dcrat | aec009724ba208376f91cbfafd60db1e965f9016f17f14bfb3b074dde1f6ae28

Analysis

max time kernel
148s
max time network
122s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
18/05/2024, 01:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

aec009724ba208376f91cbfafd60db1e965f9016f17f14bfb3b074dde1f6ae28.exe
Size

19.8MB
MD5

3969991942bb5b6130977411ae258ab8
SHA1

c391e670488d73dc79c2acfab1e845d9c3e5227e
SHA256

aec009724ba208376f91cbfafd60db1e965f9016f17f14bfb3b074dde1f6ae28
SHA512

ce009d113cd85629cb744c0e30fecc9cb1f3bc353b546eab676604a3eec976c5f0dc60cb29b7f4841bb71bb7596128340d1b222408c9aeeb9f9671d1a1add00a
SSDEEP

393216:O581WtclJGQ9GnlC58mn3yJQjNKlgtcTuOYTmWYlY5nGPEy+tj7NJX:OeWgdGnlCqm3vKCTmpY5Py+r

Score

10^/10

dcrat umbral xworm execution infostealer rat stealer trojan

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1221847080373584144/7stbODqa-C2IH_V1s7-AaD6fECqR68YLov_s341xewFGvFGlgl7fRFcAsV3CtRNlSgzQ

Extracted

Family

xworm

127.0.0.1:30683

operating-niger.gl.at.ply.gg:30683:30683

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/memory/2652-18-0x0000000000F80000-0x0000000000FC0000-memory.dmp	family_umbral
behavioral1/files/0x0007000000015c85-17.dat	family_umbral

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00070000000161b3-38.dat	family_xworm
behavioral1/memory/2968-39-0x0000000000AC0000-0x0000000000AD6000-memory.dmp	family_xworm

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1552	1776	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1580	1776	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	1776	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	1776	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	1776	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	644	1776	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	540	1776	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1244	1776	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	976	1776	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1056	1776	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	804	1776	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1100	1776	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1824	1776	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	452	1776	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1368	1776	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	1776	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	1776	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1876	1776	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1344	1776	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	1776	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	624	1776	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	708	1776	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	1776	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	884	1776	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	1776	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	1776	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	1776	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	1776	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	1776	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	1776	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1840	1776	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1772	1776	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	1776	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	1776	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	1776	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	1776	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	1776	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	1776	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	1776	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1908	1776	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2408	1776	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	1776	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	1776	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	1776	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	792	1776	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1268	1776	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	904	1776	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	1776	schtasks.exe	37

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0032000000015ba8-14.dat	dcrat
behavioral1/files/0x0007000000015cb0-55.dat	dcrat
behavioral1/memory/2524-56-0x0000000000A30000-0x0000000000B06000-memory.dmp	dcrat
behavioral1/memory/2504-123-0x0000000000D80000-0x0000000000E56000-memory.dmp	dcrat

Detects Windows executables referencing non-Windows User-Agents 2 IoCs

resource	yara_rule
behavioral1/files/0x00070000000161b3-38.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2968-39-0x0000000000AC0000-0x0000000000AD6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Detects executables attemping to enumerate video devices using WMI 2 IoCs

resource	yara_rule
behavioral1/memory/2652-18-0x0000000000F80000-0x0000000000FC0000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice
behavioral1/files/0x0007000000015c85-17.dat	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice

Detects executables containing possible sandbox analysis VM names 2 IoCs

resource	yara_rule
behavioral1/memory/2652-18-0x0000000000F80000-0x0000000000FC0000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxComputerNames
behavioral1/files/0x0007000000015c85-17.dat	INDICATOR_SUSPICIOUS_EXE_SandboxComputerNames

Detects executables containing possible sandbox analysis VM usernames 2 IoCs

resource	yara_rule
behavioral1/memory/2652-18-0x0000000000F80000-0x0000000000FC0000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/files/0x0007000000015c85-17.dat	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames

Detects executables containing possible sandbox system UUIDs 2 IoCs

resource	yara_rule
behavioral1/memory/2652-18-0x0000000000F80000-0x0000000000FC0000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxSystemUUIDs
behavioral1/files/0x0007000000015c85-17.dat	INDICATOR_SUSPICIOUS_EXE_SandboxSystemUUIDs

