dcrat | 54096c1f199a69326018b8a54c3c2e8b6a2e0a1f4724d0fceb8016cf4ae0cece

Analysis

max time kernel
185s
max time network
210s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29-12-2023 21:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

04a31d7675a4858c9c1ddb7c818782d5.exe
Size

1.4MB
MD5

04a31d7675a4858c9c1ddb7c818782d5
SHA1

991b6bd9ed58869e8e408158b99a050791e15f17
SHA256

54096c1f199a69326018b8a54c3c2e8b6a2e0a1f4724d0fceb8016cf4ae0cece
SHA512

2fac1ab544a88b0476e474d0990ab24fa5a678f0ae983aca1666910774d85a0b5dcc2040ef5fff21a25ef04d57fdc35de34af28d24c73af8b66c163b890b5d97
SSDEEP

24576:u2G/nvxW3WieCO0Kktota4CJjOEn3v02OSPm0woqLvs4eI3x9WE+4Q:ubA3jY4oLCJjNn/wGb8eASb

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat 14 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe04a31d7675a4858c9c1ddb7c818782d5.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
4676	schtasks.exe
3992	schtasks.exe
812	schtasks.exe
4988	schtasks.exe
3660	schtasks.exe
2700	schtasks.exe
3384	schtasks.exe
4508	schtasks.exe
4424	schtasks.exe
Key value queried	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation	04a31d7675a4858c9c1ddb7c818782d5.exe
2380	schtasks.exe
4488	schtasks.exe
792	schtasks.exe
3972	schtasks.exe

Modifies WinLogon for persistence 2 TTPs 8 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

driverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:/Users/Admin/AppData/Local/\\RuntimeBroker.exe\", \"C:/Users/Admin/AppData/Local/\\conhost.exe\", \"C:/Users/Admin/AppData/Local/\\fontdrvhost.exe\", \"C:/Users/Admin/AppData/Local/\\cmd.exe\", \"C:/Users/Admin/AppData/Local/\\RuntimeBroker.exe\", \"C:/Users/Admin/AppData/Local/\\sihost.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:/Users/Admin/AppData/Local/\\RuntimeBroker.exe\", \"C:/Users/Admin/AppData/Local/\\conhost.exe\", \"C:/Users/Admin/AppData/Local/\\fontdrvhost.exe\", \"C:/Users/Admin/AppData/Local/\\cmd.exe\", \"C:/Users/Admin/AppData/Local/\\RuntimeBroker.exe\", \"C:/Users/Admin/AppData/Local/\\sihost.exe\", \"C:/Users/Admin/AppData/Local/\\winlogon.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:/Users/Admin/AppData/Local/\\RuntimeBroker.exe\", \"C:/Users/Admin/AppData/Local/\\conhost.exe\", \"C:/Users/Admin/AppData/Local/\\fontdrvhost.exe\", \"C:/Users/Admin/AppData/Local/\\cmd.exe\", \"C:/Users/Admin/AppData/Local/\\RuntimeBroker.exe\", \"C:/Users/Admin/AppData/Local/\\sihost.exe\", \"C:/Users/Admin/AppData/Local/\\winlogon.exe\", \"C:/Users/Admin/AppData/Local/\\sihost.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:/Users/Admin/AppData/Local/\\RuntimeBroker.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:/Users/Admin/AppData/Local/\\RuntimeBroker.exe\", \"C:/Users/Admin/AppData/Local/\\conhost.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:/Users/Admin/AppData/Local/\\RuntimeBroker.exe\", \"C:/Users/Admin/AppData/Local/\\conhost.exe\", \"C:/Users/Admin/AppData/Local/\\fontdrvhost.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:/Users/Admin/AppData/Local/\\RuntimeBroker.exe\", \"C:/Users/Admin/AppData/Local/\\conhost.exe\", \"C:/Users/Admin/AppData/Local/\\fontdrvhost.exe\", \"C:/Users/Admin/AppData/Local/\\cmd.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:/Users/Admin/AppData/Local/\\RuntimeBroker.exe\", \"C:/Users/Admin/AppData/Local/\\conhost.exe\", \"C:/Users/Admin/AppData/Local/\\fontdrvhost.exe\", \"C:/Users/Admin/AppData/Local/\\cmd.exe\", \"C:/Users/Admin/AppData/Local/\\RuntimeBroker.exe\""	driverSavesPerfsvcCrtNetSvc.exe

Process spawned unexpected child process 13 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	4520	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	792	4520	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3992	4520	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4508	4520	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4488	4520	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	812	4520	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3384	4520	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4988	4520	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	4520	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4424	4520	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3660	4520	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3972	4520	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4676	4520	schtasks.exe

DCRat payload 17 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe	dcrat
behavioral2/memory/3892-17-0x0000000000F40000-0x0000000001066000-memory.dmp	dcrat
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe	dcrat
C:\Users\Admin\AppData\Local\conhost.exe	dcrat
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe	dcrat
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe	dcrat
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe	dcrat
C:\Users\Admin\AppData\Local\RuntimeBroker.exe	dcrat
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe	dcrat
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe	dcrat
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe	dcrat
C:\Users\Admin\AppData\Local\sihost.exe	dcrat
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe	dcrat
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe	dcrat
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe	dcrat
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe	dcrat
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe	dcrat

