dcrat | 49691df1941f383a519f87b72d504014b93e45bbf5de5fadf2b46e9f7d3a942b

Analysis

max time kernel
152s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
27/06/2024, 04:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

076d90a3d6aea27339df2f4eec47e392.exe
Size

2.6MB
MD5

076d90a3d6aea27339df2f4eec47e392
SHA1

7647815357cd0c3138a93d814793508d2a112250
SHA256

49691df1941f383a519f87b72d504014b93e45bbf5de5fadf2b46e9f7d3a942b
SHA512

56f26340fae318934ad10dddf7d80f19088e700dd8d1474a04ea8432f47825d603a72114c02a241b8e8af297bba1a0c879daca701137aef0751c967bd02ecb6e
SSDEEP

49152:ubA3jJYqk9Fzi1PwHR0aSyOZv6TpFkKM1dvFo8drtnJrk2HrC:uboy9FzZSlhEg/1dvFNtn62W

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat 43 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		1928	schtasks.exe
File created	C:\Windows\ja-JP\29c1c3cc0f7685		ntoskrnl.exe
		2468	schtasks.exe
		4036	schtasks.exe
		4596	schtasks.exe
		644	schtasks.exe
		3684	schtasks.exe
		1912	schtasks.exe
		2196	schtasks.exe
		2868	schtasks.exe
		2484	schtasks.exe
		3864	schtasks.exe
		1548	schtasks.exe
		456	schtasks.exe
		4948	schtasks.exe
		5112	schtasks.exe
		3792	schtasks.exe
		3252	schtasks.exe
		3304	schtasks.exe
		1696	schtasks.exe
		1060	schtasks.exe
		2112	schtasks.exe
		4724	schtasks.exe
		1548	schtasks.exe
File created	C:\Windows\PrintDialog\Assets\5b884080fd4f94		ntoskrnl.exe
		884	schtasks.exe
		4748	schtasks.exe
		3784	schtasks.exe
		3008	schtasks.exe
File created	C:\Program Files\MsEdgeCrashpad\reports\27d1bcfc3c54e0		ntoskrnl.exe
		3232	schtasks.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation		076d90a3d6aea27339df2f4eec47e392.exe
		3704	schtasks.exe
		2596	schtasks.exe
		2164	schtasks.exe
		3492	schtasks.exe
		1184	schtasks.exe
		700	schtasks.exe
		2172	schtasks.exe
		1960	schtasks.exe
		3792	schtasks.exe
		4020	schtasks.exe
		2112	schtasks.exe

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3784	3540	schtasks.exe	99
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1184	3540	schtasks.exe	99
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4724	3540	schtasks.exe	99
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1548	3540	schtasks.exe	99
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	3540	schtasks.exe	99
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3304	3540	schtasks.exe	99
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4036	3540	schtasks.exe	99
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3252	3540	schtasks.exe	99
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2484	3540	schtasks.exe	99
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	884	3540	schtasks.exe	99
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4748	3540	schtasks.exe	99
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3792	3540	schtasks.exe	99
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3864	3540	schtasks.exe	99
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5112	3540	schtasks.exe	99
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	3540	schtasks.exe	99
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3232	3540	schtasks.exe	99
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3684	3540	schtasks.exe	99
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	644	3540	schtasks.exe	99
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4596	3540	schtasks.exe	99
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	456	3540	schtasks.exe	99
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	3540	schtasks.exe	99
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3704	3540	schtasks.exe	99
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	700	3540	schtasks.exe	99
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	3540	schtasks.exe	99
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4948	3540	schtasks.exe	99
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	3540	schtasks.exe	99
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	3540	schtasks.exe	99
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1548	3540	schtasks.exe	99
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1060	3540	schtasks.exe	99
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	3540	schtasks.exe	99
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	3540	schtasks.exe	99
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	3540	schtasks.exe	99
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	3540	schtasks.exe	99
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	3540	schtasks.exe	99
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	3540	schtasks.exe	99
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3792	3540	schtasks.exe	99
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4020	3540	schtasks.exe	99
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3492	3540	schtasks.exe	99
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	3540	schtasks.exe	99

