dcrat | a61ecbd90edbc5cc26ed5bc4ab6064ed7ae966cbf517674458d1823746df2bfd

Analysis

max time kernel
147s
max time network
127s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19-05-2024 01:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aec009724ba208376f91cbfafd60db1e965f9016f17f14bfb3b074dde1f6ae28.exe
Size

19.8MB
MD5

3969991942bb5b6130977411ae258ab8
SHA1

c391e670488d73dc79c2acfab1e845d9c3e5227e
SHA256

aec009724ba208376f91cbfafd60db1e965f9016f17f14bfb3b074dde1f6ae28
SHA512

ce009d113cd85629cb744c0e30fecc9cb1f3bc353b546eab676604a3eec976c5f0dc60cb29b7f4841bb71bb7596128340d1b222408c9aeeb9f9671d1a1add00a
SSDEEP

393216:O581WtclJGQ9GnlC58mn3yJQjNKlgtcTuOYTmWYlY5nGPEy+tj7NJX:OeWgdGnlCqm3vKCTmpY5Py+r

Score

10^/10

dcrat umbral xworm execution infostealer rat stealer trojan

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1221847080373584144/7stbODqa-C2IH_V1s7-AaD6fECqR68YLov_s341xewFGvFGlgl7fRFcAsV3CtRNlSgzQ

Extracted

Family

xworm

127.0.0.1:30683

operating-niger.gl.at.ply.gg:30683:30683

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/memory/2548-17-0x0000000000240000-0x0000000000280000-memory.dmp	family_umbral
behavioral1/files/0x0009000000015264-16.dat	family_umbral

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0006000000016d41-37.dat	family_xworm
behavioral1/memory/2412-39-0x0000000001270000-0x0000000001286000-memory.dmp	family_xworm

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1380	964	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	964	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1160	964	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1424	964	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1048	964	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1036	964	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	964	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1840	964	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	952	964	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	964	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	964	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	964	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	684	964	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	964	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	592	964	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	964	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1200	964	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1368	964	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	964	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	964	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	964	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	964	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	664	964	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	964	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1340	964	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	964	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	964	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	964	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2448	964	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	964	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	964	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	964	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	964	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	964	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	964	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	964	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	964	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2544	964	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	964	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	964	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	964	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2484	964	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	964	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	964	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	964	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	964	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	568	964	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	964	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	964	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	964	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	964	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1060	964	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	964	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2100	964	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	792	964	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	812	964	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	964	schtasks.exe	38

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0009000000014fe1-13.dat	dcrat
behavioral1/memory/1512-47-0x0000000001390000-0x0000000001466000-memory.dmp	dcrat
behavioral1/files/0x0007000000015a2d-46.dat	dcrat
behavioral1/memory/2696-127-0x0000000000040000-0x0000000000116000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2108	powershell.exe
2804	powershell.exe
848	powershell.exe
940	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	LoaderMas.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	LoaderMas.exe

Executes dropped EXE 7 IoCs

pid	Process
2116	Nursultan (17).exe
2212	t.bat
2548	Umbral.exe
2392	Nursultan.exe
2412	LoaderMas.exe
1512	Chainprovider.exe
2696	wininit.exe

Loads dropped DLL 3 IoCs

pid	Process
2116	Nursultan (17).exe
520	cmd.exe
520	cmd.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\pt-BR\sppsvc.exe	Chainprovider.exe
File created	C:\Windows\System32\pt-BR\0a1fd5f707cd16	Chainprovider.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files\DVD Maker\en-US\088424020bedd6	Chainprovider.exe
File created	C:\Program Files\Common Files\winlogon.exe	Chainprovider.exe
File created	C:\Program Files\Common Files\cc11b995f2a76d	Chainprovider.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\cmd.exe	Chainprovider.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\ebf1f9fa8afd6d	Chainprovider.exe
File created	C:\Program Files\Windows Photo Viewer\en-US\Chainprovider.exe	Chainprovider.exe
File created	C:\Program Files\Windows Photo Viewer\en-US\79ee6d3de8e076	Chainprovider.exe
File created	C:\Program Files\DVD Maker\en-US\conhost.exe	Chainprovider.exe