Checks computer location settings 2 TTPs 10 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exe04a31d7675a4858c9c1ddb7c818782d5.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation	driverSavesPerfsvcCrtNetSvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation	driverSavesPerfsvcCrtNetSvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation	driverSavesPerfsvcCrtNetSvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation	driverSavesPerfsvcCrtNetSvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation	04a31d7675a4858c9c1ddb7c818782d5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation	driverSavesPerfsvcCrtNetSvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation	driverSavesPerfsvcCrtNetSvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation	driverSavesPerfsvcCrtNetSvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation	driverSavesPerfsvcCrtNetSvc.exe

Executes dropped EXE 9 IoCs

Processes:

pid	process
3892	driverSavesPerfsvcCrtNetSvc.exe
404	driverSavesPerfsvcCrtNetSvc.exe
4788	driverSavesPerfsvcCrtNetSvc.exe
4320	driverSavesPerfsvcCrtNetSvc.exe
4748	driverSavesPerfsvcCrtNetSvc.exe
4440	driverSavesPerfsvcCrtNetSvc.exe
3216	driverSavesPerfsvcCrtNetSvc.exe
3808	driverSavesPerfsvcCrtNetSvc.exe
4736	driverSavesPerfsvcCrtNetSvc.exe

Adds Run key to start application 2 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:/Users/Admin/AppData/Local/\\conhost.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:/Users/Admin/AppData/Local/\\fontdrvhost.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:/Users/Admin/AppData/Local/\\sihost.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:/Users/Admin/AppData/Local/\\winlogon.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:/Users/Admin/AppData/Local/\\RuntimeBroker.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:/Users/Admin/AppData/Local/\\fontdrvhost.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:/Users/Admin/AppData/Local/\\RuntimeBroker.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:/Users/Admin/AppData/Local/\\sihost.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:/Users/Admin/AppData/Local/\\RuntimeBroker.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:/Users/Admin/AppData/Local/\\cmd.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:/Users/Admin/AppData/Local/\\RuntimeBroker.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:/Users/Admin/AppData/Local/\\winlogon.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:/Users/Admin/AppData/Local/\\sihost.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:/Users/Admin/AppData/Local/\\conhost.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:/Users/Admin/AppData/Local/\\cmd.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:/Users/Admin/AppData/Local/\\sihost.exe\""	driverSavesPerfsvcCrtNetSvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 13 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
792	schtasks.exe
812	schtasks.exe
3384	schtasks.exe
3972	schtasks.exe
4488	schtasks.exe
4424	schtasks.exe
4988	schtasks.exe
2380	schtasks.exe
3660	schtasks.exe
4676	schtasks.exe
2700	schtasks.exe
3992	schtasks.exe
4508	schtasks.exe

Modifies registry class 8 IoCs

Processes:

driverSavesPerfsvcCrtNetSvc.exe04a31d7675a4858c9c1ddb7c818782d5.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings	driverSavesPerfsvcCrtNetSvc.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings	04a31d7675a4858c9c1ddb7c818782d5.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings	driverSavesPerfsvcCrtNetSvc.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings	driverSavesPerfsvcCrtNetSvc.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings	driverSavesPerfsvcCrtNetSvc.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings	driverSavesPerfsvcCrtNetSvc.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings	driverSavesPerfsvcCrtNetSvc.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings	driverSavesPerfsvcCrtNetSvc.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

powershell.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exe

pid	process
1496	powershell.exe
1496	powershell.exe
1496	powershell.exe
3892	driverSavesPerfsvcCrtNetSvc.exe
3892	driverSavesPerfsvcCrtNetSvc.exe
404	driverSavesPerfsvcCrtNetSvc.exe
404	driverSavesPerfsvcCrtNetSvc.exe
4788	driverSavesPerfsvcCrtNetSvc.exe
4788	driverSavesPerfsvcCrtNetSvc.exe
4320	driverSavesPerfsvcCrtNetSvc.exe
4748	driverSavesPerfsvcCrtNetSvc.exe
4440	driverSavesPerfsvcCrtNetSvc.exe
3216	driverSavesPerfsvcCrtNetSvc.exe
3216	driverSavesPerfsvcCrtNetSvc.exe
3808	driverSavesPerfsvcCrtNetSvc.exe
3808	driverSavesPerfsvcCrtNetSvc.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

driverSavesPerfsvcCrtNetSvc.exepowershell.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exe

description	pid	process
Token: SeDebugPrivilege	3892	driverSavesPerfsvcCrtNetSvc.exe
Token: SeDebugPrivilege	1496	powershell.exe
Token: SeDebugPrivilege	404	driverSavesPerfsvcCrtNetSvc.exe
Token: SeDebugPrivilege	4788	driverSavesPerfsvcCrtNetSvc.exe
Token: SeDebugPrivilege	4320	driverSavesPerfsvcCrtNetSvc.exe
Token: SeDebugPrivilege	4748	driverSavesPerfsvcCrtNetSvc.exe
Token: SeDebugPrivilege	4440	driverSavesPerfsvcCrtNetSvc.exe
Token: SeDebugPrivilege	3216	driverSavesPerfsvcCrtNetSvc.exe
Token: SeDebugPrivilege	3808	driverSavesPerfsvcCrtNetSvc.exe
Token: SeDebugPrivilege	4736	driverSavesPerfsvcCrtNetSvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

