memory of 1188	5044	cmd.exe	SLIPWARE.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

containerSvc.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	containerSvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	containerSvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	containerSvc.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\02357599.exe
"C:\Users\Admin\AppData\Local\Temp\02357599.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1600

C:\Users\Admin\AppData\Local\Temp\DCRE.exe
"C:\Users\Admin\AppData\Local\Temp\DCRE.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4600

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\msMonitorDll\OD39V0ZVybL6mpt7I8.vbe"
3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4152

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\msMonitorDll\150EIi8HhNIkntcrdLIIm.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:988

C:\Users\Admin\AppData\Roaming\msMonitorDll\containerSvc.exe
"C:\Users\Admin\AppData\Roaming\msMonitorDll\containerSvc.exe"
5⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2044

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TsTCUT9uM4.bat"
6⤵
- Suspicious use of WriteProcessMemory
PID:5044

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
7⤵
PID:2336

C:\Windows\Containers\serviced\SLIPWARE.exe
"C:\Windows\Containers\serviced\SLIPWARE.exe"
7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1188

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\msMonitorDll\file.vbs"
3⤵
PID:4640

C:\Users\Admin\AppData\Local\Temp\SLIPWARE.exe
"C:\Users\Admin\AppData\Local\Temp\SLIPWARE.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Music\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Users\Public\Music\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Music\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Windows\Vss\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Vss\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Windows\Vss\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Registration\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Configuration\Registration\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Registration\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 10 /tr "'C:\Program Files\VideoLAN\wscript.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\wscript.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 5 /tr "'C:\Program Files\VideoLAN\wscript.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\odt\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SLIPWARES" /sc MINUTE /mo 13 /tr "'C:\Windows\Containers\serviced\SLIPWARE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SLIPWARE" /sc ONLOGON /tr "'C:\Windows\Containers\serviced\SLIPWARE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SLIPWARES" /sc MINUTE /mo 5 /tr "'C:\Windows\Containers\serviced\SLIPWARE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Security\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Security\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Security\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\odt\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\odt\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\odt\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\odt\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\odt\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\odt\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\odt\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Windows\SchCache\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\SchCache\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Windows\SchCache\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Program Files\7-Zip\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\7-Zip\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Program Files\7-Zip\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Videos\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Admin\Videos\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Videos\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4752

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\dllhost.exe
Filesize
3.0MB

MD5
bc8ab70d4bf5934131878ca8bf79e792

SHA1
48cac83b05468b0061e3a9d7e7f44ce638216b8a

SHA256
29ce99327ec8f7141924a58bfde49c3875226ee606b32426fca613e4003e27aa

SHA512
31dc3b6fd4e88c365d9885914542598d47152a5155ebe529351ff51362a51363e5d318fee2e6e40021662db7ef591c58ad1ba42805cd1152268221f6b08f0d66

Download Submit
C:\Users\Admin\AppData\Local\Temp\DCRE.exe
Filesize
3.3MB

MD5
13146f7d739a36053c50fbd0aa3e9d8d

SHA1
de10c9ff567a2413f3fc2ffbd3c9e95c8ce4160c

SHA256
f0aaba469aeda1a6dd59f9c235179e4e826ecbcf7ef02978984c99286d05aff6

SHA512
c1560fd025cb5278067540bf8b2a8bb419046e2c6998346946944f77816bc260f6f9bfc9716e9a91a606ed3b65b4ed605cd53e136e6201c9669f894b2738829d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DCRE.exe
Filesize
3.3MB

MD5
13146f7d739a36053c50fbd0aa3e9d8d

SHA1
de10c9ff567a2413f3fc2ffbd3c9e95c8ce4160c

SHA256
f0aaba469aeda1a6dd59f9c235179e4e826ecbcf7ef02978984c99286d05aff6

SHA512
c1560fd025cb5278067540bf8b2a8bb419046e2c6998346946944f77816bc260f6f9bfc9716e9a91a606ed3b65b4ed605cd53e136e6201c9669f894b2738829d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DCRE.exe
Filesize
3.3MB

MD5
13146f7d739a36053c50fbd0aa3e9d8d

SHA1
de10c9ff567a2413f3fc2ffbd3c9e95c8ce4160c

SHA256
f0aaba469aeda1a6dd59f9c235179e4e826ecbcf7ef02978984c99286d05aff6

SHA512
c1560fd025cb5278067540bf8b2a8bb419046e2c6998346946944f77816bc260f6f9bfc9716e9a91a606ed3b65b4ed605cd53e136e6201c9669f894b2738829d