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x0008000000023270-15.dat	dcrat
behavioral2/memory/2072-17-0x0000000000400000-0x0000000000652000-memory.dmp	dcrat

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	ntoskrnl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	ntoskrnl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	076d90a3d6aea27339df2f4eec47e392.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	dwm.exe

Executes dropped EXE 10 IoCs

pid	Process
2072	ntoskrnl.exe
3872	ntoskrnl.exe
1068	dwm.exe
4568	dwm.exe
4200	dwm.exe
2264	dwm.exe
5016	dwm.exe
1616	dwm.exe
1928	dwm.exe
4480	dwm.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

flow	ioc
49	pastebin.com
52	pastebin.com
57	pastebin.com
59	pastebin.com
60	pastebin.com
65	pastebin.com
46	pastebin.com
47	pastebin.com

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Defender\de-DE\RuntimeBroker.exe	ntoskrnl.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\RuntimeBroker.exe	ntoskrnl.exe
File created	C:\Program Files (x86)\Windows Defender\de-DE\9e8d7a4ca61bd9	ntoskrnl.exe
File created	C:\Program Files\dotnet\msedge.exe	ntoskrnl.exe
File created	C:\Program Files\dotnet\61a52ddc9dd915	ntoskrnl.exe
File created	C:\Program Files\MsEdgeCrashpad\reports\System.exe	ntoskrnl.exe
File created	C:\Program Files\MsEdgeCrashpad\reports\27d1bcfc3c54e0	ntoskrnl.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\ja-JP\unsecapp.exe	ntoskrnl.exe
File created	C:\Windows\ja-JP\29c1c3cc0f7685	ntoskrnl.exe
File created	C:\Windows\PrintDialog\Assets\fontdrvhost.exe	ntoskrnl.exe
File created	C:\Windows\PrintDialog\Assets\5b884080fd4f94	ntoskrnl.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	ntoskrnl.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	076d90a3d6aea27339df2f4eec47e392.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	ntoskrnl.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	dwm.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1184	schtasks.exe
3304	schtasks.exe
3008	schtasks.exe
2868	schtasks.exe
3492	schtasks.exe
884	schtasks.exe
3792	schtasks.exe
4948	schtasks.exe
1696	schtasks.exe
1960	schtasks.exe
2112	schtasks.exe
3684	schtasks.exe
456	schtasks.exe
700	schtasks.exe
2164	schtasks.exe
4020	schtasks.exe
2468	schtasks.exe
4748	schtasks.exe
3864	schtasks.exe
3232	schtasks.exe
1928	schtasks.exe
4036	schtasks.exe
3704	schtasks.exe
1060	schtasks.exe
1912	schtasks.exe
2112	schtasks.exe
3784	schtasks.exe
4724	schtasks.exe
1548	schtasks.exe
5112	schtasks.exe
2196	schtasks.exe
3252	schtasks.exe
2484	schtasks.exe
4596	schtasks.exe
2172	schtasks.exe
1548	schtasks.exe
644	schtasks.exe
2596	schtasks.exe
3792	schtasks.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
2072	ntoskrnl.exe
2072	ntoskrnl.exe
2072	ntoskrnl.exe
2072	ntoskrnl.exe
2072	ntoskrnl.exe
2072	ntoskrnl.exe
2072	ntoskrnl.exe
2072	ntoskrnl.exe
2072	ntoskrnl.exe
2072	ntoskrnl.exe
2072	ntoskrnl.exe
2072	ntoskrnl.exe
2072	ntoskrnl.exe
3872	ntoskrnl.exe
3872	ntoskrnl.exe
3872	ntoskrnl.exe
3872	ntoskrnl.exe
1068	dwm.exe
1068	dwm.exe
4568	dwm.exe
4568	dwm.exe
4200	dwm.exe
4200	dwm.exe
2264	dwm.exe
2264	dwm.exe
5016	dwm.exe
1616	dwm.exe
1928	dwm.exe
4480	dwm.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	2072	ntoskrnl.exe
Token: SeDebugPrivilege	3872	ntoskrnl.exe
Token: SeDebugPrivilege	1068	dwm.exe
Token: SeDebugPrivilege	4568	dwm.exe
Token: SeDebugPrivilege	4200	dwm.exe
Token: SeDebugPrivilege	2264	dwm.exe
Token: SeDebugPrivilege	5016	dwm.exe
Token: SeDebugPrivilege	1616	dwm.exe