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2008	powershell.exe
1548	powershell.exe
1504	powershell.exe
2060	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	LoaderMas.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	LoaderMas.exe

Executes dropped EXE 7 IoCs

pid	Process
2640	Nursultan (17).exe
2584	t.bat
2652	Umbral.exe
2500	Nursultan.exe
2968	LoaderMas.exe
2524	Chainprovider.exe
2504	explorer.exe

Loads dropped DLL 3 IoCs

pid	Process
2640	Nursultan (17).exe
2012	cmd.exe
2012	cmd.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	ip-api.com

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Media Player\en-US\sppsvc.exe	Chainprovider.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\0a1fd5f707cd16	Chainprovider.exe
File created	C:\Program Files\Uninstall Information\lsass.exe	Chainprovider.exe
File created	C:\Program Files\Uninstall Information\6203df4a6bafc7	Chainprovider.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\Chainprovider.exe	Chainprovider.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\79ee6d3de8e076	Chainprovider.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\cmd.exe	Chainprovider.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\ebf1f9fa8afd6d	Chainprovider.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Migration\lsm.exe	Chainprovider.exe
File created	C:\Windows\Migration\101b941d020240	Chainprovider.exe
File created	C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\csrss.exe	Chainprovider.exe
File created	C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\886983d96e3d3e	Chainprovider.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
644	schtasks.exe
976	schtasks.exe
2836	schtasks.exe
2676	schtasks.exe
2912	schtasks.exe
2088	schtasks.exe
2220	schtasks.exe
2292	schtasks.exe
1796	schtasks.exe
884	schtasks.exe
3024	schtasks.exe
1772	schtasks.exe
1908	schtasks.exe
1532	schtasks.exe
1368	schtasks.exe
708	schtasks.exe
1268	schtasks.exe
1824	schtasks.exe
624	schtasks.exe
2936	schtasks.exe
2772	schtasks.exe
2996	schtasks.exe
904	schtasks.exe
1552	schtasks.exe
1056	schtasks.exe
804	schtasks.exe
2408	schtasks.exe
1684	schtasks.exe
1244	schtasks.exe
452	schtasks.exe
1876	schtasks.exe
1344	schtasks.exe
2604	schtasks.exe
1580	schtasks.exe
2436	schtasks.exe
540	schtasks.exe
3048	schtasks.exe
2168	schtasks.exe
1840	schtasks.exe
1628	schtasks.exe
792	schtasks.exe
2284	schtasks.exe
1100	schtasks.exe
1680	schtasks.exe
1524	schtasks.exe
2736	schtasks.exe
2908	schtasks.exe
2412	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2500	Nursultan.exe
2524	Chainprovider.exe
2524	Chainprovider.exe
2524	Chainprovider.exe
2008	powershell.exe
1548	powershell.exe
1504	powershell.exe
2060	powershell.exe
2968	LoaderMas.exe
2504	explorer.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