Drops file in Windows directory 16 IoCs

description	ioc	Process
File created	C:\Windows\en-US\8aadbff539e144	Chainprovider.exe
File created	C:\Windows\Help\Windows\it-IT\smss.exe	Chainprovider.exe
File created	C:\Windows\Branding\ShellBrd\101b941d020240	Chainprovider.exe
File created	C:\Windows\Help\Corporate\9fb6bed11c7a6f	Chainprovider.exe
File created	C:\Windows\Performance\56085415360792	Chainprovider.exe
File created	C:\Windows\Panther\actionqueue\taskhost.exe	Chainprovider.exe
File created	C:\Windows\Globalization\Sorting\0a1fd5f707cd16	Chainprovider.exe
File created	C:\Windows\Help\Windows\it-IT\69ddcba757bf72	Chainprovider.exe
File created	C:\Windows\es-ES\6cb0b6c459d5d3	Chainprovider.exe
File created	C:\Windows\Performance\wininit.exe	Chainprovider.exe
File created	C:\Windows\Panther\actionqueue\b75386f1303e64	Chainprovider.exe
File created	C:\Windows\en-US\Nursultan.exe	Chainprovider.exe
File created	C:\Windows\Branding\ShellBrd\lsm.exe	Chainprovider.exe
File created	C:\Windows\Help\Corporate\LoaderMas.exe	Chainprovider.exe
File created	C:\Windows\es-ES\dwm.exe	Chainprovider.exe
File created	C:\Windows\Globalization\Sorting\sppsvc.exe	Chainprovider.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1640	schtasks.exe
2324	schtasks.exe
2824	schtasks.exe
2200	schtasks.exe
952	schtasks.exe
1484	schtasks.exe
2116	schtasks.exe
1744	schtasks.exe
1988	schtasks.exe
1528	schtasks.exe
1060	schtasks.exe
1976	schtasks.exe
2268	schtasks.exe
2952	schtasks.exe
1752	schtasks.exe
2724	schtasks.exe
2132	schtasks.exe
2764	schtasks.exe
2544	schtasks.exe
2556	schtasks.exe
2736	schtasks.exe
2700	schtasks.exe
664	schtasks.exe
1624	schtasks.exe
2372	schtasks.exe
1608	schtasks.exe
2100	schtasks.exe
592	schtasks.exe
1368	schtasks.exe
1728	schtasks.exe
2484	schtasks.exe
1840	schtasks.exe
812	schtasks.exe
2780	schtasks.exe
1708	schtasks.exe
792	schtasks.exe
684	schtasks.exe
1200	schtasks.exe
1996	schtasks.exe
2772	schtasks.exe
2860	schtasks.exe
2156	schtasks.exe
2624	schtasks.exe
568	schtasks.exe
1048	schtasks.exe
2928	schtasks.exe
2448	schtasks.exe
1724	schtasks.exe
1160	schtasks.exe
1424	schtasks.exe
1036	schtasks.exe
2680	schtasks.exe
1380	schtasks.exe
2128	schtasks.exe
1340	schtasks.exe
3024	schtasks.exe
2692	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1512	Chainprovider.exe
2392	Nursultan.exe
2108	powershell.exe
2804	powershell.exe
848	powershell.exe
940	powershell.exe
2696	wininit.exe
2412	LoaderMas.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

