dcrat | 2276a755b620a013cb576a5eb90a46bfa48a7f45441eabfba4cdab788fca9fe2

Resubmissions

03/09/2023, 17:31

230903-v37rgabb9v 10

Analysis

max time kernel
119s
max time network
123s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
03/09/2023, 17:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

DCRatBuild.exe
Size

1.1MB
MD5

6fbeeb6b50f181018db3ff6d45fc173f
SHA1

c702e6f61770cfa8cdbde7415631658695f18763
SHA256

2276a755b620a013cb576a5eb90a46bfa48a7f45441eabfba4cdab788fca9fe2
SHA512

d8ae4560a8562a6cbf82fc99ad6777a2141342e44398cf95d92f14c258ecde6a7bc0cc5c29cccd029e8b1e30b8f3177b04d2d744fb18985f9c7d67da4e9b916b
SSDEEP

24576:U2G/nvxW3Ww0tCaXyOjoyFmS8/0iNxM/KATbEZ:UbA301RpmzRNUKG2

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat 45 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

pid	Process
992	schtasks.exe
1692	schtasks.exe
1356	schtasks.exe
2792	schtasks.exe
396	schtasks.exe
824	schtasks.exe
1676	schtasks.exe
2000	schtasks.exe
2144	schtasks.exe
2948	schtasks.exe
2044	schtasks.exe
1724	schtasks.exe
524	schtasks.exe
1584	schtasks.exe
1976	schtasks.exe
3040	schtasks.exe
2196	schtasks.exe
1772	schtasks.exe
2708	schtasks.exe
2480	schtasks.exe
964	schtasks.exe
2976	schtasks.exe
1872	schtasks.exe
3020	schtasks.exe
876	schtasks.exe
340	schtasks.exe
1636	schtasks.exe
2508	schtasks.exe
2840	schtasks.exe
2968	schtasks.exe
1420	schtasks.exe
1836	schtasks.exe
1708	schtasks.exe
1580	schtasks.exe
632	schtasks.exe
1856	schtasks.exe
1760	schtasks.exe
2668	schtasks.exe
1068	schtasks.exe
2284	schtasks.exe
2148	schtasks.exe
2336	schtasks.exe
932	schtasks.exe
2752	schtasks.exe
2756	schtasks.exe

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe"	Idle.exe

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	1316	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	1316	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	1316	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	1316	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2480	1316	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	1316	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	1316	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	1316	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1772	1316	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1580	1316	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1356	1316	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	1316	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	1316	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	1316	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1836	1316	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	1316	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	524	1316	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	964	1316	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	340	1316	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1068	1316	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	1316	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	1316	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	1316	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	932	1316	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	824	1316	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	1316	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	1316	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	1316	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	632	1316	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1856	1316	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	396	1316	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1872	1316	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	992	1316	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1420	1316	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	1316	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	1316	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1584	1316	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	1316	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	1316	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	876	1316	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	1316	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	1316	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	1316	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	1316	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	1316	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	1316	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	1316	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	1316	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	1316	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	1316	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	1316	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	1316	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	1316	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	1316	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	1316	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	1316	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	1316	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	1316	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	1316	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	1316	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	472	1316	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	1316	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1320	1316	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	1316	schtasks.exe	32

DCRat payload 23 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x001c00000001483c-9.dat	dcrat
behavioral1/files/0x001c00000001483c-10.dat	dcrat
behavioral1/files/0x001c00000001483c-12.dat	dcrat
behavioral1/files/0x001c00000001483c-11.dat	dcrat
behavioral1/memory/1388-13-0x0000000000350000-0x0000000000426000-memory.dmp	dcrat
behavioral1/files/0x0009000000015604-20.dat	dcrat
behavioral1/files/0x001c00000001483c-22.dat	dcrat
behavioral1/files/0x001c000000014970-32.dat	dcrat
behavioral1/files/0x001c000000014970-58.dat	dcrat
behavioral1/files/0x001c000000014970-59.dat	dcrat
behavioral1/memory/2056-60-0x0000000000BC0000-0x0000000000C96000-memory.dmp	dcrat
behavioral1/memory/2056-64-0x000000001B060000-0x000000001B0E0000-memory.dmp	dcrat
behavioral1/files/0x0006000000015ca9-65.dat	dcrat
behavioral1/files/0x0006000000015cbc-67.dat	dcrat
behavioral1/files/0x0006000000015dc2-69.dat	dcrat
behavioral1/files/0x0006000000015e4c-71.dat	dcrat
behavioral1/files/0x0006000000016068-73.dat	dcrat
behavioral1/files/0x0006000000016458-75.dat	dcrat
behavioral1/files/0x0006000000016aea-77.dat	dcrat
behavioral1/files/0x0006000000016c32-79.dat	dcrat
behavioral1/files/0x0006000000016cc5-81.dat	dcrat
behavioral1/files/0x0006000000016d05-83.dat	dcrat
behavioral1/files/0x0006000000016d4a-85.dat	dcrat