Token: SeDebugPrivilege	1928	dwm.exe
Token: SeDebugPrivilege	4480	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3076 wrote to memory of 2452	3076	076d90a3d6aea27339df2f4eec47e392.exe	91
PID 3076 wrote to memory of 2452	3076	076d90a3d6aea27339df2f4eec47e392.exe	91
PID 3076 wrote to memory of 2452	3076	076d90a3d6aea27339df2f4eec47e392.exe	91
PID 3076 wrote to memory of 3184	3076	076d90a3d6aea27339df2f4eec47e392.exe	92
PID 3076 wrote to memory of 3184	3076	076d90a3d6aea27339df2f4eec47e392.exe	92
PID 3076 wrote to memory of 3184	3076	076d90a3d6aea27339df2f4eec47e392.exe	92
PID 2452 wrote to memory of 4996	2452	WScript.exe	93
PID 2452 wrote to memory of 4996	2452	WScript.exe	93
PID 2452 wrote to memory of 4996	2452	WScript.exe	93
PID 4996 wrote to memory of 2072	4996	cmd.exe	95
PID 4996 wrote to memory of 2072	4996	cmd.exe	95
PID 2072 wrote to memory of 1368	2072	ntoskrnl.exe	121
PID 2072 wrote to memory of 1368	2072	ntoskrnl.exe	121
PID 1368 wrote to memory of 4992	1368	cmd.exe	123
PID 1368 wrote to memory of 4992	1368	cmd.exe	123
PID 1368 wrote to memory of 3872	1368	cmd.exe	129
PID 1368 wrote to memory of 3872	1368	cmd.exe	129
PID 3872 wrote to memory of 644	3872	ntoskrnl.exe	148
PID 3872 wrote to memory of 644	3872	ntoskrnl.exe	148
PID 644 wrote to memory of 1928	644	cmd.exe	150
PID 644 wrote to memory of 1928	644	cmd.exe	150
PID 644 wrote to memory of 1068	644	cmd.exe	151
PID 644 wrote to memory of 1068	644	cmd.exe	151
PID 1068 wrote to memory of 3068	1068	dwm.exe	153
PID 1068 wrote to memory of 3068	1068	dwm.exe	153
PID 3068 wrote to memory of 3352	3068	cmd.exe	155
PID 3068 wrote to memory of 3352	3068	cmd.exe	155
PID 3068 wrote to memory of 4568	3068	cmd.exe	156
PID 3068 wrote to memory of 4568	3068	cmd.exe	156
PID 4568 wrote to memory of 3248	4568	dwm.exe	157
PID 4568 wrote to memory of 3248	4568	dwm.exe	157
PID 3248 wrote to memory of 4028	3248	cmd.exe	159
PID 3248 wrote to memory of 4028	3248	cmd.exe	159
PID 3248 wrote to memory of 4200	3248	cmd.exe	160
PID 3248 wrote to memory of 4200	3248	cmd.exe	160
PID 4200 wrote to memory of 3080	4200	dwm.exe	161
PID 4200 wrote to memory of 3080	4200	dwm.exe	161
PID 3080 wrote to memory of 3732	3080	cmd.exe	163
PID 3080 wrote to memory of 3732	3080	cmd.exe	163
PID 3080 wrote to memory of 2264	3080	cmd.exe	164
PID 3080 wrote to memory of 2264	3080	cmd.exe	164
PID 2264 wrote to memory of 948	2264	dwm.exe	165
PID 2264 wrote to memory of 948	2264	dwm.exe	165
PID 948 wrote to memory of 4436	948	cmd.exe	167
PID 948 wrote to memory of 4436	948	cmd.exe	167
PID 948 wrote to memory of 5016	948	cmd.exe	168
PID 948 wrote to memory of 5016	948	cmd.exe	168
PID 5016 wrote to memory of 4028	5016	dwm.exe	169
PID 5016 wrote to memory of 4028	5016	dwm.exe	169
PID 4028 wrote to memory of 2960	4028	cmd.exe	171
PID 4028 wrote to memory of 2960	4028	cmd.exe	171
PID 4028 wrote to memory of 1616	4028	cmd.exe	172
PID 4028 wrote to memory of 1616	4028	cmd.exe	172
PID 1616 wrote to memory of 3212	1616	dwm.exe	173
PID 1616 wrote to memory of 3212	1616	dwm.exe	173
PID 3212 wrote to memory of 5000	3212	cmd.exe	175
PID 3212 wrote to memory of 5000	3212	cmd.exe	175
PID 3212 wrote to memory of 1928	3212	cmd.exe	176
PID 3212 wrote to memory of 1928	3212	cmd.exe	176
PID 1928 wrote to memory of 440	1928	dwm.exe	177
PID 1928 wrote to memory of 440	1928	dwm.exe	177
PID 440 wrote to memory of 4540	440	cmd.exe	179
PID 440 wrote to memory of 4540	440	cmd.exe	179
PID 440 wrote to memory of 4480	440	cmd.exe	180