description	pid	Process
Token: SeDebugPrivilege	2548	Umbral.exe
Token: SeDebugPrivilege	2412	LoaderMas.exe
Token: SeDebugPrivilege	1512	Chainprovider.exe
Token: SeDebugPrivilege	2108	powershell.exe
Token: SeDebugPrivilege	2804	powershell.exe
Token: SeDebugPrivilege	848	powershell.exe
Token: SeDebugPrivilege	940	powershell.exe
Token: SeDebugPrivilege	2696	wininit.exe
Token: SeDebugPrivilege	2412	LoaderMas.exe
Token: SeIncreaseQuotaPrivilege	2028	wmic.exe
Token: SeSecurityPrivilege	2028	wmic.exe
Token: SeTakeOwnershipPrivilege	2028	wmic.exe
Token: SeLoadDriverPrivilege	2028	wmic.exe
Token: SeSystemProfilePrivilege	2028	wmic.exe
Token: SeSystemtimePrivilege	2028	wmic.exe
Token: SeProfSingleProcessPrivilege	2028	wmic.exe
Token: SeIncBasePriorityPrivilege	2028	wmic.exe
Token: SeCreatePagefilePrivilege	2028	wmic.exe
Token: SeBackupPrivilege	2028	wmic.exe
Token: SeRestorePrivilege	2028	wmic.exe
Token: SeShutdownPrivilege	2028	wmic.exe
Token: SeDebugPrivilege	2028	wmic.exe
Token: SeSystemEnvironmentPrivilege	2028	wmic.exe
Token: SeRemoteShutdownPrivilege	2028	wmic.exe
Token: SeUndockPrivilege	2028	wmic.exe
Token: SeManageVolumePrivilege	2028	wmic.exe
Token: 33	2028	wmic.exe
Token: 34	2028	wmic.exe
Token: 35	2028	wmic.exe
Token: SeIncreaseQuotaPrivilege	2028	wmic.exe
Token: SeSecurityPrivilege	2028	wmic.exe
Token: SeTakeOwnershipPrivilege	2028	wmic.exe
Token: SeLoadDriverPrivilege	2028	wmic.exe
Token: SeSystemProfilePrivilege	2028	wmic.exe
Token: SeSystemtimePrivilege	2028	wmic.exe
Token: SeProfSingleProcessPrivilege	2028	wmic.exe
Token: SeIncBasePriorityPrivilege	2028	wmic.exe
Token: SeCreatePagefilePrivilege	2028	wmic.exe
Token: SeBackupPrivilege	2028	wmic.exe
Token: SeRestorePrivilege	2028	wmic.exe
Token: SeShutdownPrivilege	2028	wmic.exe
Token: SeDebugPrivilege	2028	wmic.exe
Token: SeSystemEnvironmentPrivilege	2028	wmic.exe
Token: SeRemoteShutdownPrivilege	2028	wmic.exe
Token: SeUndockPrivilege	2028	wmic.exe
Token: SeManageVolumePrivilege	2028	wmic.exe
Token: 33	2028	wmic.exe
Token: 34	2028	wmic.exe
Token: 35	2028	wmic.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2412	LoaderMas.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 1300 wrote to memory of 2116	1300	aec009724ba208376f91cbfafd60db1e965f9016f17f14bfb3b074dde1f6ae28.exe	83
PID 1300 wrote to memory of 2116	1300	aec009724ba208376f91cbfafd60db1e965f9016f17f14bfb3b074dde1f6ae28.exe	83
PID 1300 wrote to memory of 2116	1300	aec009724ba208376f91cbfafd60db1e965f9016f17f14bfb3b074dde1f6ae28.exe	83
PID 1300 wrote to memory of 2212	1300	aec009724ba208376f91cbfafd60db1e965f9016f17f14bfb3b074dde1f6ae28.exe	29
PID 1300 wrote to memory of 2212	1300	aec009724ba208376f91cbfafd60db1e965f9016f17f14bfb3b074dde1f6ae28.exe	29