Executes dropped EXE 3 IoCs

pid	Process
1388	mschainsession.exe
2904	mschainsession.exe
2056	Idle.exe

Loads dropped DLL 2 IoCs

pid	Process
2808	cmd.exe
2808	cmd.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\886983d96e3d3e	mschainsession.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\schtasks.exe	mschainsession.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\3a6fe29a7ceee6	mschainsession.exe
File created	C:\Program Files (x86)\Windows Portable Devices\lsm.exe	mschainsession.exe
File created	C:\Program Files (x86)\Windows Portable Devices\101b941d020240	mschainsession.exe
File created	C:\Program Files (x86)\Google\csrss.exe	mschainsession.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2148	schtasks.exe
876	schtasks.exe
2756	schtasks.exe
1356	schtasks.exe
2668	schtasks.exe
1856	schtasks.exe
3040	schtasks.exe
1692	schtasks.exe
2336	schtasks.exe
1636	schtasks.exe
2948	schtasks.exe
2480	schtasks.exe
524	schtasks.exe
2968	schtasks.exe
1872	schtasks.exe
2144	schtasks.exe
1772	schtasks.exe
1580	schtasks.exe
2840	schtasks.exe
1068	schtasks.exe
396	schtasks.exe
632	schtasks.exe
1420	schtasks.exe
2000	schtasks.exe
2508	schtasks.exe
2044	schtasks.exe
964	schtasks.exe
340	schtasks.exe
1676	schtasks.exe
2196	schtasks.exe
1760	schtasks.exe
1584	schtasks.exe
1976	schtasks.exe
2752	schtasks.exe
2792	schtasks.exe
1724	schtasks.exe
2976	schtasks.exe
824	schtasks.exe
992	schtasks.exe
3020	schtasks.exe
1708	schtasks.exe
2708	schtasks.exe
1836	schtasks.exe
932	schtasks.exe
2284	schtasks.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
1388	mschainsession.exe
2904	mschainsession.exe
2904	mschainsession.exe
2904	mschainsession.exe
2904	mschainsession.exe
2904	mschainsession.exe
2904	mschainsession.exe
2904	mschainsession.exe
2056	Idle.exe
2056	Idle.exe
2056	Idle.exe
2056	Idle.exe
2056	Idle.exe
2056	Idle.exe
2056	Idle.exe
2056	Idle.exe
2056	Idle.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1388	mschainsession.exe
Token: SeDebugPrivilege	2904	mschainsession.exe
Token: SeDebugPrivilege	2056	Idle.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 2992	2116	DCRatBuild.exe	28
PID 2116 wrote to memory of 2992	2116	DCRatBuild.exe	28
PID 2116 wrote to memory of 2992	2116	DCRatBuild.exe	28
PID 2116 wrote to memory of 2992	2116	DCRatBuild.exe	28
PID 2992 wrote to memory of 2808	2992	WScript.exe	29
PID 2992 wrote to memory of 2808	2992	WScript.exe	29
PID 2992 wrote to memory of 2808	2992	WScript.exe	29
PID 2992 wrote to memory of 2808	2992	WScript.exe	29
PID 2808 wrote to memory of 1388	2808	cmd.exe	31
PID 2808 wrote to memory of 1388	2808	cmd.exe	31
PID 2808 wrote to memory of 1388	2808	cmd.exe	31
PID 2808 wrote to memory of 1388	2808	cmd.exe	31
PID 1388 wrote to memory of 2904	1388	mschainsession.exe	42
PID 1388 wrote to memory of 2904	1388	mschainsession.exe	42
PID 1388 wrote to memory of 2904	1388	mschainsession.exe	42
PID 2904 wrote to memory of 2416	2904	mschainsession.exe	79
PID 2904 wrote to memory of 2416	2904	mschainsession.exe	79
PID 2904 wrote to memory of 2416	2904	mschainsession.exe	79
PID 2416 wrote to memory of 1552	2416	cmd.exe	81
PID 2416 wrote to memory of 1552	2416	cmd.exe	81
PID 2416 wrote to memory of 1552	2416	cmd.exe	81
PID 2416 wrote to memory of 2056	2416	cmd.exe	82
PID 2416 wrote to memory of 2056	2416	cmd.exe	82
PID 2416 wrote to memory of 2056	2416	cmd.exe	82
PID 2056 wrote to memory of 1892	2056	Idle.exe	114
PID 2056 wrote to memory of 1892	2056	Idle.exe	114
PID 2056 wrote to memory of 1892	2056	Idle.exe	114
PID 1892 wrote to memory of 1068	1892	cmd.exe	115
PID 1892 wrote to memory of 1068	1892	cmd.exe	115
PID 1892 wrote to memory of 1068	1892	cmd.exe	115