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\076d90a3d6aea27339df2f4eec47e392.exe
"C:\Users\Admin\AppData\Local\Temp\076d90a3d6aea27339df2f4eec47e392.exe"
1⤵
- DcRat
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3076
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\ntoskrnl\Al42AfNQb.vbe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2452
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\ntoskrnl\VX19BQ0l7b.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4996
  - - C:\Users\Admin\AppData\Roaming\ntoskrnl\ntoskrnl.exe
      "C:\Users\Admin\AppData\Roaming\\ntoskrnl\ntoskrnl.exe"
      4⤵
      DcRat
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2072
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ji1BsB4mir.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1368
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:4992
      - C:\Users\Admin\AppData\Roaming\ntoskrnl\ntoskrnl.exe
        
        "C:\Users\Admin\AppData\Roaming\ntoskrnl\ntoskrnl.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Program Files directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3872
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Stzzg1zWmy.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:644
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1928
        
        C:\Users\Admin\Documents\dwm.exe
        
        "C:\Users\Admin\Documents\dwm.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1068
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HAQQp9H1T4.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3068
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:3352
        
        C:\Users\Admin\Documents\dwm.exe
        
        "C:\Users\Admin\Documents\dwm.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4568
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aPx44ABVco.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:3248
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:4028
        
        C:\Users\Admin\Documents\dwm.exe
        
        "C:\Users\Admin\Documents\dwm.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4200
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\auWhjrprfd.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:3080
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:3732
        
        C:\Users\Admin\Documents\dwm.exe
        
        "C:\Users\Admin\Documents\dwm.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2264
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jkzlbVqk90.bat"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:948
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:4436
        
        C:\Users\Admin\Documents\dwm.exe
        
        "C:\Users\Admin\Documents\dwm.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5016
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yNYzWO1Iaj.bat"
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:4028
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2960
        
        C:\Users\Admin\Documents\dwm.exe
        
        "C:\Users\Admin\Documents\dwm.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1616
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nb2ryfxXmZ.bat"
        19⤵
        Suspicious use of WriteProcessMemory
        