PID 1300 wrote to memory of 2212	1300	aec009724ba208376f91cbfafd60db1e965f9016f17f14bfb3b074dde1f6ae28.exe	29
PID 1300 wrote to memory of 2212	1300	aec009724ba208376f91cbfafd60db1e965f9016f17f14bfb3b074dde1f6ae28.exe	29
PID 1300 wrote to memory of 2548	1300	aec009724ba208376f91cbfafd60db1e965f9016f17f14bfb3b074dde1f6ae28.exe	30
PID 1300 wrote to memory of 2548	1300	aec009724ba208376f91cbfafd60db1e965f9016f17f14bfb3b074dde1f6ae28.exe	30
PID 1300 wrote to memory of 2548	1300	aec009724ba208376f91cbfafd60db1e965f9016f17f14bfb3b074dde1f6ae28.exe	30
PID 2212 wrote to memory of 2496	2212	t.bat	31
PID 2212 wrote to memory of 2496	2212	t.bat	31
PID 2212 wrote to memory of 2496	2212	t.bat	31
PID 2212 wrote to memory of 2496	2212	t.bat	31
PID 2116 wrote to memory of 2392	2116	Nursultan (17).exe	32
PID 2116 wrote to memory of 2392	2116	Nursultan (17).exe	32
PID 2116 wrote to memory of 2392	2116	Nursultan (17).exe	32
PID 2116 wrote to memory of 2412	2116	Nursultan (17).exe	34
PID 2116 wrote to memory of 2412	2116	Nursultan (17).exe	34
PID 2116 wrote to memory of 2412	2116	Nursultan (17).exe	34
PID 2496 wrote to memory of 520	2496	WScript.exe	35
PID 2496 wrote to memory of 520	2496	WScript.exe	35
PID 2496 wrote to memory of 520	2496	WScript.exe	35
PID 2496 wrote to memory of 520	2496	WScript.exe	35
PID 520 wrote to memory of 1512	520	cmd.exe	37
PID 520 wrote to memory of 1512	520	cmd.exe	37
PID 520 wrote to memory of 1512	520	cmd.exe	37
PID 520 wrote to memory of 1512	520	cmd.exe	37
PID 1512 wrote to memory of 1380	1512	Chainprovider.exe	96
PID 1512 wrote to memory of 1380	1512	Chainprovider.exe	96
PID 1512 wrote to memory of 1380	1512	Chainprovider.exe	96
PID 1380 wrote to memory of 1472	1380	cmd.exe	98
PID 1380 wrote to memory of 1472	1380	cmd.exe	98
PID 1380 wrote to memory of 1472	1380	cmd.exe	98
PID 2412 wrote to memory of 2108	2412	LoaderMas.exe	99
PID 2412 wrote to memory of 2108	2412	LoaderMas.exe	99
PID 2412 wrote to memory of 2108	2412	LoaderMas.exe	99
PID 2412 wrote to memory of 2804	2412	LoaderMas.exe	101
PID 2412 wrote to memory of 2804	2412	LoaderMas.exe	101
PID 2412 wrote to memory of 2804	2412	LoaderMas.exe	101
PID 2412 wrote to memory of 848	2412	LoaderMas.exe	103
PID 2412 wrote to memory of 848	2412	LoaderMas.exe	103
PID 2412 wrote to memory of 848	2412	LoaderMas.exe	103
PID 2412 wrote to memory of 940	2412	LoaderMas.exe	106
PID 2412 wrote to memory of 940	2412	LoaderMas.exe	106
PID 2412 wrote to memory of 940	2412	LoaderMas.exe	106
PID 1380 wrote to memory of 2696	1380	cmd.exe	108
PID 1380 wrote to memory of 2696	1380	cmd.exe	108
PID 1380 wrote to memory of 2696	1380	cmd.exe	108
PID 2548 wrote to memory of 2028	2548	Umbral.exe	110
PID 2548 wrote to memory of 2028	2548	Umbral.exe	110
PID 2548 wrote to memory of 2028	2548	Umbral.exe	110