Download Submit
C:\Users\Admin\AppData\Local\Temp\SLIPWARE.exe
Filesize
563KB

MD5
6a0aa70c2ae786f560c7261c5c5f34b0

SHA1
42cf55d6070e88f12870aa78c0bf19d72c68fa5d

SHA256
0df25151605d6aaa9be8b371af6edc0f36d6620243a0c94495d21d4fe6951bf9

SHA512
58369aee426de92eafa2607eb05665134991850e2727c185f0b20654e513e3ea27dc38c0af5c967ce14a9c79dd6b31c68794496f75f7d4a74beb177162b92cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\SLIPWARE.exe
Filesize
563KB

MD5
6a0aa70c2ae786f560c7261c5c5f34b0

SHA1
42cf55d6070e88f12870aa78c0bf19d72c68fa5d

SHA256
0df25151605d6aaa9be8b371af6edc0f36d6620243a0c94495d21d4fe6951bf9

SHA512
58369aee426de92eafa2607eb05665134991850e2727c185f0b20654e513e3ea27dc38c0af5c967ce14a9c79dd6b31c68794496f75f7d4a74beb177162b92cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\SLIPWARE.exe
Filesize
563KB

MD5
6a0aa70c2ae786f560c7261c5c5f34b0

SHA1
42cf55d6070e88f12870aa78c0bf19d72c68fa5d

SHA256
0df25151605d6aaa9be8b371af6edc0f36d6620243a0c94495d21d4fe6951bf9

SHA512
58369aee426de92eafa2607eb05665134991850e2727c185f0b20654e513e3ea27dc38c0af5c967ce14a9c79dd6b31c68794496f75f7d4a74beb177162b92cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\TsTCUT9uM4.bat
Filesize
208B

MD5
4cb9655990842a9dece956128505ac20

SHA1
f75f28f081391f097cd24a0ff2c87bca417d9fea

SHA256
23d7e9ac3479e00efea16373ea9375eade8545d8f08b810a74663b19b58d62e0

SHA512
7cd0e0229226d0ca5d05ecebf9e2f7481591ead7f16c7e70afa3090f4448a30efc1766bf82209d07a5cc4ed1ad97184bbe886776a5bd08acd7f3a56f4387e250

Download Submit
C:\Users\Admin\AppData\Roaming\msMonitorDll\150EIi8HhNIkntcrdLIIm.bat
Filesize
41B

MD5
6daccbefb453cde7378d378574cc9c7b

SHA1
92b2145db1421878ffbdad18ba046247b2a4b159

SHA256
6a770c19c51d3806aedcff4d99c12b2e74e979050d68ea84c17adf5f10684041

SHA512
7cbbed8110e59c03aedbac23c8a85c4afac7c1671b36bb1a0947b3bcb1e35305cc8dd75104993d07de18c385a73840caa3a7ca2d2e5e8d444dcf56f420104308

Download Submit
C:\Users\Admin\AppData\Roaming\msMonitorDll\OD39V0ZVybL6mpt7I8.vbe
Filesize
217B

MD5
e176c5bbb3e43b082a130d9b7af304c8

SHA1
cde44f62e6a436279028c7009833b8daf5171476

SHA256
f188560cf6c0b289e72f5d142d22f7b52b856928769a09acae5464671b54e84a

SHA512
95ec5a92acbbf337ff2519ac511fba3fe1cc56c8baa4c283e130ea2550b275b8b42c65f773d3fbe5f900f08fb788117b1d3e22574cf09210ada4224077455dbe

Download Submit
C:\Users\Admin\AppData\Roaming\msMonitorDll\containerSvc.exe
Filesize
3.0MB

MD5
bc8ab70d4bf5934131878ca8bf79e792

SHA1
48cac83b05468b0061e3a9d7e7f44ce638216b8a

SHA256
29ce99327ec8f7141924a58bfde49c3875226ee606b32426fca613e4003e27aa

SHA512
31dc3b6fd4e88c365d9885914542598d47152a5155ebe529351ff51362a51363e5d318fee2e6e40021662db7ef591c58ad1ba42805cd1152268221f6b08f0d66

Download Submit
C:\Users\Admin\AppData\Roaming\msMonitorDll\containerSvc.exe
Filesize
3.0MB