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\mscrtdllcommon\DQlCEO1bA9.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2992
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\mscrtdllcommon\H37Ju7Ua1ogGG20tS0zG.bat" "
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2808
  - - C:\Users\Admin\AppData\Local\Temp\mscrtdllcommon\mschainsession.exe
      "C:\Users\Admin\AppData\Local\Temp\mscrtdllcommon\mschainsession.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1388
    - - C:\Users\Admin\AppData\Local\Temp\mscrtdllcommon\mschainsession.exe
        
        "C:\Users\Admin\AppData\Local\Temp\mscrtdllcommon\mschainsession.exe"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2904
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QeUQ3rayi0.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2416
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1552
        
        C:\Recovery\5ccd98e2-489c-11ee-919d-62b3d3f2749b\Idle.exe
        
        "C:\Recovery\5ccd98e2-489c-11ee-919d-62b3d3f2749b\Idle.exe"
        7⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2056
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\3a8tNGcxSj.bat" "
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1892
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:1068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Recovery\5ccd98e2-489c-11ee-919d-62b3d3f2749b\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\5ccd98e2-489c-11ee-919d-62b3d3f2749b\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\5ccd98e2-489c-11ee-919d-62b3d3f2749b\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\audiodg.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Templates\taskhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Admin\Templates\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Templates\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\schtasks.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\schtasks.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\schtasks.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Libraries\audiodg.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Public\Libraries\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Libraries\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Recovery\5ccd98e2-489c-11ee-919d-62b3d3f2749b\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\5ccd98e2-489c-11ee-919d-62b3d3f2749b\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Recovery\5ccd98e2-489c-11ee-919d-62b3d3f2749b\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Recovery\5ccd98e2-489c-11ee-919d-62b3d3f2749b\explorer.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\5ccd98e2-489c-11ee-919d-62b3d3f2749b\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Recovery\5ccd98e2-489c-11ee-919d-62b3d3f2749b\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\spoolsv.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\lsm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Portable Devices\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Recovery\5ccd98e2-489c-11ee-919d-62b3d3f2749b\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\5ccd98e2-489c-11ee-919d-62b3d3f2749b\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Recovery\5ccd98e2-489c-11ee-919d-62b3d3f2749b\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\explorer.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Google\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "mschainsession" /f
1⤵
- Process spawned unexpected child process
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "mschainsessionm" /f
1⤵
- Process spawned unexpected child process
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "wininit" /f
1⤵
- Process spawned unexpected child process
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "wininitw" /f
1⤵
- Process spawned unexpected child process
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "schtasks" /f
1⤵
- Process spawned unexpected child process
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "schtaskss" /f
1⤵
- Process spawned unexpected child process
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "audiodg" /f
1⤵
- Process spawned unexpected child process
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "audiodga" /f
1⤵
- Process spawned unexpected child process
PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "Idle" /f
1⤵
- Process spawned unexpected child process
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "IdleI" /f
1⤵
- Process spawned unexpected child process
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "explorer" /f
1⤵
- Process spawned unexpected child process
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "explorere" /f
1⤵
- Process spawned unexpected child process
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "lsm" /f
1⤵
- Process spawned unexpected child process
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "lsml" /f
1⤵
- Process spawned unexpected child process
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "spoolsv" /f
1⤵
- Process spawned unexpected child process
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "spoolsvs" /f
1⤵
- Process spawned unexpected child process
PID:472

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "lsm" /f
1⤵
- Process spawned unexpected child process
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "lsml" /f
1⤵
- Process spawned unexpected child process
PID:1320

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "winlogon" /f
1⤵
- Process spawned unexpected child process
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "winlogonw" /f
1⤵
PID:484

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "taskhost" /f
1⤵
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "taskhostt" /f
1⤵
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "explorer" /f
1⤵
PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "explorere" /f
1⤵
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "csrss" /f
1⤵
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "csrssc" /f
1⤵
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "Idle" /f
1⤵
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "IdleI" /f
1⤵
PID:1512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\f3b6ecef712a24

Filesize
501B

MD5
ff51e30563c0991670ae586a847d99d3

SHA1
b1eadb8e2b86334fbcc55f9dc9d657c0c3862bac

SHA256
d7b9755d68974c3784ad3a61ba1204013cf13f3606fdb18446d3463d78fdc460

SHA512
451cb4be9042119f1b24a5e5412ceb6f60cfdad25fb2b38dfdae92d36d5659f8c0f6461125f9c6f262e61b015fc46516d13253c062a1b7eb04fef9361f80daaf