04a31d7675a4858c9c1ddb7c818782d5.execmd.exeWScript.execmd.exedriverSavesPerfsvcCrtNetSvc.execmd.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.execmd.exedriverSavesPerfsvcCrtNetSvc.execmd.exedriverSavesPerfsvcCrtNetSvc.execmd.exedriverSavesPerfsvcCrtNetSvc.execmd.exedriverSavesPerfsvcCrtNetSvc.execmd.exe

description	pid	process	target process
PID 2324 wrote to memory of 1744	2324	04a31d7675a4858c9c1ddb7c818782d5.exe	WScript.exe
PID 2324 wrote to memory of 1744	2324	04a31d7675a4858c9c1ddb7c818782d5.exe	WScript.exe
PID 2324 wrote to memory of 1744	2324	04a31d7675a4858c9c1ddb7c818782d5.exe	WScript.exe
PID 2324 wrote to memory of 2816	2324	04a31d7675a4858c9c1ddb7c818782d5.exe	cmd.exe
PID 2324 wrote to memory of 2816	2324	04a31d7675a4858c9c1ddb7c818782d5.exe	cmd.exe
PID 2324 wrote to memory of 2816	2324	04a31d7675a4858c9c1ddb7c818782d5.exe	cmd.exe
PID 2816 wrote to memory of 1496	2816	cmd.exe	powershell.exe
PID 2816 wrote to memory of 1496	2816	cmd.exe	powershell.exe
PID 2816 wrote to memory of 1496	2816	cmd.exe	powershell.exe
PID 1744 wrote to memory of 2020	1744	WScript.exe	cmd.exe
PID 1744 wrote to memory of 2020	1744	WScript.exe	cmd.exe
PID 1744 wrote to memory of 2020	1744	WScript.exe	cmd.exe
PID 2020 wrote to memory of 3892	2020	cmd.exe	driverSavesPerfsvcCrtNetSvc.exe
PID 2020 wrote to memory of 3892	2020	cmd.exe	driverSavesPerfsvcCrtNetSvc.exe
PID 3892 wrote to memory of 824	3892	driverSavesPerfsvcCrtNetSvc.exe	cmd.exe
PID 3892 wrote to memory of 824	3892	driverSavesPerfsvcCrtNetSvc.exe	cmd.exe
PID 824 wrote to memory of 1472	824	cmd.exe	chcp.com
PID 824 wrote to memory of 1472	824	cmd.exe	chcp.com
PID 824 wrote to memory of 4436	824	cmd.exe	w32tm.exe
PID 824 wrote to memory of 4436	824	cmd.exe	w32tm.exe
PID 824 wrote to memory of 404	824	cmd.exe	driverSavesPerfsvcCrtNetSvc.exe
PID 824 wrote to memory of 404	824	cmd.exe	driverSavesPerfsvcCrtNetSvc.exe
PID 404 wrote to memory of 4788	404	driverSavesPerfsvcCrtNetSvc.exe	driverSavesPerfsvcCrtNetSvc.exe
PID 404 wrote to memory of 4788	404	driverSavesPerfsvcCrtNetSvc.exe	driverSavesPerfsvcCrtNetSvc.exe
PID 4788 wrote to memory of 5028	4788	driverSavesPerfsvcCrtNetSvc.exe	cmd.exe
PID 4788 wrote to memory of 5028	4788	driverSavesPerfsvcCrtNetSvc.exe	cmd.exe
PID 5028 wrote to memory of 4356	5028	cmd.exe	backgroundTaskHost.exe
PID 5028 wrote to memory of 4356	5028	cmd.exe	backgroundTaskHost.exe
PID 5028 wrote to memory of 4212	5028	cmd.exe	w32tm.exe
PID 5028 wrote to memory of 4212	5028	cmd.exe	w32tm.exe
PID 5028 wrote to memory of 4320	5028	cmd.exe	driverSavesPerfsvcCrtNetSvc.exe
PID 5028 wrote to memory of 4320	5028	cmd.exe	driverSavesPerfsvcCrtNetSvc.exe
PID 4320 wrote to memory of 2728	4320	driverSavesPerfsvcCrtNetSvc.exe	cmd.exe
PID 4320 wrote to memory of 2728	4320	driverSavesPerfsvcCrtNetSvc.exe	cmd.exe
PID 2728 wrote to memory of 2956	2728	cmd.exe	chcp.com
PID 2728 wrote to memory of 2956	2728	cmd.exe	chcp.com
PID 2728 wrote to memory of 2700	2728	cmd.exe	w32tm.exe
PID 2728 wrote to memory of 2700	2728	cmd.exe	w32tm.exe
PID 2728 wrote to memory of 4748	2728	cmd.exe	driverSavesPerfsvcCrtNetSvc.exe
PID 2728 wrote to memory of 4748	2728	cmd.exe	driverSavesPerfsvcCrtNetSvc.exe
PID 4748 wrote to memory of 3064	4748	driverSavesPerfsvcCrtNetSvc.exe	cmd.exe
PID 4748 wrote to memory of 3064	4748	driverSavesPerfsvcCrtNetSvc.exe	cmd.exe
PID 3064 wrote to memory of 5068	3064	cmd.exe	chcp.com
PID 3064 wrote to memory of 5068	3064	cmd.exe	chcp.com
PID 3064 wrote to memory of 2108	3064	cmd.exe	w32tm.exe
PID 3064 wrote to memory of 2108	3064	cmd.exe	w32tm.exe
PID 3064 wrote to memory of 4440	3064	cmd.exe	driverSavesPerfsvcCrtNetSvc.exe
PID 3064 wrote to memory of 4440	3064	cmd.exe	driverSavesPerfsvcCrtNetSvc.exe
PID 4440 wrote to memory of 1908	4440	driverSavesPerfsvcCrtNetSvc.exe	cmd.exe
PID 4440 wrote to memory of 1908	4440	driverSavesPerfsvcCrtNetSvc.exe	cmd.exe
PID 1908 wrote to memory of 1516	1908	cmd.exe	chcp.com
PID 1908 wrote to memory of 1516	1908	cmd.exe	chcp.com
PID 1908 wrote to memory of 3020	1908	cmd.exe	w32tm.exe
PID 1908 wrote to memory of 3020	1908	cmd.exe	w32tm.exe
PID 1908 wrote to memory of 3216	1908	cmd.exe	driverSavesPerfsvcCrtNetSvc.exe
PID 1908 wrote to memory of 3216	1908	cmd.exe	driverSavesPerfsvcCrtNetSvc.exe
PID 3216 wrote to memory of 3664	3216	driverSavesPerfsvcCrtNetSvc.exe	cmd.exe
PID 3216 wrote to memory of 3664	3216	driverSavesPerfsvcCrtNetSvc.exe	cmd.exe
PID 3664 wrote to memory of 3512	3664	cmd.exe	chcp.com
PID 3664 wrote to memory of 3512	3664	cmd.exe	chcp.com
PID 3664 wrote to memory of 3960	3664	cmd.exe	w32tm.exe
PID 3664 wrote to memory of 3960	3664	cmd.exe	w32tm.exe
PID 3664 wrote to memory of 3808	3664	cmd.exe	driverSavesPerfsvcCrtNetSvc.exe
PID 3664 wrote to memory of 3808	3664	cmd.exe	driverSavesPerfsvcCrtNetSvc.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\04a31d7675a4858c9c1ddb7c818782d5.exe
"C:\Users\Admin\AppData\Local\Temp\04a31d7675a4858c9c1ddb7c818782d5.exe"
1⤵
- DcRat
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2324