        PID:3212
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:5000
        
        C:\Users\Admin\Documents\dwm.exe
        
        "C:\Users\Admin\Documents\dwm.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1928
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wRWwqJyPGw.bat"
        21⤵
        Suspicious use of WriteProcessMemory
        
        PID:440
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:4540
        
        C:\Users\Admin\Documents\dwm.exe
        
        "C:\Users\Admin\Documents\dwm.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4480
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\ntoskrnl\file.vbs"
  2⤵
  PID:3184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Windows\ja-JP\unsecapp.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\ja-JP\unsecapp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Windows\ja-JP\unsecapp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\odt\WmiPrvSE.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\odt\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\odt\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Windows\PrintDialog\Assets\fontdrvhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\PrintDialog\Assets\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Windows\PrintDialog\Assets\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files\MsEdgeCrashpad\reports\System.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\MsEdgeCrashpad\reports\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files\MsEdgeCrashpad\reports\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\System.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\All Users\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\de-DE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\msedge.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Users\All Users\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\msedge.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\msedge.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Documents\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Admin\Documents\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Documents\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\TrustedInstaller.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TrustedInstaller.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\TrustedInstaller.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\msedge.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Users\Default User\msedge.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\msedge.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 8 /tr "'C:\Program Files\dotnet\msedge.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Program Files\dotnet\msedge.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 10 /tr "'C:\Program Files\dotnet\msedge.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3820 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
1⤵
PID:1964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dwm.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ntoskrnl.exe.log

Filesize
1KB

MD5
bbb951a34b516b66451218a3ec3b0ae1

SHA1
7393835a2476ae655916e0a9687eeaba3ee876e9

SHA256
eb70c64ae99d14ac2588b7a84854fbf3c420532d7fe4dfd49c7b5a70c869943a

SHA512
63bcbfcf8e7421c66855c487c31b2991a989bdea0c1edd4c40066b52fa3eb3d9d37db1cd21b8eb4f33dd5870cc20532c8f485eab9c0b4f6b0793a35c077f2d6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\HAQQp9H1T4.bat

Filesize
197B

MD5
a3b6b0708caa3958ed4e198a686cc28b

SHA1
4050e0dff6e53916e3bce0b43568c453720c3266

SHA256
99763bfb3f38d554d9933560c251971d905d452f7479cb6ef509cc3cccb530da

SHA512
2d3fe685cc275b5fd3515b0976f9a7955932d853595d5c38de3eff4125a4697010a146be37c882d197d231c3eae3014684fd7e99e1b33594f43439f577a801a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stzzg1zWmy.bat

Filesize
197B

MD5
6210744b218a86cd210ef3466774b92a

SHA1
231efaaa69f9160fb3dadc2da1253d7a5fe4f77a

SHA256
00d39422fd0d50068034d34c2e707480315f3186fff86d0f3a9d1fc9ba5bf91a

SHA512
1958f2852ffd25cf8af6df5c9d7501cfd08a356e441bfa7de8805f790726c035fe6e550b6f2c4aee00ff18ef090db7292dd9f193427279d913911a0c8a009fa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\aPx44ABVco.bat

Filesize
197B

MD5
5342146617e2bce7d7e1655aa62851ca

SHA1
a4c16621273a4b4a9393c10842567ae497163ff8

SHA256
2f0c0eb33cbd492b47997991fee89f9ac5e3957f1cda87a315c99fd23d219a3b

SHA512
c77838b65f955adec795ba7aa8aa9ea119800678a5efe45b6e1effb0c680ae2f3b5f19e9ae79f2e43a1fe70b8a5d2e6dbe07021def42f1f12882b528ad59bd03

Download Submit
C:\Users\Admin\AppData\Local\Temp\auWhjrprfd.bat

Filesize
197B

MD5
ee88f61fc136f2f059e8221c1769ea53

SHA1
6fa01e9460ee47f537435bb9df9bbcb124bf7362

SHA256
b0fce1e81f75b66954e19b3ba90f34eddf40d8985f2fce50cc4c642839489111

SHA512
025fed94760a64248cd2251c29b10172c295b90016ec6e48d826336996583f0d8859318ea63dbd00deb0395fcd4981262db8ab6fc473e0c016cba4607162a316