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\spoolsv.exe

Filesize
827KB

MD5
e10639a80968af74c3b54cbd4b16faf3

SHA1
a845294b16fdb222ff6ad77d07f90e2aa5889f1e

SHA256
bcc8c754ce229e852d368dd059f414968fed373e45d9e14ae358a7d2aab13245

SHA512
2d5650876bda2cc06cabe5293e2e51a41b1acbb409ef8b146075c0fba640dfb93bb16c50bc231d2a624524523eca2b0cf6effcfb8acdad0fd6441bf8e50b546a

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\b75386f1303e64

Filesize
510B

MD5
5d3c9aeedeff6ed2452dd909f4ac7619

SHA1
09d4ae642161c5a8214ceecbaa548e846c881159

SHA256
64783d9951a5bc6b373d2fd45a06537983ae20495adad110112bd97407b20a77

SHA512
a112d514bcd824fb90f389a9596e0ea24e7bc1f93b9e108d0c1022831d3b512c3eb68b96b2749c38f0b3ec030d28b404f8c12bee027f682de0f7c5a4aa8cd4b7

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\taskhost.exe

Filesize
827KB

MD5
e10639a80968af74c3b54cbd4b16faf3

SHA1
a845294b16fdb222ff6ad77d07f90e2aa5889f1e

SHA256
bcc8c754ce229e852d368dd059f414968fed373e45d9e14ae358a7d2aab13245

SHA512
2d5650876bda2cc06cabe5293e2e51a41b1acbb409ef8b146075c0fba640dfb93bb16c50bc231d2a624524523eca2b0cf6effcfb8acdad0fd6441bf8e50b546a

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\101b941d020240

Filesize
218B

MD5
f5837d8dd2274ad706385658216562fc

SHA1
36cd900d3b3c4631be8f3021d3cad8e99fc27c40

SHA256
ba8f2cec3e569728a1f9e7502df4d2d0ec429f4d645b1c81e0c53541df1080fd

SHA512
6a626404d14dc594034101b3feaafdc685863b29595d36e80fc3cfca973c5216613c6a0c249fd4b7320b623e0a4338165479c67a032dbdc6d796f0211ef500c3

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsm.exe

Filesize
827KB

MD5
e10639a80968af74c3b54cbd4b16faf3

SHA1
a845294b16fdb222ff6ad77d07f90e2aa5889f1e

SHA256
bcc8c754ce229e852d368dd059f414968fed373e45d9e14ae358a7d2aab13245

SHA512
2d5650876bda2cc06cabe5293e2e51a41b1acbb409ef8b146075c0fba640dfb93bb16c50bc231d2a624524523eca2b0cf6effcfb8acdad0fd6441bf8e50b546a

Download Submit
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\7a0fd90576e088

Filesize
850B

MD5
f4a945a35866cece6606658e6fd253f1

SHA1
3e9a35bd963d2370cf788141ef42c1a5ced06bd8

SHA256
ecc75999cd0d2503da484a4720a49726ca13180a531dd4e482b29bc99a0c4a35

SHA512
4a47b5e3a7ab92d0534414749424d58147dc8f1d26143946d8a8035a1d5ca1f75516650394d616e3daf8d8035d1c78ae2e261a371b0707d2c22d65c361932ce6

Download Submit
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\explorer.exe

Filesize
827KB

MD5
e10639a80968af74c3b54cbd4b16faf3

SHA1
a845294b16fdb222ff6ad77d07f90e2aa5889f1e

SHA256
bcc8c754ce229e852d368dd059f414968fed373e45d9e14ae358a7d2aab13245

SHA512
2d5650876bda2cc06cabe5293e2e51a41b1acbb409ef8b146075c0fba640dfb93bb16c50bc231d2a624524523eca2b0cf6effcfb8acdad0fd6441bf8e50b546a

Download Submit
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\56085415360792

Filesize
845B

MD5
e1fbec00c5d440ac4a5e165c54b3e77e

SHA1
3feb1824d7d9490017e88e64aca6a99288eda9a6

SHA256
88312c7495bfb0b51af86c18e549592202cce3bfc1f38b922051c0b8ca05b573

SHA512
6537a2304b8dc269dff2fba770df71bf8f021e435bfbbc1514fcc93011c2baf73cdafa2992d7017dfd1e5aeb8d321430ae1f20ea7cb73ea038f87e1d045b2be8

Download Submit
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\wininit.exe