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\driverSaves\LHhDtlPF.vbe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\driverSaves\elBs4FCCK.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:2020

C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
"C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe"
4⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3892

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HxvwKUv1my.bat"
5⤵
- Suspicious use of WriteProcessMemory
PID:824

C:\Windows\system32\chcp.com
chcp 65001
6⤵
PID:1472

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
6⤵
PID:4436

C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
"C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe"
6⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:404

C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
"C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe"
7⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4788

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sqR4HfFLWG.bat"
8⤵
- Suspicious use of WriteProcessMemory
PID:5028

C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
"C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe"
9⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4320

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DYOm9xMXVA.bat"
10⤵
- Suspicious use of WriteProcessMemory
PID:2728

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
11⤵
PID:2700

C:\Windows\system32\chcp.com
chcp 65001
11⤵
PID:2956

C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
"C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe"
11⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4748

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ndJJnAP553.bat"
12⤵
- Suspicious use of WriteProcessMemory
PID:3064

C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
"C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe"
13⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4440

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CSrcBxm2wK.bat"
14⤵
- Suspicious use of WriteProcessMemory
PID:1908

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
15⤵
PID:3020

C:\Windows\system32\chcp.com
chcp 65001
15⤵
PID:1516

C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
"C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe"
15⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3216

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VOBinTamT0.bat"
16⤵
- Suspicious use of WriteProcessMemory
PID:3664

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
17⤵
PID:3960

C:\Windows\system32\chcp.com
chcp 65001
17⤵
PID:3512

C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
"C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe"
17⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3808

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CSrcBxm2wK.bat"
18⤵
PID:1516

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
19⤵
PID:3580

C:\Windows\system32\chcp.com
chcp 65001
19⤵
PID:2388

C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
"C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe"
19⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4736

C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
"C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe"
20⤵
PID:3440

C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
"C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe"
21⤵
PID:1208

C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
"C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe"
22⤵
PID:2700

C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
"C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe"
23⤵
PID:4860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\driverSaves\mKLt1agSNSLByUmKEYd.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:2816

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:/Users/Admin/AppData/Local/\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:/Users/Admin/AppData/Local/\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:/Users/Admin/AppData/Local/\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3992

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:4212

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:4356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:/Users/Admin/AppData/Local/\cmd.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:/Users/Admin/AppData/Local/\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4488

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:2108

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:5068

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:4356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:/Users/Admin/AppData/Local/\sihost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:/Users/Admin/AppData/Local/\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:/Users/Admin/AppData/Local/\sihost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:/Users/Admin/AppData/Local/\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:/Users/Admin/AppData/Local/\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:/Users/Admin/AppData/Local/\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:/Users/Admin/AppData/Local/\TrustedInstaller.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:/Users/Admin/AppData/Local/\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4676

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\5b884080fd4f94e2695da25c503f9e33b9605b83
Filesize
194B

MD5
750a1085fdb74fab12cc0084dbc3595a

SHA1
4eb17a6ed04bcaa80c0be315d53c3e9dcc7b319f

SHA256
fe71fd17fd8d33caa8703b807dd425a0dfed2a963578adc76f3418de818a0db5

SHA512
0c7855d816b8591c8684696b47fbe6f595455018308bed7b40e3df52d0961bcd7063f6fedaef2a238dfd5d8bdc08ed694c1a11d5a639d36df865e12689dca578

Download Submit
C:\Users\Admin\AppData\Local\66fc9ff0ee96c2b21f0cfded48750ae9e3032bf3
Filesize
665B

MD5
5990814faa5ed769b70e67bf3268f4a2

SHA1
23792caef5f4a26649d7007c6bd7e48e5fb8ed30

SHA256
ef054214211da9ed00dd7fe915c6b63329fcfdfe89ac46f80e8e4b72bc0706e8

SHA512
55c39f806a6c0b09ec6bc09218073bd4dc1d0592ffc26a6ac338eeb5c2b3897f42bf3a5284436321cb16976756912e2bcab54ba16e1eba827876d633f0f71bfa