Download Submit
C:\Users\Admin\AppData\Local\Temp\ji1BsB4mir.bat

Filesize
217B

MD5
fe895db1f72b63487a4f291226075f19

SHA1
0a09ef89226ebd3860a721df545d3b1049a8ea08

SHA256
f9081b94c2ca981bfc548d002a20c269eb7c5da46e3236495b0452a193843ff0

SHA512
d06f50863aa676be3d0b71ab9b4d68318c3a7a90aa517f3033843ba18c3df195b9d97531e4523a5d9218043ba6abdd19382136e3f5eb4251f5f4108d56dfa696

Download Submit
C:\Users\Admin\AppData\Local\Temp\jkzlbVqk90.bat

Filesize
197B

MD5
ec936d79f86c00efbc58fab94cb669e0

SHA1
44089c927f6faba04b6b5f22eb44fd7bfb1fac60

SHA256
00a2f1a263ca598c159b3ae3ab0beb4c70bece6e22d14ff43b0d4aa71acb2793

SHA512
b8224c1e875b1945b28df96a0670498c156e024bee6f5912ec03f32afe84b6621002ade7a6c4c880fe8545dd52c67a14c475895ff6902f3e976d7267198b2a69

Download Submit
C:\Users\Admin\AppData\Local\Temp\nb2ryfxXmZ.bat

Filesize
197B

MD5
7778eb3179e78996709677bb928439fa

SHA1
130c9ec4270ca966228b372a90c232ce7a164a8d

SHA256
df6cab9294c5492a2643633ecece552aa2fbc9120f59e2680a20a1b9a32bd0a0

SHA512
7c275ce368a9943fc45b9f4ebaf28f00e91dec6b5b1b3af5700f8663cd37ec688cec795267a8852f5a26b3973c504f2ef5c68d0c397824856eca90f1e3133d88

Download Submit
C:\Users\Admin\AppData\Local\Temp\wRWwqJyPGw.bat

Filesize
197B

MD5
2b4c0fedd915f6e484e15dda582be50f

SHA1
805f7dc64811cf2253baf3642e5b74bf299cedbf

SHA256
7ff040e2b8ee3b3801a5835bef0c31b24529426735100745b80eb0ac8c859abf

SHA512
508e62b98c4eaa094236e376792a7ee0285b3dd8aa170cb6f59fac148631d24c206092fabbc8615d91481f748607806b449d66cdd14e290beb2028749646f072

Download Submit
C:\Users\Admin\AppData\Local\Temp\yNYzWO1Iaj.bat

Filesize
197B

MD5
7840419a5310bebfae2e14005e45f117

SHA1
77fcd4f645396ddbf3fc3da12175e2bbdeac762b

SHA256
0b54d8d0aed2680ec5310b4c2e5d53a56b67a45a9f707ebe6d701640f93631c0

SHA512
03bd96d785ba005dbf636396fdd9a1a9a834045408c1c5478dd813326b5c154344cce4a6c2903b719fa53a9b2aa4d1b4c105a8a9fe8ba85bbdb5bb92827b129b

Download Submit
C:\Users\Admin\AppData\Roaming\ntoskrnl\Al42AfNQb.vbe

Filesize
203B

MD5
ec95986ab8d8cabf6b9d9f4aaa2e3b65

SHA1
90850bba57e9a28ac5b3a23e24847dc1c9718a40

SHA256
40654e35c32851edb432372a5d8c12d97a1d44e93f50e821bf0d1ad84187d2f2

SHA512
20826b954bb2f964207b4dc03baa44f2b62ee6132146e33c300d7c65aa7fe6b143a0312e55091e5178643a8b85e04a76ad5a28ed5cccd4d515db7b60cfa18855