Filesize
827KB

MD5
e10639a80968af74c3b54cbd4b16faf3

SHA1
a845294b16fdb222ff6ad77d07f90e2aa5889f1e

SHA256
bcc8c754ce229e852d368dd059f414968fed373e45d9e14ae358a7d2aab13245

SHA512
2d5650876bda2cc06cabe5293e2e51a41b1acbb409ef8b146075c0fba640dfb93bb16c50bc231d2a624524523eca2b0cf6effcfb8acdad0fd6441bf8e50b546a

Download Submit
C:\Program Files (x86)\Google\886983d96e3d3e

Filesize
944B

MD5
d714ee2c3b54f5d9bb63c89f4db529b6

SHA1
783634c1e8ea0e84ebdd17ca225c9ed9c51ef363

SHA256
9bd2f0d7bcaa866cb05960acd1d27ef5624c75e93c5e1479353f2da15cf499eb

SHA512
2fe5ed6fe30ad69649b675468f30d1472e1863aeac44424d3e8daaeafddf80d55f1fe8202e26a0a74cd11b35f5489035d8b9273b80df4ff77c462040cff7d8b9

Download Submit
C:\Program Files (x86)\Google\csrss.exe

Filesize
827KB

MD5
e10639a80968af74c3b54cbd4b16faf3

SHA1
a845294b16fdb222ff6ad77d07f90e2aa5889f1e

SHA256
bcc8c754ce229e852d368dd059f414968fed373e45d9e14ae358a7d2aab13245

SHA512
2d5650876bda2cc06cabe5293e2e51a41b1acbb409ef8b146075c0fba640dfb93bb16c50bc231d2a624524523eca2b0cf6effcfb8acdad0fd6441bf8e50b546a

Download Submit
C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\3a6fe29a7ceee6

Filesize
15B

MD5
c62fcc75ed63d971bdc21b6a7d014ef2

SHA1
8026f45d609b1fd340bd4a5eeaea58629e5c6ade

SHA256
b16edc5fbc2e3273dfd1ad09c2ef7c0840842b95cdc335f09168b61e9854f57e

SHA512
ba3b1193236967910a7a1b5bc74f3c5247673fdd57f7ca46a25fe3841e28960eec657a9b68ab34169c385006c8bb1d456028166c8fda79bd7fb50e798e14b448

Download Submit
C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\schtasks.exe

Filesize
827KB

MD5
e10639a80968af74c3b54cbd4b16faf3

SHA1
a845294b16fdb222ff6ad77d07f90e2aa5889f1e

SHA256
bcc8c754ce229e852d368dd059f414968fed373e45d9e14ae358a7d2aab13245

SHA512
2d5650876bda2cc06cabe5293e2e51a41b1acbb409ef8b146075c0fba640dfb93bb16c50bc231d2a624524523eca2b0cf6effcfb8acdad0fd6441bf8e50b546a

Download Submit
C:\Program Files (x86)\Windows Portable Devices\101b941d020240

Filesize
731B

MD5
3c7f7f652aedc61f30c6877792ee7e92

SHA1
9848b7d42619eec7f24a9925d6c2f36dea9c00f8

SHA256
c5f677f1c3554aa301e6ec91f7d70d4bfbb0be209a4844fdb54df0a5e81003b9

SHA512
6d88791a422acd13d673b24735d72683813ea3043b8e83ef48e4fd6cb639cd242a31de638ceeeefebdd6fd335e4b348963aee1945dfa11af83fd49793ea9d845

Download Submit
C:\Program Files (x86)\Windows Portable Devices\lsm.exe

Filesize
827KB

MD5
e10639a80968af74c3b54cbd4b16faf3

SHA1
a845294b16fdb222ff6ad77d07f90e2aa5889f1e

SHA256
bcc8c754ce229e852d368dd059f414968fed373e45d9e14ae358a7d2aab13245

SHA512
2d5650876bda2cc06cabe5293e2e51a41b1acbb409ef8b146075c0fba640dfb93bb16c50bc231d2a624524523eca2b0cf6effcfb8acdad0fd6441bf8e50b546a

Download Submit
C:\Recovery\5ccd98e2-489c-11ee-919d-62b3d3f2749b\6ccacd8608530f

Filesize
510B

MD5
dfb0601a454f891880595200c24ce703

SHA1
f867ec404573e34ad0cc5d1b763c4665ed8e3da0

SHA256
30d446ba74c9d26e367bbbbcedc8d10ef830e455d7a7d893b62a5e05a71d838d

SHA512
5474ae705e73d7cbb1fe1fd1097c2950bed62510b4f3953ff0457ea73026d23054d59874650b640b7280926da84938c7128b7f8c55d0116fd4daa4c8d208de94