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\aec009724ba208376f91cbfafd60db1e965f9016f17f14bfb3b074dde1f6ae28.exe
"C:\Users\Admin\AppData\Local\Temp\aec009724ba208376f91cbfafd60db1e965f9016f17f14bfb3b074dde1f6ae28.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1300
- C:\Users\Admin\AppData\Roaming\Nursultan (17).exe
  "C:\Users\Admin\AppData\Roaming\Nursultan (17).exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2116
- - C:\Users\Admin\AppData\Roaming\Nursultan.exe
    "C:\Users\Admin\AppData\Roaming\Nursultan.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2392
- - C:\Users\Admin\AppData\Roaming\LoaderMas.exe
    "C:\Users\Admin\AppData\Roaming\LoaderMas.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2412
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\LoaderMas.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2108
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'LoaderMas.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2804
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:848
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:940
- C:\Users\Admin\AppData\Roaming\t.bat
  "C:\Users\Admin\AppData\Roaming\t.bat"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2212
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\perfdhcpSvc\LUps3wjkA6jhdk7xRy8J55z2u.vbe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2496
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\perfdhcpSvc\mStUjP0ksX5N.bat" "
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:520
    - - C:\perfdhcpSvc\Chainprovider.exe
        
        "C:\perfdhcpSvc\Chainprovider.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1512
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XMHatfN2ms.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1380
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1472
        
        C:\Windows\Performance\wininit.exe
        
        "C:\Windows\Performance\wininit.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2696
- C:\Users\Admin\AppData\Roaming\Umbral.exe
  "C:\Users\Admin\AppData\Roaming\Umbral.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2548
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "LoaderMasL" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\LoaderMas.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "LoaderMas" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\LoaderMas.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "LoaderMasL" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\LoaderMas.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Windows\Branding\ShellBrd\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\Branding\ShellBrd\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Windows\Branding\ShellBrd\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\perfdhcpSvc\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\perfdhcpSvc\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\perfdhcpSvc\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Common Files\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Common Files\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Common Files\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ChainproviderC" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\Chainprovider.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Chainprovider" /sc ONLOGON /tr "'C:\Users\Default User\Chainprovider.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ChainproviderC" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\Chainprovider.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "LoaderMasL" /sc MINUTE /mo 6 /tr "'C:\Windows\Help\Corporate\LoaderMas.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "LoaderMas" /sc ONLOGON /tr "'C:\Windows\Help\Corporate\LoaderMas.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "LoaderMasL" /sc MINUTE /mo 11 /tr "'C:\Windows\Help\Corporate\LoaderMas.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Windows\es-ES\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\es-ES\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Windows\es-ES\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ChainproviderC" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Photo Viewer\en-US\Chainprovider.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Chainprovider" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\en-US\Chainprovider.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ChainproviderC" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Photo Viewer\en-US\Chainprovider.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Windows\Performance\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Performance\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Windows\Performance\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Windows\Panther\actionqueue\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\Panther\actionqueue\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Windows\Panther\actionqueue\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Windows\Globalization\Sorting\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Globalization\Sorting\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Windows\Globalization\Sorting\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ChainproviderC" /sc MINUTE /mo 5 /tr "'C:\Nurik\Chainprovider.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Chainprovider" /sc ONLOGON /tr "'C:\Nurik\Chainprovider.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ChainproviderC" /sc MINUTE /mo 12 /tr "'C:\Nurik\Chainprovider.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files\DVD Maker\en-US\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\en-US\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files\DVD Maker\en-US\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Nurik\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Nurik\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Nurik\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "NursultanN" /sc MINUTE /mo 9 /tr "'C:\Windows\en-US\Nursultan.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Nursultan" /sc ONLOGON /tr "'C:\Windows\en-US\Nursultan.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "NursultanN" /sc MINUTE /mo 7 /tr "'C:\Windows\en-US\Nursultan.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Windows\Help\Windows\it-IT\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Help\Windows\it-IT\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Windows\Help\Windows\it-IT\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Windows\System32\pt-BR\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\System32\pt-BR\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Windows\System32\pt-BR\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XMHatfN2ms.bat