description	pid	Process
Token: SeDebugPrivilege	2652	Umbral.exe
Token: SeDebugPrivilege	2968	LoaderMas.exe
Token: SeIncreaseQuotaPrivilege	2932	wmic.exe
Token: SeSecurityPrivilege	2932	wmic.exe
Token: SeTakeOwnershipPrivilege	2932	wmic.exe
Token: SeLoadDriverPrivilege	2932	wmic.exe
Token: SeSystemProfilePrivilege	2932	wmic.exe
Token: SeSystemtimePrivilege	2932	wmic.exe
Token: SeProfSingleProcessPrivilege	2932	wmic.exe
Token: SeIncBasePriorityPrivilege	2932	wmic.exe
Token: SeCreatePagefilePrivilege	2932	wmic.exe
Token: SeBackupPrivilege	2932	wmic.exe
Token: SeRestorePrivilege	2932	wmic.exe
Token: SeShutdownPrivilege	2932	wmic.exe
Token: SeDebugPrivilege	2932	wmic.exe
Token: SeSystemEnvironmentPrivilege	2932	wmic.exe
Token: SeRemoteShutdownPrivilege	2932	wmic.exe
Token: SeUndockPrivilege	2932	wmic.exe
Token: SeManageVolumePrivilege	2932	wmic.exe
Token: 33	2932	wmic.exe
Token: 34	2932	wmic.exe
Token: 35	2932	wmic.exe
Token: SeIncreaseQuotaPrivilege	2932	wmic.exe
Token: SeSecurityPrivilege	2932	wmic.exe
Token: SeTakeOwnershipPrivilege	2932	wmic.exe
Token: SeLoadDriverPrivilege	2932	wmic.exe
Token: SeSystemProfilePrivilege	2932	wmic.exe
Token: SeSystemtimePrivilege	2932	wmic.exe
Token: SeProfSingleProcessPrivilege	2932	wmic.exe
Token: SeIncBasePriorityPrivilege	2932	wmic.exe
Token: SeCreatePagefilePrivilege	2932	wmic.exe
Token: SeBackupPrivilege	2932	wmic.exe
Token: SeRestorePrivilege	2932	wmic.exe
Token: SeShutdownPrivilege	2932	wmic.exe
Token: SeDebugPrivilege	2932	wmic.exe
Token: SeSystemEnvironmentPrivilege	2932	wmic.exe
Token: SeRemoteShutdownPrivilege	2932	wmic.exe
Token: SeUndockPrivilege	2932	wmic.exe
Token: SeManageVolumePrivilege	2932	wmic.exe
Token: 33	2932	wmic.exe
Token: 34	2932	wmic.exe
Token: 35	2932	wmic.exe
Token: SeDebugPrivilege	2524	Chainprovider.exe
Token: SeDebugPrivilege	2008	powershell.exe
Token: SeDebugPrivilege	1548	powershell.exe
Token: SeDebugPrivilege	1504	powershell.exe
Token: SeDebugPrivilege	2060	powershell.exe
Token: SeDebugPrivilege	2968	LoaderMas.exe
Token: SeDebugPrivilege	2504	explorer.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2968	LoaderMas.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 3000 wrote to memory of 2640	3000	aec009724ba208376f91cbfafd60db1e965f9016f17f14bfb3b074dde1f6ae28.exe	28
PID 3000 wrote to memory of 2640	3000	aec009724ba208376f91cbfafd60db1e965f9016f17f14bfb3b074dde1f6ae28.exe	28
PID 3000 wrote to memory of 2640	3000	aec009724ba208376f91cbfafd60db1e965f9016f17f14bfb3b074dde1f6ae28.exe	28
PID 3000 wrote to memory of 2584	3000	aec009724ba208376f91cbfafd60db1e965f9016f17f14bfb3b074dde1f6ae28.exe	29
PID 3000 wrote to memory of 2584	3000	aec009724ba208376f91cbfafd60db1e965f9016f17f14bfb3b074dde1f6ae28.exe	29
PID 3000 wrote to memory of 2584	3000	aec009724ba208376f91cbfafd60db1e965f9016f17f14bfb3b074dde1f6ae28.exe	29
PID 3000 wrote to memory of 2584	3000	aec009724ba208376f91cbfafd60db1e965f9016f17f14bfb3b074dde1f6ae28.exe	29
PID 3000 wrote to memory of 2652	3000	aec009724ba208376f91cbfafd60db1e965f9016f17f14bfb3b074dde1f6ae28.exe	90
PID 3000 wrote to memory of 2652	3000	aec009724ba208376f91cbfafd60db1e965f9016f17f14bfb3b074dde1f6ae28.exe	90
PID 3000 wrote to memory of 2652	3000	aec009724ba208376f91cbfafd60db1e965f9016f17f14bfb3b074dde1f6ae28.exe	90
PID 2584 wrote to memory of 2288	2584	t.bat	31
PID 2584 wrote to memory of 2288	2584	t.bat	31
PID 2584 wrote to memory of 2288	2584	t.bat	31
PID 2584 wrote to memory of 2288	2584	t.bat	31
PID 2640 wrote to memory of 2500	2640	Nursultan (17).exe	32
PID 2640 wrote to memory of 2500	2640	Nursultan (17).exe	32
PID 2640 wrote to memory of 2500	2640	Nursultan (17).exe	32
PID 2640 wrote to memory of 2968	2640	Nursultan (17).exe	34
PID 2640 wrote to memory of 2968	2640	Nursultan (17).exe	34
PID 2640 wrote to memory of 2968	2640	Nursultan (17).exe	34
PID 2652 wrote to memory of 2932	2652	Umbral.exe	35
PID 2652 wrote to memory of 2932	2652	Umbral.exe	35
PID 2652 wrote to memory of 2932	2652	Umbral.exe	35
PID 2288 wrote to memory of 2012	2288	WScript.exe	38
PID 2288 wrote to memory of 2012	2288	WScript.exe	38
PID 2288 wrote to memory of 2012	2288	WScript.exe	38
PID 2288 wrote to memory of 2012	2288	WScript.exe	38
PID 2012 wrote to memory of 2524	2012	cmd.exe	40
PID 2012 wrote to memory of 2524	2012	cmd.exe	40
PID 2012 wrote to memory of 2524	2012	cmd.exe	40
PID 2012 wrote to memory of 2524	2012	cmd.exe	40
PID 2524 wrote to memory of 2724	2524	Chainprovider.exe	89
PID 2524 wrote to memory of 2724	2524	Chainprovider.exe	89
PID 2524 wrote to memory of 2724	2524	Chainprovider.exe	89
PID 2724 wrote to memory of 1888	2724	cmd.exe	91
PID 2724 wrote to memory of 1888	2724	cmd.exe	91
PID 2724 wrote to memory of 1888	2724	cmd.exe	91
PID 2968 wrote to memory of 2008	2968	LoaderMas.exe	92
PID 2968 wrote to memory of 2008	2968	LoaderMas.exe	92
PID 2968 wrote to memory of 2008	2968	LoaderMas.exe	92
PID 2968 wrote to memory of 1548	2968	LoaderMas.exe	94
PID 2968 wrote to memory of 1548	2968	LoaderMas.exe	94
PID 2968 wrote to memory of 1548	2968	LoaderMas.exe	94
PID 2968 wrote to memory of 1504	2968	LoaderMas.exe	96
PID 2968 wrote to memory of 1504	2968	LoaderMas.exe	96
PID 2968 wrote to memory of 1504	2968	LoaderMas.exe	96
PID 2968 wrote to memory of 2060	2968	LoaderMas.exe	98
PID 2968 wrote to memory of 2060	2968	LoaderMas.exe	98
PID 2968 wrote to memory of 2060	2968	LoaderMas.exe	98
PID 2724 wrote to memory of 2504	2724	cmd.exe	100
PID 2724 wrote to memory of 2504	2724	cmd.exe	100
PID 2724 wrote to memory of 2504	2724	cmd.exe	100