Download Submit
C:\Recovery\5ccd98e2-489c-11ee-919d-62b3d3f2749b\6ccacd8608530f

Filesize
510B

MD5
dfb0601a454f891880595200c24ce703

SHA1
f867ec404573e34ad0cc5d1b763c4665ed8e3da0

SHA256
30d446ba74c9d26e367bbbbcedc8d10ef830e455d7a7d893b62a5e05a71d838d

SHA512
5474ae705e73d7cbb1fe1fd1097c2950bed62510b4f3953ff0457ea73026d23054d59874650b640b7280926da84938c7128b7f8c55d0116fd4daa4c8d208de94

Download Submit
C:\Recovery\5ccd98e2-489c-11ee-919d-62b3d3f2749b\7a0fd90576e088

Filesize
134B

MD5
c9c454d4eb4c44ea4d464b35341f1643

SHA1
fab05b382a08fa6e6267a374fa2b97adff5311b7

SHA256
2ea96126623ffbc80e9efb29cfaabb8dcda0225b49f6d396d796beb2cbbae459

SHA512
6192e752fe10c6f01d45180cfc731ea5d411b2205117b4f8ff8f92eea89467a1a0a792f2b6936432435bcc1e1fcc0d6c1e37cd29755a5e5428f883a80d28fa35

Download Submit
C:\Recovery\5ccd98e2-489c-11ee-919d-62b3d3f2749b\Idle.exe

Filesize
827KB

MD5
e10639a80968af74c3b54cbd4b16faf3

SHA1
a845294b16fdb222ff6ad77d07f90e2aa5889f1e

SHA256
bcc8c754ce229e852d368dd059f414968fed373e45d9e14ae358a7d2aab13245

SHA512
2d5650876bda2cc06cabe5293e2e51a41b1acbb409ef8b146075c0fba640dfb93bb16c50bc231d2a624524523eca2b0cf6effcfb8acdad0fd6441bf8e50b546a

Download Submit
C:\Recovery\5ccd98e2-489c-11ee-919d-62b3d3f2749b\Idle.exe

Filesize
827KB

MD5
e10639a80968af74c3b54cbd4b16faf3

SHA1
a845294b16fdb222ff6ad77d07f90e2aa5889f1e

SHA256
bcc8c754ce229e852d368dd059f414968fed373e45d9e14ae358a7d2aab13245

SHA512
2d5650876bda2cc06cabe5293e2e51a41b1acbb409ef8b146075c0fba640dfb93bb16c50bc231d2a624524523eca2b0cf6effcfb8acdad0fd6441bf8e50b546a

Download Submit
C:\Recovery\5ccd98e2-489c-11ee-919d-62b3d3f2749b\Idle.exe

Filesize
827KB

MD5
e10639a80968af74c3b54cbd4b16faf3

SHA1
a845294b16fdb222ff6ad77d07f90e2aa5889f1e

SHA256
bcc8c754ce229e852d368dd059f414968fed373e45d9e14ae358a7d2aab13245

SHA512
2d5650876bda2cc06cabe5293e2e51a41b1acbb409ef8b146075c0fba640dfb93bb16c50bc231d2a624524523eca2b0cf6effcfb8acdad0fd6441bf8e50b546a

Download Submit
C:\Recovery\5ccd98e2-489c-11ee-919d-62b3d3f2749b\cc11b995f2a76d

Filesize
241B

MD5
1e9317d6168b58d521dec44e794b7baf

SHA1
f3233912c50688e87e7abb15cf70f4ddc1723a50

SHA256
9388874395e564c995cc1efccac8f983d74199ba6d89c67c3a3918f77ca4ac01

SHA512
bec9f839dcd30b24792a3bec51939bd5230584ba9865f1d4b2127698509124c7934298a2056f53ac253262527616aca9dc7a316be2ea76f6a94d22a90aaf5354

Download Submit
C:\Recovery\5ccd98e2-489c-11ee-919d-62b3d3f2749b\explorer.exe

Filesize
827KB

MD5
e10639a80968af74c3b54cbd4b16faf3

SHA1
a845294b16fdb222ff6ad77d07f90e2aa5889f1e

SHA256
bcc8c754ce229e852d368dd059f414968fed373e45d9e14ae358a7d2aab13245

SHA512
2d5650876bda2cc06cabe5293e2e51a41b1acbb409ef8b146075c0fba640dfb93bb16c50bc231d2a624524523eca2b0cf6effcfb8acdad0fd6441bf8e50b546a

Download Submit
C:\Recovery\5ccd98e2-489c-11ee-919d-62b3d3f2749b\winlogon.exe

Filesize
827KB

MD5
e10639a80968af74c3b54cbd4b16faf3

SHA1
a845294b16fdb222ff6ad77d07f90e2aa5889f1e

SHA256
bcc8c754ce229e852d368dd059f414968fed373e45d9e14ae358a7d2aab13245

SHA512
2d5650876bda2cc06cabe5293e2e51a41b1acbb409ef8b146075c0fba640dfb93bb16c50bc231d2a624524523eca2b0cf6effcfb8acdad0fd6441bf8e50b546a