Filesize
199B

MD5
eecbfbd86abc36a779d1bddf6b1d7d6b

SHA1
3692b9863b3336b9f07f6c29c8a3fb27083706bd

SHA256
8fcc2d6ef2c2ee719faed94726a9024a6f959c6de8e0203f21fd4d433d8dfe7f

SHA512
f1763e3a01023daca1389addbc484567bb9dadf9e22bc35e8aa87d53ebb5c542aa9adeae5e059b59f116bb0ff870af971c1279cb3ffcb79c86099790e16d100e

Download Submit
C:\Users\Admin\AppData\Roaming\LoaderMas.exe

Filesize
63KB

MD5
a0dbdf3af38ead2237ccb781a098a431

SHA1
1434296af6c5530eb036718e860490e0adc3321a

SHA256
6f483da6b36646bf6f33db0c210bd3683ff29428a44d916a2f26a4240c1a9901

SHA512
dd7dc91a2e09b0c3906efbb486fb84d0289dc61338afd75d203f1ab2f49556c9523a8a9abc913363a45dde8194f5b2ee9d3d659807250047331944c39006edc3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7ef30f465b541b6ebc742d7e21acec95

SHA1
5f9b92013d48270c52e8a026fe0722ed1b92db98

SHA256
b8e72811635068281559ef3cf58e68551a275fc09d8de0dd6021f8dc949e3d2b

SHA512
13efb453c7c6f988d3feb6b0188a136218e773a04a1ebf07ed9f5877b02ec62efdb7b6be8be40800fcec01c570016fd67cac7d5b5a9cc5f321a7102175066028

Download Submit
C:\Users\Admin\AppData\Roaming\Nursultan (17).exe

Filesize
18.2MB

MD5
ed965403e795c3b563d67c734472ad93

SHA1
6b8b929239d5ef8f1f546c591c67acaf560de4dc

SHA256
6b7473e7177ef0666f6afe36b257d0730dababefc209ee1c5f2da319dbe1633d

SHA512
bd860103c5ac1bcc02bfefc669616a1b0103dfb3c611b0e4499cf4b1fc67d49c9cd57c1839936b75e0f0008aec0f84cb0af712feb334957972661405a137f649

Download Submit
C:\Users\Admin\AppData\Roaming\Nursultan.exe

Filesize
17.9MB

MD5
e504e3fc36fe4d6f182c98923979a779

SHA1
3ba9f1a9a15b79639a20cfcf79c9de31d15a17a6

SHA256
70b7b95bb952b3325476867307fc5bd4df5769b97bbcdd8b60e7b46e1b38e4a0

SHA512
63bbbc3ccf14b2846df64b8edae52b6431df52aa9e03569a28ca239ab02db94bf79ca8a0a30529e35a04ee5845768d752b99e6ce3830ab440c57850180ad1647

Download Submit
C:\Users\Admin\AppData\Roaming\Umbral.exe

Filesize
229KB

MD5
f48ef033300ec9fd3c77afff5c20e95f

SHA1
22d6125b980474b3f54937003a765cdd5352f9a8

SHA256
72ee11a905ca278130f02397422b4cc4944851065ce0072f9888b70c5ad40f1e

SHA512
847ee8cdb14879089c861168d6be90325304df490668a38447b37772423e6dab5e32a5df344ceb58410d3b24cf25cd7221e8768951e5aca14820996a1e8304bc

Download Submit
C:\Users\Admin\AppData\Roaming\t.bat

Filesize
1.1MB

MD5
d85bd59cf0808fb894f60773e1594a0a

SHA1
84b9d205f3ae6ca4f8f1bb938ee8b4d452444cde

SHA256
f3ef597673421e514d7fed82b40d65386c3811c4a8f5553afd59fc632bca8746

SHA512
225788e3e98449f53e6206c585315a37c9ff6ed0b5425b2a98e50c7ac45ab3c187ccf7626f126ba300bd8dbdf89c864e89f85d6264edc89281745b081ec58f97