Download Submit
C:\Users\Admin\AppData\Local\9e8d7a4ca61bd92aff00cc37a7a4d62a2cac998d
Filesize
578B

MD5
4a55834b57c639b8d1ea6e6a70eadd70

SHA1
cfadb69e0ff94d52ea3c9644ce7ba6741d96c985

SHA256
d32be2c8d0023b0ecf87f84884e0f5e241777074d592aefaed61529e352f2e0b

SHA512
e22368dbc84b16a5bd54ae6cd6c4efca7606abbe035fc6bc24c6be0423859db59f701ac1123ed64524eb07962fc365c52812c84a4c90e44823bf9b05ee8e979b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\driverSavesPerfsvcCrtNetSvc.exe.log
Filesize
1KB

MD5
b7c0c43fc7804baaa7dc87152cdc9554

SHA1
1bab62bd56af745678d4e967d91e1ccfdeed4038

SHA256
46386a61f3aaf1b1c2e6efc9fc7e9e9ff16cd13ae58b8d856835771fedb6d457

SHA512
9fda3dd00a3406137e0113f13f78e77b20a76512b35820d38df696842cbbf2e2ebabfb99a3846c9637ecb54af858ec1551521187e379872973006426a253f769

Download Submit
C:\Users\Admin\AppData\Local\RuntimeBroker.exe
Filesize
553KB

MD5
9e8009d4deee4f130d6ca27e94e92f50

SHA1
1b98187bae5abfdcc7db7eacb0f2b8e0a4bf2dc4

SHA256
879e98ebd15fd72df0d16fd5bd5d7d5acf7956e36d56ba49ff6e2b97f53a405f

SHA512
932fc2c267ddede427bd1bfe608c0c34c94755e4ed87f33ca27ecf8480d0978159a353edb2aece0555e8810857161e5edbbccbbb33db0f7b5f45bc84928a7367

Download Submit
C:\Users\Admin\AppData\Local\Temp\CSrcBxm2wK.bat
Filesize
262B

MD5
b207aa6d145d6b7ba5d4500d7ac80a77

SHA1
05301f3971c1a57dea3cf03e0f7eedddea715ca1

SHA256
4f0f229e329dfd6fa683aef4fd2dfa09f6b6563840164aae612e721b3ca5acf6

SHA512
4ec1fc17d483d256da8a60d995af3a784371306eb2656117c5341d331447e852bf0b5fc5362ac35a70e59b7f279975dedeb70df7967f674cb32c2cba6d742a50

Download Submit
C:\Users\Admin\AppData\Local\Temp\DYOm9xMXVA.bat
Filesize
262B

MD5
19b5546fdf2c0224d7efd340bfaa00b6

SHA1
e79793c260cc812e84dc7a45e68bb899ec05df65

SHA256
ca25d15be378ab571b7492e9ea81b20d80b96a7106573f94576e9f625d51954c

SHA512
a54009d3080dfc723c066037c156b6ea8c1f6d6bc703f2313eff11f917bcb624794d6a4d596920a1372f9935642afe7afb911c28d311d5e2069e62c49c592667

Download Submit
C:\Users\Admin\AppData\Local\Temp\HxvwKUv1my.bat
Filesize
262B

MD5
4c9725407de2d16deb3557b441b386da

SHA1
20ff953ea759c282a155b53f27edd5657d5233bb

SHA256
f4f1bc2496001f356fe4ba6b3864aeaaf7c465391fa0604c76ea7f42973e00c8

SHA512
36b588aa5d3b75b2e48dacccc62d239c980b24ac32df9d7770117b56716fe7f4e6db7c4e26b6270076097bd1c5770fe2df19ed51804e310f0d4191c4eb20d508

Download Submit
C:\Users\Admin\AppData\Local\Temp\VOBinTamT0.bat
Filesize
262B

MD5
61ecd70f47f3ea1a5855e8ea090fd258

SHA1
bde23ba6fb29bf765d63793d6891558ac0efd255

SHA256
42669ef9c11d66ce3e69b211699b7b1d5e906f4bcdb2bcf068792d742d1b5b5b

SHA512
c8f36fb362d8eff4b21494e40ea27ff95497ae6ac0c966aa5fd638a6d6791d1bb0ee5aa6b253dd10a6570c6af153b04f097c60444b0351c2f42319ee70f8510c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_n4kllmwy.uym.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ndJJnAP553.bat
Filesize
262B

MD5
c74002f0254ec602a6f27d31ed6a7c64

SHA1
c53be938771625b9ecb71495bbcf8a41c2548616

SHA256
dd56d7bd80d0a46901935a9f0ad717e761c259d2b09e17a0e7117864dcb85eb3

SHA512
9ed70b391eb4b97f964557d9dde66878680d9905d0d5a3aaea3347327320d52201652beef1f728405401c39ee60ace7910a01f48941f85b36cd12221be9eb999

Download Submit
C:\Users\Admin\AppData\Local\Temp\sqR4HfFLWG.bat
Filesize
262B

MD5
49e2db4c8765ed8438e3b6f433125e6a

SHA1
5005432d525a7a115e39a8080fa0ef3125867d69

SHA256
07ed4a0a9b7cc073311bcf326d6b30d1c9bc551775b8cfd5c2717dad4372468a

SHA512
6dbdae92da6ba52eaa95feada0c3888dfc5980ee46db7215f8f4f5a2b4bacebccc0098062a5f21fa5f2716a7ec13ab45feb59d944c8f0a6da0097ef8734ecc47