Download Submit
C:\Users\Admin\AppData\Local\Temp\3a8tNGcxSj.bat

Filesize
306B

MD5
39ac538b2c9e6c62d8936c4e7723d4a8

SHA1
bb8dcf8b489998e9e1b37a9877d7fae4079ce8b7

SHA256
474120d7e1c424f4f1c97bd52360c69d00f7394808d5ae1f52d8811c5a4ac03e

SHA512
e3647fb96554377b7b554d2144a6e6a3582a77e13945f28c15b75e9cb9fd92ff4d0943e6e90dac26fb0efcdc11c10ba6a0b3eb1d0ab0f9d794a7731817f73f32

Download Submit
C:\Users\Admin\AppData\Local\Temp\3a8tNGcxSj.bat

Filesize
306B

MD5
39ac538b2c9e6c62d8936c4e7723d4a8

SHA1
bb8dcf8b489998e9e1b37a9877d7fae4079ce8b7

SHA256
474120d7e1c424f4f1c97bd52360c69d00f7394808d5ae1f52d8811c5a4ac03e

SHA512
e3647fb96554377b7b554d2144a6e6a3582a77e13945f28c15b75e9cb9fd92ff4d0943e6e90dac26fb0efcdc11c10ba6a0b3eb1d0ab0f9d794a7731817f73f32

Download Submit
C:\Users\Admin\AppData\Local\Temp\QeUQ3rayi0.bat

Filesize
222B

MD5
2bc8b860c257f742ed35ebb247f014c1

SHA1
4f57610ad896dba41fd388093453405726cc7e4f

SHA256
ffefd29457f35bf0b370f076ec5d23e6f5610a595060812710104e6ed449e452

SHA512
9984f0fae4de8fb517e46bb296629144b964c48fe07fb690b03de8a2c0d87c1d8ab9167453ae55a81d7c094d0c55c97b94cf3f5bb0c94c102ad37cf03d65987f

Download Submit
C:\Users\Admin\AppData\Local\Temp\mscrtdllcommon\DQlCEO1bA9.vbe

Filesize
215B

MD5
5be1d19543bc92fb54ccb6f3ab00e644

SHA1
d23fe266ecf933a4f60d4f26a2154b76053a8afd

SHA256
8cab4227c1db0cb29bd3ac75c62920c9d7b3ad0a9cd51444a2f608db8908938a

SHA512
7bc07c7b4acdb27d526c38bc996859e6d73c4417fd4e6f13710f6b9e7ab27567b1696c7722562347e067368b70fb2727a973cc11eba4c42dbacff0a8bd58d2d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\mscrtdllcommon\H37Ju7Ua1ogGG20tS0zG.bat

Filesize
42B

MD5
bbbca900f446634f6886af63a3e1f560

SHA1
9af8b79fc355921464156e5ba57c7978d2f12b0c

SHA256
f4fb536a0a21383956d5cee93f761569f41e6d82d9a5a7f6b378187b5993b407

SHA512
441d0aa0f7ecc4c83e6a92f82a71ac11caa9fb67b77e8e39dc01260ebea80927f9bfcca9739c6c6fa60133ad5ceadb35c8d582ff163f273d5293371afb25c196

Download Submit
C:\Users\Admin\AppData\Local\Temp\mscrtdllcommon\mschainsession.exe

Filesize
827KB

MD5
e10639a80968af74c3b54cbd4b16faf3

SHA1
a845294b16fdb222ff6ad77d07f90e2aa5889f1e

SHA256
bcc8c754ce229e852d368dd059f414968fed373e45d9e14ae358a7d2aab13245

SHA512
2d5650876bda2cc06cabe5293e2e51a41b1acbb409ef8b146075c0fba640dfb93bb16c50bc231d2a624524523eca2b0cf6effcfb8acdad0fd6441bf8e50b546a

Download Submit
C:\Users\Admin\AppData\Local\Temp\mscrtdllcommon\mschainsession.exe

Filesize
827KB

MD5
e10639a80968af74c3b54cbd4b16faf3

SHA1
a845294b16fdb222ff6ad77d07f90e2aa5889f1e

SHA256
bcc8c754ce229e852d368dd059f414968fed373e45d9e14ae358a7d2aab13245

SHA512
2d5650876bda2cc06cabe5293e2e51a41b1acbb409ef8b146075c0fba640dfb93bb16c50bc231d2a624524523eca2b0cf6effcfb8acdad0fd6441bf8e50b546a

Download Submit
C:\Users\Admin\AppData\Local\Temp\mscrtdllcommon\mschainsession.exe