Download Submit
C:\perfdhcpSvc\Chainprovider.exe

Filesize
827KB

MD5
d2ec227ddac047e735393e58e742fd44

SHA1
7aae5c76378f7cfcff8bb983695fa4c2577a20e2

SHA256
0e679527f2df9f87d33c82023256fac276c36006579d2d71877ccab4be847cce

SHA512
5a11b292a574bd2ca6c225af1e4c9f95004a49ce816cc59a73d4ab6e2a0b007a58ab56e5e0c004901c3ebe4ec06054e6e801f8e659711856857add6d43f38979

Download Submit
C:\perfdhcpSvc\LUps3wjkA6jhdk7xRy8J55z2u.vbe

Filesize
200B

MD5
00b53f3e200522631227cac1a07e0646

SHA1
a0c69d58c7ca10f5fd5e1320b1b2f92081d7fcfe

SHA256
486c050aadc42906113b0c5c8485dff36b0187f343a732542608a91b0565146c

SHA512
22241ae8a31c7e564c9fb652947e4fe17f80c6e94dfe1a3bb5890f6eb97797ee32ccfff5d647eef02bda31bd47c5d95521cd0c6349a01e501e6e064ea6306243

Download Submit
C:\perfdhcpSvc\mStUjP0ksX5N.bat

Filesize
34B

MD5
a9330c6da12d90d5d956ae2bbcf017d7

SHA1
7ebaa14eed80db6d9f0c0c0f1ecab1a9c3f61410

SHA256
b49853470383dce14680f656aca7ea449b1d6aabb3f18d4165ebd7e3e7545393

SHA512
557c91cc1cc0d7309f50e286644a2da543c0283d4a1659f7d31554282ddc48b5f972d98d5a01433078fdbe6cc813bb6f7c120e2307fae48c5d81be44ae823228

Download Submit
memory/848-119-0x000000001B290000-0x000000001B572000-memory.dmp

Filesize
2.9MB

Download
memory/1300-0-0x000007FEF5313000-0x000007FEF5314000-memory.dmp

Filesize
4KB

Download
memory/1300-1-0x0000000000100000-0x00000000014D0000-memory.dmp

Filesize
19.8MB

Download
memory/1512-47-0x0000000001390000-0x0000000001466000-memory.dmp

Filesize
856KB

Download
memory/2108-104-0x000000001B180000-0x000000001B462000-memory.dmp

Filesize
2.9MB

Download
memory/2108-105-0x0000000002620000-0x0000000002628000-memory.dmp

Filesize
32KB

Download
memory/2116-19-0x0000000000210000-0x000000000144A000-memory.dmp

Filesize
18.2MB

Download
memory/2116-28-0x000007FEF5310000-0x000007FEF5CFC000-memory.dmp

Filesize
9.9MB

Download
memory/2116-40-0x000007FEF5310000-0x000007FEF5CFC000-memory.dmp

Filesize
9.9MB

Download
memory/2392-52-0x0000000076FA0000-0x0000000076FA2000-memory.dmp

Filesize
8KB

Download
memory/2392-58-0x0000000140000000-0x0000000142153000-memory.dmp

Filesize
33.3MB

Download
memory/2392-54-0x0000000076FA0000-0x0000000076FA2000-memory.dmp

Filesize
8KB

Download
memory/2392-56-0x0000000076FA0000-0x0000000076FA2000-memory.dmp

Filesize
8KB

Download
memory/2412-39-0x0000000001270000-0x0000000001286000-memory.dmp

Filesize
88KB

Download
memory/2548-17-0x0000000000240000-0x0000000000280000-memory.dmp

Filesize
256KB

Download
memory/2696-127-0x0000000000040000-0x0000000000116000-memory.dmp

Filesize
856KB

Download
memory/2804-111-0x000000001B110000-0x000000001B3F2000-memory.dmp

Filesize
2.9MB

Download
memory/2804-112-0x0000000002060000-0x0000000002068000-memory.dmp

Filesize
32KB

Download