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\aec009724ba208376f91cbfafd60db1e965f9016f17f14bfb3b074dde1f6ae28.exe
"C:\Users\Admin\AppData\Local\Temp\aec009724ba208376f91cbfafd60db1e965f9016f17f14bfb3b074dde1f6ae28.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3000
- C:\Users\Admin\AppData\Roaming\Nursultan (17).exe
  "C:\Users\Admin\AppData\Roaming\Nursultan (17).exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2640
- - C:\Users\Admin\AppData\Roaming\Nursultan.exe
    "C:\Users\Admin\AppData\Roaming\Nursultan.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2500
- - C:\Users\Admin\AppData\Roaming\LoaderMas.exe
    "C:\Users\Admin\AppData\Roaming\LoaderMas.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2968
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\LoaderMas.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2008
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'LoaderMas.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1548
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1504
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2060
- C:\Users\Admin\AppData\Roaming\t.bat
  "C:\Users\Admin\AppData\Roaming\t.bat"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2584
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\perfdhcpSvc\LUps3wjkA6jhdk7xRy8J55z2u.vbe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2288
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\perfdhcpSvc\mStUjP0ksX5N.bat" "
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2012
    - - C:\perfdhcpSvc\Chainprovider.exe
        
        "C:\perfdhcpSvc\Chainprovider.exe"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2524
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tCfASm4EcR.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2724
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1888
        