Download Submit
C:\Users\Admin\AppData\Local\conhost.exe
Filesize
348KB

MD5
d3e3cfee773a8fa621e4f2c521fe816a

SHA1
9e257c459d9a618c31ce38fdda215f8d5683ca0a

SHA256
91a3854fe58239785e20f3895943ac065f162ce521928f6026f25727566a1c92

SHA512
3c5dfa9965231d1358f32d01ee58e7aa2ecf3ccdf6142aed40e7ea01052379becbdd119fde0fdee8d697a28aebba282d0034d69d92332ef959f85c7be82c33af

Download Submit
C:\Users\Admin\AppData\Local\sihost.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\driverSaves\LHhDtlPF.vbe
Filesize
197B

MD5
d54777130b957cce5fd98b014f22692b

SHA1
d4b1c5213c32b5d50535f5532a68fce906cd34a6

SHA256
b23e310e937017998d80569f06c4c2de1098bb8a313167332036ec4f77d75957

SHA512
0193afdbf04ae421a44133c41576e0bf719e9ea2c3044d7f75c0dc59bbe9565c04ebe942ccf5f4fea123b4073c51a51b8319b3b85ae5b683e38ae51e14f25232

Download Submit
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
Filesize
339KB

MD5
b02475cd29f1991416ccba2136df027c

SHA1
a9d1bb2fda0a83a8b0cdd4d60b8a6dde0d6a7977

SHA256
2d90c4175210e3360f8fda70f24eef5ef53c57dce19e3cc19a30c6672e92c647

SHA512
26ae0ac48ad7af18c62931db59f8659e1814dd958000fcadcd096817b2b93bcfb2d1c6029853a73e900f96e433484139c23e229ff5988012a35a1a8caa42a231

Download Submit
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
Filesize
195KB

MD5
2c850194f2da574c23e9235b904dc8b4

SHA1
0261d912975e83e2ebaf125abb9494298657908f

SHA256
71a111ccb00a7542fafdbf807c746a6ec1154015da772338d0d2c51855fd982c

SHA512
f461c2bfc2d11c81f35cac6fc1b5876f56c7d7da5223fba420a951be53ab54047ed741c995d7b0dec08e4f7054c62a48a2d414bc53216f5cc195e22358507ff9

Download Submit
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
Filesize
540KB

MD5
b97201aa9ebe096879da2406370b12bb

SHA1
371125d1d82e0b399a3ab1b67813949e915611ef

SHA256
52cdb8f2974ee6a4ffc0463e7e0841d89bd485112ac674fb8b66e98b5ce3627e

SHA512
e711238a5c504514dd6130613071faa06ec454811c8782ab1c1d91fc1be71f0dd2b5c790fed17657b58c651d1f241d6c6aaa380774cdb772985ef83f82c047c9

Download Submit
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
Filesize
443KB

MD5
5764904425a00203fd5be8211a9c753d

SHA1
0a709c95894171816b76ee1817a4b56abbb1f54c

SHA256
1f00b4a4e8c51ca0783b0d15eee5eea20ab527a93bf7814249c3a9ebf6e0cc68

SHA512
1df4125e4a66c6a428596b988eae1771d68cee234bb0a72160c11083d780d7899707cda73d996e7f54c790cbff0b1376d01431a7ebc5b1a5dd06ed4d2cdc9379

Download Submit
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
Filesize
201KB

MD5
a345e143a61be385d2b19871b10aeab4

SHA1
ff848b6c91b82c5942535f21a92bc225a39d113d

SHA256
46bf528b5e336f2a05ff73891650d5434b056c89615913c9c3894479a1ef35b4

SHA512
e0b22c83e1cb76a46422d3d03bd2c7cacce3e213e4741a5d2e2ee618b352df1aaa80ef7e6f8499c80356f926975679ca6c70beac1a7490b39dc96218d3007d94

Download Submit
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
Filesize
96KB

MD5
900ed6e99c1533c26db6bdb6c2956e96

SHA1
a2dcc8693808732e5ded3b61812a95f9a9728da9

SHA256
cad31ad3526d8d1ed9f55938ce3d522fc640b1a7e5f2b3744db4e6f77e4d2083

SHA512
aebab9472466461b0531b56cb9a973177783d1b8efcff809e4f7c6f1678187b73fad75d103497974eeed693980884bf78a45731f893460e4bff206b36dc75369

Download Submit
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
Filesize
397KB

MD5
61630d028a8fc8699b24d962c9026cef

SHA1
6568487dfef9968d25991b330053a4cacdb250c3

SHA256
81723cfb4a24893d3b0c02dddff0afc725df0d4b38df7fc397c0b7a5e227ec17

SHA512
e3c8d9084bef72f406435d50de1161f7b508bda87388cd41a1237fc8da3a2aa789a65c70bfa1944875f27d31f87c46473004c6d1f566b23a56738ef43b2fa37b

Download Submit
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
Filesize
1.1MB

MD5
54f65064c78656d0f9d8ea838682481e

SHA1
2d0700c2ed2e8bdc7f3017f9630c7a8104108e71

SHA256
f9167e3b80dd8d2047ecc695558cffaf5871d48659dd68f9e49c7b2709f6acad

SHA512
8b35076cca8e83de3cfe6c51eeff194e37fcf773af948a45767ccede36d4efea2bbc65b127305f8467b74479549006a00518bb3ca42560300342e9c19c1a7f12