Download Submit
C:\Users\Admin\AppData\Roaming\ntoskrnl\VX19BQ0l7b.bat

Filesize
34B

MD5
b6fca7a84b01b35cc0de3b527c25d652

SHA1
6bc3a099d9f1f5795c74c2354fdd08590142265f

SHA256
ba5e3ca6a095f1ba158f8f8113517d4ed541ffe4a99cc291599c83d058f1e2ed

SHA512
48419e18a3bf97204b4a06639f964c24020a44998ef3ef5aa039e64105434f786a3b45638fd2b614ff59cf0ca17099898e2a32114200437005b97232b90b428b

Download Submit
C:\Users\Admin\AppData\Roaming\ntoskrnl\file.vbs

Filesize
34B

MD5
677cc4360477c72cb0ce00406a949c61

SHA1
b679e8c3427f6c5fc47c8ac46cd0e56c9424de05

SHA256
f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b

SHA512
7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a

Download Submit
C:\Users\Admin\AppData\Roaming\ntoskrnl\ntoskrnl.exe

Filesize
2.3MB

MD5
71b622a322078846cdeb8d6359f076d6

SHA1
8e9efaae5cfa9f1a0fcf55d4005c266143661971

SHA256
66683dfb091e28344b0b9bcafb5ccdeea914892360337f340590520863ed284d

SHA512
a208454faac38dc4acd2ae97c367e50111219f222f2ac149256431389403c4c09b5e5edcb76bd6a6d4e5fd85bd5f0b467e7ecbc70b2de2a53b7448765d4c830b

Download Submit
memory/1068-70-0x0000000002D80000-0x0000000002D92000-memory.dmp

Filesize
72KB

Download
memory/1616-107-0x00000000028F0000-0x0000000002902000-memory.dmp

Filesize
72KB

Download
memory/1928-114-0x0000000002AC0000-0x0000000002AD2000-memory.dmp

Filesize
72KB

Download
memory/2072-22-0x0000000002990000-0x00000000029A2000-memory.dmp

Filesize
72KB

Download
memory/2072-19-0x00000000029D0000-0x0000000002A20000-memory.dmp

Filesize
320KB

Download
memory/2072-18-0x00000000027D0000-0x00000000027EC000-memory.dmp

Filesize
112KB

Download
memory/2072-20-0x0000000002970000-0x0000000002986000-memory.dmp

Filesize
88KB

Download
memory/2072-17-0x0000000000400000-0x0000000000652000-memory.dmp

Filesize
2.3MB

Download
memory/2072-21-0x000000001B920000-0x000000001B976000-memory.dmp

Filesize
344KB

Download
memory/2072-23-0x000000001BEA0000-0x000000001C3C8000-memory.dmp

Filesize
5.2MB

Download
memory/2072-26-0x0000000002A40000-0x0000000002A48000-memory.dmp

Filesize
32KB

Download
memory/2072-25-0x0000000002A30000-0x0000000002A38000-memory.dmp

Filesize
32KB

Download
memory/2072-24-0x0000000002A20000-0x0000000002A2E000-memory.dmp

Filesize
56KB

Download
memory/3872-49-0x000000001B080000-0x000000001B0D6000-memory.dmp

Filesize
344KB

Download
memory/4200-87-0x00000000030B0000-0x00000000030C2000-memory.dmp

Filesize
72KB

Download
memory/4200-86-0x000000001C1B0000-0x000000001C206000-memory.dmp

Filesize
344KB

Download
memory/4480-121-0x000000001B580000-0x000000001B5D6000-memory.dmp

Filesize
344KB

Download
memory/4480-122-0x00000000029B0000-0x00000000029C2000-memory.dmp

Filesize
72KB

Download
memory/4568-79-0x000000001B990000-0x000000001B9E6000-memory.dmp

Filesize
344KB

Download
memory/5016-100-0x00000000025D0000-0x00000000025E2000-memory.dmp

Filesize
72KB

Download