Filesize
827KB

MD5
e10639a80968af74c3b54cbd4b16faf3

SHA1
a845294b16fdb222ff6ad77d07f90e2aa5889f1e

SHA256
bcc8c754ce229e852d368dd059f414968fed373e45d9e14ae358a7d2aab13245

SHA512
2d5650876bda2cc06cabe5293e2e51a41b1acbb409ef8b146075c0fba640dfb93bb16c50bc231d2a624524523eca2b0cf6effcfb8acdad0fd6441bf8e50b546a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\taskhost.exe

Filesize
827KB

MD5
e10639a80968af74c3b54cbd4b16faf3

SHA1
a845294b16fdb222ff6ad77d07f90e2aa5889f1e

SHA256
bcc8c754ce229e852d368dd059f414968fed373e45d9e14ae358a7d2aab13245

SHA512
2d5650876bda2cc06cabe5293e2e51a41b1acbb409ef8b146075c0fba640dfb93bb16c50bc231d2a624524523eca2b0cf6effcfb8acdad0fd6441bf8e50b546a

Download Submit
C:\Users\Public\Libraries\42af1c969fbb7b

Filesize
903B

MD5
a4450b9a290420767e2c63d5741e5656

SHA1
34935e373dd25cf31ac33f0ed264b2de65c95e07

SHA256
d9db524c4fd7efa444f393b17f4dc536f8f663123aa82c416bc1e5b78659a910

SHA512
f3245abb6d0452dd6b087996d05f86a82265df40fd38dcec3c49466175355556264ef7a1d8f52ce9dbf407aa4ed612b420787b5dce53c429fbdab75d75b418e6

Download Submit
C:\Users\Public\Libraries\audiodg.exe

Filesize
827KB

MD5
e10639a80968af74c3b54cbd4b16faf3

SHA1
a845294b16fdb222ff6ad77d07f90e2aa5889f1e

SHA256
bcc8c754ce229e852d368dd059f414968fed373e45d9e14ae358a7d2aab13245

SHA512
2d5650876bda2cc06cabe5293e2e51a41b1acbb409ef8b146075c0fba640dfb93bb16c50bc231d2a624524523eca2b0cf6effcfb8acdad0fd6441bf8e50b546a

Download Submit
\Users\Admin\AppData\Local\Temp\mscrtdllcommon\mschainsession.exe

Filesize
827KB

MD5
e10639a80968af74c3b54cbd4b16faf3

SHA1
a845294b16fdb222ff6ad77d07f90e2aa5889f1e

SHA256
bcc8c754ce229e852d368dd059f414968fed373e45d9e14ae358a7d2aab13245

SHA512
2d5650876bda2cc06cabe5293e2e51a41b1acbb409ef8b146075c0fba640dfb93bb16c50bc231d2a624524523eca2b0cf6effcfb8acdad0fd6441bf8e50b546a

Download Submit
\Users\Admin\AppData\Local\Temp\mscrtdllcommon\mschainsession.exe

Filesize
827KB

MD5
e10639a80968af74c3b54cbd4b16faf3

SHA1
a845294b16fdb222ff6ad77d07f90e2aa5889f1e

SHA256
bcc8c754ce229e852d368dd059f414968fed373e45d9e14ae358a7d2aab13245

SHA512
2d5650876bda2cc06cabe5293e2e51a41b1acbb409ef8b146075c0fba640dfb93bb16c50bc231d2a624524523eca2b0cf6effcfb8acdad0fd6441bf8e50b546a

Download Submit
memory/1388-24-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download
memory/1388-15-0x000000001AF20000-0x000000001AFA0000-memory.dmp

Filesize
512KB

Download
memory/1388-14-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download
memory/1388-13-0x0000000000350000-0x0000000000426000-memory.dmp

Filesize
856KB

Download
memory/2056-63-0x000007FEF54B0000-0x000007FEF5E9C000-memory.dmp

Filesize
9.9MB

Download
memory/2056-64-0x000000001B060000-0x000000001B0E0000-memory.dmp

Filesize
512KB

Download
memory/2056-62-0x000000001B060000-0x000000001B0E0000-memory.dmp

Filesize
512KB

Download
memory/2056-61-0x000007FEF54B0000-0x000007FEF5E9C000-memory.dmp

Filesize
9.9MB

Download
memory/2056-60-0x0000000000BC0000-0x0000000000C96000-memory.dmp

Filesize
856KB

Download
memory/2056-98-0x000007FEF54B0000-0x000007FEF5E9C000-memory.dmp

Filesize
9.9MB

Download
memory/2904-56-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download
memory/2904-25-0x000000001AC90000-0x000000001AD10000-memory.dmp

Filesize
512KB

Download
memory/2904-23-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download