Download Submit
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
Filesize
187KB

MD5
46891f53bf371cf3c599316e3a8f1690

SHA1
5983f7ce467f7b3d612b6e61cf5553d151c8c194

SHA256
286521cd14d89355b85d13fe94d3cf6e48153082b5b92474347e4f69c64d4ee7

SHA512
24b4dc844c687f0aa586ca2ea9e28169dc7cbb3e15ec759f53121a09abdb2ac8840d9df53a7ba638b6e97ac190bf56659438ce8bce2ce6ed5f061f9041d91e00

Download Submit
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
Filesize
416KB

MD5
715f094789550625318cb630dfaf5cdb

SHA1
6a51122002731f01b7a7f78926b6546d5300facd

SHA256
0d86557152fa74ffab9150e63fec6d5df877450fc5611c965510e5d35749e498

SHA512
5a2b5c60ea1fc393c928c60a54aa0651cd790550696b182d53a9b916884409acfc80866e756193dc13857447f0c14b471251460fecef7a6c166c54ac185178d4

Download Submit
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
Filesize
302KB

MD5
9d85136a83f428c74169fd8109603793

SHA1
ee5ab927f37e556b213a56182b134c3239c565ac

SHA256
17dd9fee909422c9f6a7d9b5fed3292675999196254b0a6b21f21a88d8fde439

SHA512
2844806c3cf71a643570e09aa0ef705e44a8dd272d7b431ecdfe9d1921ccf39329e23934b2fc42c125b69ce20056b4feb0845ae23efa18f6506dba5c20aab0d4

Download Submit
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
Filesize
697KB

MD5
fa3d853a26b2efde7f54d52ed330417f

SHA1
a34441b374deebdd7e50cc9444141931582aaf6d

SHA256
c6f2cda02a31e275b88a83643e9fe99b173a4d22023ce28cb51771c4bd10da5b

SHA512
f562cfd229e57928b6d78e25ca0fd08c86752f879a4e075cd092dc6425d008ea42889c22b7c26d5abfc10070d448b2ef5ab44464da8a03144aa9d7ae97a1e30c

Download Submit
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
Filesize
483KB

MD5
2c4dd87f8aa4067fd9e2074de7f4df2f

SHA1
36b76d3d98614172fe00e69f59c8a037be5b50d0

SHA256
774185516f0b5c9f9e6b16f99d9680fca2d3a7a2296d5f1c0876953c549f582b

SHA512
cd2bf5e3d35daa1c4e2922e9b2f0fa09f11ea9e2ccd131ced8729cbe5c25e47b5eddb23abed929c63e8de74059c360f0e8553da91fafa0abbce0607bbe649002

Download Submit
C:\driverSaves\elBs4FCCK.bat
Filesize
48B

MD5
0407b07db5462f371d0d7f737ebf973a

SHA1
11dd83edf63febdf2ea0935e8e7b2519a610738b

SHA256
7b0b55005ae6b1a19be753db6670fc86088a6618888eb7780566ff0ce122a8ec

SHA512
ef5cbed89e0b72627a2345b6a0a0aa7690b4e9991816794e50b6125d78a1e2e9d6268216ae14397d14cb67f9c78ef1ef0c5ad2913f1d7b3d57a125f872267474

Download Submit
C:\driverSaves\mKLt1agSNSLByUmKEYd.bat
Filesize
159B

MD5
6c33c4c06022c7bbafc1d01caedd0abe

SHA1
3f6e17989ce3a09d183adc2380c659525a67ca0a

SHA256
f78fccb7e0e0d6b89508758a739041ff31526ead74167d22f2aa754db19f6dfc

SHA512
e1f0a27d5c459bdf865612a513d62bd0d6ef7ba649c7f4fac003e6d684cad6e3469b532c0e8689589bdb8ccc0b3d7442f875e97cfec9105481b6b5733f8137b0