        C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\explorer.exe
        
        "C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\explorer.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2504
- C:\Users\Admin\AppData\Roaming\Umbral.exe
  "C:\Users\Admin\AppData\Roaming\Umbral.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2652
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Nurik\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Nurik\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Nurik\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ChainproviderC" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\Chainprovider.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Chainprovider" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\Chainprovider.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ChainproviderC" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\Chainprovider.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Media Player\en-US\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\en-US\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Media Player\en-US\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "NursultanN" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Cookies\Nursultan.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Nursultan" /sc ONLOGON /tr "'C:\Users\Default\Cookies\Nursultan.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "NursultanN" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Cookies\Nursultan.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Nurik\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Nurik\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Nurik\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Media Player\en-US\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\en-US\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Media Player\en-US\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Nurik\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Nurik\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Nurik\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Saved Games\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Admin\Saved Games\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Saved Games\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Start Menu\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Admin\Start Menu\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Start Menu\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files\Uninstall Information\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files\Uninstall Information\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Windows\Migration\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\Migration\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Windows\Migration\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Nurik\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Nurik\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Nurik\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Documents\My Pictures\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Pictures\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Documents\My Pictures\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2908

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1844552083-10517693271624062642936246513-358984214-162227279213917191172133264457"
1⤵
PID:2652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tCfASm4EcR.bat

Filesize
226B

MD5
fefb62df5510e283daa8d32f425e7382

SHA1
a52da39d21835bbbfb8a3a5f222db43e7deef2ed

SHA256
bb4913bce12a2398e0f7d64cf34d0d73fe4a511777d53ddb4135160a9accd0fc

SHA512
f77995db81f619b28fa167ea17558771558f36e8cba8bd58aede392aa2799d50f1603c114d916476076c7bec42fc03cc77d3348f3ff9d72f8970ac60f7218c28

Download Submit
C:\Users\Admin\AppData\Roaming\LoaderMas.exe

Filesize
63KB

MD5
a0dbdf3af38ead2237ccb781a098a431

SHA1
1434296af6c5530eb036718e860490e0adc3321a

SHA256
6f483da6b36646bf6f33db0c210bd3683ff29428a44d916a2f26a4240c1a9901

SHA512
dd7dc91a2e09b0c3906efbb486fb84d0289dc61338afd75d203f1ab2f49556c9523a8a9abc913363a45dde8194f5b2ee9d3d659807250047331944c39006edc3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
600fdd3e49f77ff1eb552b0fa35dd10d

SHA1
2eaf448907b20475acb2069a60d46001dc9425f8

SHA256
286ee7da0ff0fbac9771844519f3b5d31e2017d205ca91541739336ca7f0fd33

SHA512
dffe691111e43ff3be5266dcd89f3b95611d0445f2959f0a3533f1b23bd9050b2bb912fa3b447df7607ad1c19c9180b6c25881cb8743c7d0334b39550baeb670

Download Submit
C:\Users\Admin\AppData\Roaming\Nursultan (17).exe

Filesize
18.2MB

MD5
ed965403e795c3b563d67c734472ad93

SHA1
6b8b929239d5ef8f1f546c591c67acaf560de4dc

SHA256
6b7473e7177ef0666f6afe36b257d0730dababefc209ee1c5f2da319dbe1633d

SHA512
bd860103c5ac1bcc02bfefc669616a1b0103dfb3c611b0e4499cf4b1fc67d49c9cd57c1839936b75e0f0008aec0f84cb0af712feb334957972661405a137f649

Download Submit
C:\Users\Admin\AppData\Roaming\Nursultan.exe

Filesize
17.9MB

MD5
e504e3fc36fe4d6f182c98923979a779

SHA1
3ba9f1a9a15b79639a20cfcf79c9de31d15a17a6

SHA256
70b7b95bb952b3325476867307fc5bd4df5769b97bbcdd8b60e7b46e1b38e4a0

SHA512
63bbbc3ccf14b2846df64b8edae52b6431df52aa9e03569a28ca239ab02db94bf79ca8a0a30529e35a04ee5845768d752b99e6ce3830ab440c57850180ad1647

Download Submit
C:\Users\Admin\AppData\Roaming\Umbral.exe

Filesize
229KB

MD5
f48ef033300ec9fd3c77afff5c20e95f

SHA1
22d6125b980474b3f54937003a765cdd5352f9a8

SHA256
72ee11a905ca278130f02397422b4cc4944851065ce0072f9888b70c5ad40f1e

SHA512
847ee8cdb14879089c861168d6be90325304df490668a38447b37772423e6dab5e32a5df344ceb58410d3b24cf25cd7221e8768951e5aca14820996a1e8304bc