MD5
bc8ab70d4bf5934131878ca8bf79e792

SHA1
48cac83b05468b0061e3a9d7e7f44ce638216b8a

SHA256
29ce99327ec8f7141924a58bfde49c3875226ee606b32426fca613e4003e27aa

SHA512
31dc3b6fd4e88c365d9885914542598d47152a5155ebe529351ff51362a51363e5d318fee2e6e40021662db7ef591c58ad1ba42805cd1152268221f6b08f0d66

Download Submit
C:\Users\Admin\AppData\Roaming\msMonitorDll\file.vbs
Filesize
34B

MD5
677cc4360477c72cb0ce00406a949c61

SHA1
b679e8c3427f6c5fc47c8ac46cd0e56c9424de05

SHA256
f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b

SHA512
7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a

Download Submit
C:\Windows\Containers\serviced\SLIPWARE.exe
Filesize
3.0MB

MD5
bc8ab70d4bf5934131878ca8bf79e792

SHA1
48cac83b05468b0061e3a9d7e7f44ce638216b8a

SHA256
29ce99327ec8f7141924a58bfde49c3875226ee606b32426fca613e4003e27aa

SHA512
31dc3b6fd4e88c365d9885914542598d47152a5155ebe529351ff51362a51363e5d318fee2e6e40021662db7ef591c58ad1ba42805cd1152268221f6b08f0d66

Download Submit
C:\Windows\Containers\serviced\SLIPWARE.exe
Filesize
3.0MB

MD5
bc8ab70d4bf5934131878ca8bf79e792

SHA1
48cac83b05468b0061e3a9d7e7f44ce638216b8a

SHA256
29ce99327ec8f7141924a58bfde49c3875226ee606b32426fca613e4003e27aa

SHA512
31dc3b6fd4e88c365d9885914542598d47152a5155ebe529351ff51362a51363e5d318fee2e6e40021662db7ef591c58ad1ba42805cd1152268221f6b08f0d66

Download Submit
memory/1188-233-0x0000000002F20000-0x0000000002F30000-memory.dmp

Filesize
64KB

Download
memory/2044-181-0x000000001BB70000-0x000000001BB80000-memory.dmp

Filesize
64KB

Download
memory/2044-229-0x000000001BB70000-0x000000001BB80000-memory.dmp

Filesize
64KB

Download
memory/2044-183-0x000000001C920000-0x000000001CE48000-memory.dmp

Filesize
5.2MB

Download
memory/2044-182-0x000000001BB10000-0x000000001BB60000-memory.dmp

Filesize
320KB

Download
memory/2044-180-0x0000000000CC0000-0x0000000000FD0000-memory.dmp

Filesize
3.1MB

Download
memory/2248-170-0x00000299CA3E0000-0x00000299CA3E8000-memory.dmp

Filesize
32KB

Download
memory/2248-169-0x00000299E2CD0000-0x00000299E2CE0000-memory.dmp

Filesize
64KB

Download
memory/2248-172-0x00000299CA3F0000-0x00000299CA3FE000-memory.dmp

Filesize
56KB

Download
memory/2248-168-0x00000299CA3C0000-0x00000299CA3DA000-memory.dmp

Filesize
104KB

Download
memory/2248-153-0x00000299C8720000-0x00000299C87B2000-memory.dmp

Filesize
584KB

Download
memory/2248-225-0x00000299E2CD0000-0x00000299E2CE0000-memory.dmp

Filesize
64KB

Download
memory/2248-226-0x00000299E2CD0000-0x00000299E2CE0000-memory.dmp

Filesize
64KB

Download
memory/2248-227-0x00000299E2CD0000-0x00000299E2CE0000-memory.dmp

Filesize
64KB

Download
memory/2248-228-0x00000299E2CD0000-0x00000299E2CE0000-memory.dmp

Filesize
64KB

Download
memory/2248-171-0x00000299E2C10000-0x00000299E2C48000-memory.dmp

Filesize
224KB

Download
memory/2248-175-0x00000299E2CD0000-0x00000299E2CE0000-memory.dmp

Filesize
64KB

Download
memory/2248-174-0x00000299E2CD0000-0x00000299E2CE0000-memory.dmp

Filesize
64KB

Download
memory/2248-173-0x00000299E2CD0000-0x00000299E2CE0000-memory.dmp

Filesize
64KB

Download