Download Submit
memory/404-58-0x00007FFCC9D80000-0x00007FFCCA841000-memory.dmp

Filesize
10.8MB

Download
memory/404-52-0x000000001B140000-0x000000001B150000-memory.dmp

Filesize
64KB

Download
memory/404-51-0x00007FFCC9D80000-0x00007FFCCA841000-memory.dmp

Filesize
10.8MB

Download
memory/1208-157-0x00007FFCC9E30000-0x00007FFCCA8F1000-memory.dmp

Filesize
10.8MB

Download
memory/1208-150-0x00007FFCC9E30000-0x00007FFCCA8F1000-memory.dmp

Filesize
10.8MB

Download
memory/1208-151-0x000000001B9B0000-0x000000001B9C0000-memory.dmp

Filesize
64KB

Download
memory/1496-44-0x0000000006530000-0x000000000657C000-memory.dmp

Filesize
304KB

Download
memory/1496-37-0x0000000006030000-0x0000000006384000-memory.dmp

Filesize
3.3MB

Download
memory/1496-75-0x0000000002FC0000-0x0000000002FD0000-memory.dmp

Filesize
64KB

Download
memory/1496-55-0x0000000002FC0000-0x0000000002FD0000-memory.dmp

Filesize
64KB

Download
memory/1496-23-0x0000000002FC0000-0x0000000002FD0000-memory.dmp

Filesize
64KB

Download
memory/1496-25-0x0000000005620000-0x0000000005642000-memory.dmp

Filesize
136KB

Download
memory/1496-22-0x0000000074A90000-0x0000000075240000-memory.dmp

Filesize
7.7MB

Download
memory/1496-57-0x0000000002FC0000-0x0000000002FD0000-memory.dmp

Filesize
64KB

Download
memory/1496-61-0x0000000002FC0000-0x0000000002FD0000-memory.dmp

Filesize
64KB

Download
memory/1496-40-0x00000000064F0000-0x000000000650E000-memory.dmp

Filesize
120KB

Download
memory/1496-59-0x0000000074A90000-0x0000000075240000-memory.dmp

Filesize
7.7MB

Download
memory/1496-26-0x00000000057C0000-0x0000000005826000-memory.dmp

Filesize
408KB

Download
memory/1496-27-0x0000000005EC0000-0x0000000005F26000-memory.dmp

Filesize
408KB

Download
memory/1496-18-0x0000000002EF0000-0x0000000002F26000-memory.dmp

Filesize
216KB

Download
memory/1496-20-0x0000000002FC0000-0x0000000002FD0000-memory.dmp

Filesize
64KB

Download
memory/1496-21-0x0000000005890000-0x0000000005EB8000-memory.dmp

Filesize
6.2MB

Download
memory/2700-159-0x000000001B4B0000-0x000000001B4C0000-memory.dmp

Filesize
64KB

Download
memory/2700-163-0x00007FFCC9E30000-0x00007FFCCA8F1000-memory.dmp

Filesize
10.8MB

Download
memory/2700-158-0x00007FFCC9E30000-0x00007FFCCA8F1000-memory.dmp

Filesize
10.8MB

Download
memory/3216-113-0x000000001B420000-0x000000001B430000-memory.dmp

Filesize
64KB

Download
memory/3216-112-0x00007FFCC9E30000-0x00007FFCCA8F1000-memory.dmp

Filesize
10.8MB

Download
memory/3216-121-0x00007FFCC9E30000-0x00007FFCCA8F1000-memory.dmp

Filesize
10.8MB

Download
memory/3440-145-0x00000000026D0000-0x00000000026E0000-memory.dmp

Filesize
64KB

Download
memory/3440-149-0x00007FFCC9E30000-0x00007FFCCA8F1000-memory.dmp

Filesize
10.8MB

Download
memory/3440-143-0x00007FFCC9E30000-0x00007FFCCA8F1000-memory.dmp

Filesize
10.8MB

Download
memory/3808-123-0x00007FFCC9E30000-0x00007FFCCA8F1000-memory.dmp

Filesize
10.8MB

Download
memory/3808-124-0x0000000002D00000-0x0000000002D10000-memory.dmp

Filesize
64KB

Download
memory/3808-133-0x00007FFCC9E30000-0x00007FFCCA8F1000-memory.dmp

Filesize
10.8MB

Download
memory/3808-136-0x00007FFCC9E30000-0x00007FFCCA8F1000-memory.dmp

Filesize
10.8MB

Download
memory/3892-47-0x00007FFCC9D80000-0x00007FFCCA841000-memory.dmp

Filesize
10.8MB

Download
memory/3892-19-0x00007FFCC9D80000-0x00007FFCCA841000-memory.dmp

Filesize
10.8MB

Download
memory/3892-17-0x0000000000F40000-0x0000000001066000-memory.dmp

Filesize
1.1MB

Download
memory/3892-24-0x000000001BEB0000-0x000000001BEC0000-memory.dmp

Filesize
64KB

Download
memory/4320-72-0x000000001BEF0000-0x000000001BF00000-memory.dmp

Filesize
64KB

Download
memory/4320-82-0x00007FFCC9D80000-0x00007FFCCA841000-memory.dmp

Filesize
10.8MB

Download
memory/4320-71-0x00007FFCC9D80000-0x00007FFCCA841000-memory.dmp

Filesize
10.8MB

Download
memory/4440-102-0x000000001B290000-0x000000001B2A0000-memory.dmp

Filesize
64KB

Download
memory/4440-101-0x00007FFCC9E30000-0x00007FFCCA8F1000-memory.dmp

Filesize
10.8MB

Download
memory/4440-110-0x00007FFCC9E30000-0x00007FFCCA8F1000-memory.dmp

Filesize
10.8MB

Download
memory/4736-144-0x00007FFCC9E30000-0x00007FFCCA8F1000-memory.dmp

Filesize
10.8MB

Download
memory/4736-139-0x000000001BB70000-0x000000001BB80000-memory.dmp

Filesize
64KB

Download
memory/4736-138-0x00007FFCC9E30000-0x00007FFCCA8F1000-memory.dmp

Filesize
10.8MB

Download
memory/4748-95-0x00007FFCC9E30000-0x00007FFCCA8F1000-memory.dmp

Filesize
10.8MB

Download
memory/4748-99-0x00007FFCC9E30000-0x00007FFCCA8F1000-memory.dmp

Filesize
10.8MB

Download
memory/4748-96-0x000000001BAA0000-0x000000001BAB0000-memory.dmp

Filesize
64KB

Download
memory/4788-69-0x00007FFCC9D80000-0x00007FFCCA841000-memory.dmp

Filesize
10.8MB

Download
memory/4788-60-0x00007FFCC9D80000-0x00007FFCCA841000-memory.dmp

Filesize
10.8MB

Download
memory/4860-164-0x00007FFCC9E30000-0x00007FFCCA8F1000-memory.dmp

Filesize
10.8MB

Download
memory/4860-165-0x000000001AF70000-0x000000001AF80000-memory.dmp

Filesize
64KB

Download