Download Submit
C:\Users\Admin\AppData\Roaming\t.bat

Filesize
1.1MB

MD5
d85bd59cf0808fb894f60773e1594a0a

SHA1
84b9d205f3ae6ca4f8f1bb938ee8b4d452444cde

SHA256
f3ef597673421e514d7fed82b40d65386c3811c4a8f5553afd59fc632bca8746

SHA512
225788e3e98449f53e6206c585315a37c9ff6ed0b5425b2a98e50c7ac45ab3c187ccf7626f126ba300bd8dbdf89c864e89f85d6264edc89281745b081ec58f97

Download Submit
C:\perfdhcpSvc\Chainprovider.exe

Filesize
827KB

MD5
d2ec227ddac047e735393e58e742fd44

SHA1
7aae5c76378f7cfcff8bb983695fa4c2577a20e2

SHA256
0e679527f2df9f87d33c82023256fac276c36006579d2d71877ccab4be847cce

SHA512
5a11b292a574bd2ca6c225af1e4c9f95004a49ce816cc59a73d4ab6e2a0b007a58ab56e5e0c004901c3ebe4ec06054e6e801f8e659711856857add6d43f38979

Download Submit
C:\perfdhcpSvc\LUps3wjkA6jhdk7xRy8J55z2u.vbe

Filesize
200B

MD5
00b53f3e200522631227cac1a07e0646

SHA1
a0c69d58c7ca10f5fd5e1320b1b2f92081d7fcfe

SHA256
486c050aadc42906113b0c5c8485dff36b0187f343a732542608a91b0565146c

SHA512
22241ae8a31c7e564c9fb652947e4fe17f80c6e94dfe1a3bb5890f6eb97797ee32ccfff5d647eef02bda31bd47c5d95521cd0c6349a01e501e6e064ea6306243

Download Submit
C:\perfdhcpSvc\mStUjP0ksX5N.bat

Filesize
34B

MD5
a9330c6da12d90d5d956ae2bbcf017d7

SHA1
7ebaa14eed80db6d9f0c0c0f1ecab1a9c3f61410

SHA256
b49853470383dce14680f656aca7ea449b1d6aabb3f18d4165ebd7e3e7545393

SHA512
557c91cc1cc0d7309f50e286644a2da543c0283d4a1659f7d31554282ddc48b5f972d98d5a01433078fdbe6cc813bb6f7c120e2307fae48c5d81be44ae823228

Download Submit
memory/1548-106-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/1548-105-0x000000001B790000-0x000000001BA72000-memory.dmp

Filesize
2.9MB

Download
memory/2008-98-0x000000001B440000-0x000000001B722000-memory.dmp

Filesize
2.9MB

Download
memory/2008-99-0x0000000002710000-0x0000000002718000-memory.dmp

Filesize
32KB

Download
memory/2500-46-0x0000000077110000-0x0000000077112000-memory.dmp

Filesize
8KB

Download
memory/2500-44-0x0000000077110000-0x0000000077112000-memory.dmp

Filesize
8KB

Download
memory/2500-42-0x0000000077110000-0x0000000077112000-memory.dmp

Filesize
8KB

Download
memory/2500-50-0x0000000140000000-0x0000000142153000-memory.dmp

Filesize
33.3MB

Download
memory/2504-123-0x0000000000D80000-0x0000000000E56000-memory.dmp

Filesize
856KB

Download
memory/2524-56-0x0000000000A30000-0x0000000000B06000-memory.dmp

Filesize
856KB

Download
memory/2640-40-0x000007FEF4E60000-0x000007FEF584C000-memory.dmp

Filesize
9.9MB

Download
memory/2640-12-0x0000000000380000-0x00000000015BA000-memory.dmp

Filesize
18.2MB

Download
memory/2640-28-0x000007FEF4E60000-0x000007FEF584C000-memory.dmp

Filesize
9.9MB

Download
memory/2652-18-0x0000000000F80000-0x0000000000FC0000-memory.dmp

Filesize
256KB

Download
memory/2968-39-0x0000000000AC0000-0x0000000000AD6000-memory.dmp

Filesize
88KB

Download
memory/3000-0-0x000007FEF4E63000-0x000007FEF4E64000-memory.dmp

Filesize
4KB

Download
memory/3000-1-0x0000000001370000-0x0000000002740000-memory.dmp

Filesize
19.8MB

Download