dcrat | d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020be

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
10-11-2024 09:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
Size

1.5MB
MD5

f98b8d957e56a925bdfe1a9ed6182860
SHA1

c30bd13e13837e96f0affe38dc3603d978c20d91
SHA256

d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020be
SHA512

7766fe75347bca80d4754f1e7eebdafb134de91491e94f951b5a22ae27a62d7015f5c6c326aeb6ab65cd8f176e4f8ba355f11751b4685c5c1d60765526ed6111
SSDEEP

24576:ceaMajUi+6C+mDjn7gbkFaSH7Wu4mIWGE1Sy/fBEXTHhaTEEER71RM4I13:ceaj9bHmMbkBHVdGE1Sy/ujhaIh+1

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	2900	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	2900	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	2900	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2900	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	2900	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2900	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	2900	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	980	2900	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1264	2900	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	2900	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	2900	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	2900	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	2900	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	2900	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	2900	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	2900	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	2900	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	2900	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	2900	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2900	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	2900	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2124	2900	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	2900	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1820	2900	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1004	2900	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	2900	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	2900	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	2900	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2396	2900	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	2900	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	2900	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1304	2900	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	2900	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2092	2900	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	2900	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	2900	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1084	2900	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2072	2900	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	2900	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1028	2900	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	2900	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	2900	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	2900	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	2900	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	608	2900	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	2900	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1792	2900	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	2900	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	2900	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	2900	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	2900	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1840	2900	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	2900	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	2900	schtasks.exe	30

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/2700-1-0x0000000000030000-0x00000000001BE000-memory.dmp	dcrat
behavioral1/files/0x000500000001925b-26.dat	dcrat
behavioral1/files/0x000900000001925b-150.dat	dcrat
behavioral1/files/0x000700000001941b-161.dat	dcrat

Drops file in Drivers directory 1 IoCs

Processes:

d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe

Executes dropped EXE 1 IoCs

Processes:

Idle.exe

pid	Process
2512	Idle.exe

Drops file in Program Files directory 25 IoCs

Processes:

d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe

description	ioc	Process
File opened for modification	C:\Program Files\Internet Explorer\fr-FR\RCX6D4F.tmp	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
File opened for modification	C:\Program Files\Internet Explorer\fr-FR\lsm.exe	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
File created	C:\Program Files\Java\jre7\explorer.exe	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
File created	C:\Program Files\Java\jre7\7a0fd90576e088	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\dllhost.exe	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
File opened for modification	C:\Program Files\Common Files\Services\RCX6665.tmp	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
File opened for modification	C:\Program Files\Common Files\Services\RCX6666.tmp	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
File created	C:\Program Files\Common Files\Services\csrss.exe	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
File opened for modification	C:\Program Files\Java\jre7\RCX54F8.tmp	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
File opened for modification	C:\Program Files\Internet Explorer\fr-FR\RCX6D4E.tmp	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\RCX6462.tmp	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\dllhost.exe	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\ja-JP\csrss.exe	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\5940a34987c991	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
File created	C:\Program Files\Internet Explorer\fr-FR\lsm.exe	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
File created	C:\Program Files\Internet Explorer\fr-FR\101b941d020240	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\ja-JP\RCX52F2.tmp	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
File opened for modification	C:\Program Files\Java\jre7\explorer.exe	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\RCX63F3.tmp	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
File opened for modification	C:\Program Files\Common Files\Services\csrss.exe	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\ja-JP\csrss.exe	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\ja-JP\886983d96e3d3e	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
File created	C:\Program Files\Common Files\Services\886983d96e3d3e	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\ja-JP\RCX52F3.tmp	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
File opened for modification	C:\Program Files\Java\jre7\RCX54F7.tmp	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe

Drops file in Windows directory 11 IoCs

Processes:

d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe

description	ioc	Process
File created	C:\Windows\BitLockerDiscoveryVolumeContents\d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
File opened for modification	C:\Windows\L2Schemas\RCX6B49.tmp	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
File opened for modification	C:\Windows\L2Schemas\RCX6B4A.tmp	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
File opened for modification	C:\Windows\L2Schemas\dllhost.exe	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
File created	C:\Windows\diagnostics\scheduled\Idle.exe	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
File created	C:\Windows\L2Schemas\dllhost.exe	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
File created	C:\Windows\L2Schemas\5940a34987c991	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
File created	C:\Windows\BitLockerDiscoveryVolumeContents\f1a758ee18b59c	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\RCX7781.tmp	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\RCX7782.tmp	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	Process
1984	schtasks.exe
1696	schtasks.exe
1980	schtasks.exe
2344	schtasks.exe
3032	schtasks.exe
1004	schtasks.exe
2440	schtasks.exe
2116	schtasks.exe
2604	schtasks.exe
2124	schtasks.exe
2948	schtasks.exe
2072	schtasks.exe
2640	schtasks.exe
1820	schtasks.exe
608	schtasks.exe
2712	schtasks.exe
1632	schtasks.exe
3008	schtasks.exe
2996	schtasks.exe
1084	schtasks.exe
2504	schtasks.exe
2096	schtasks.exe
1852	schtasks.exe
1760	schtasks.exe
2232	schtasks.exe
2884	schtasks.exe
2152	schtasks.exe
1520	schtasks.exe
536	schtasks.exe
980	schtasks.exe
2360	schtasks.exe
1028	schtasks.exe
2348	schtasks.exe
2404	schtasks.exe
2044	schtasks.exe
1792	schtasks.exe
1600	schtasks.exe
2380	schtasks.exe
1264	schtasks.exe
1304	schtasks.exe
2244	schtasks.exe
1612	schtasks.exe
2008	schtasks.exe
2076	schtasks.exe
3036	schtasks.exe
2260	schtasks.exe
2452	schtasks.exe
1840	schtasks.exe
2396	schtasks.exe
2092	schtasks.exe
2980	schtasks.exe
2756	schtasks.exe
2632	schtasks.exe
2804	schtasks.exe

Suspicious behavior: EnumeratesProcesses 53 IoCs

Processes:

d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe

pid	Process
2700	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
2700	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
2700	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
2700	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
2700	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
2700	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
2700	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
2700	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
2700	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
2700	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
2700	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
2700	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
2700	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
2700	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
2700	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
2700	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
2700	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
2700	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
2700	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
2700	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
2700	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
2700	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
2700	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
2700	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
2700	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
2700	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
2700	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
2700	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
2700	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
2700	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
2700	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
2700	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
2700	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
2700	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
2700	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
2700	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
2700	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
2700	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
2700	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
2700	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
2700	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
2700	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
2700	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
2700	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
2700	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
2700	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
2700	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
2700	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
2700	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
2700	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
2700	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
2700	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
2700	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe

description	pid	Process
Token: SeDebugPrivilege	2700	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.execmd.exe

description	pid	Process	procid_target
PID 2700 wrote to memory of 1008	2700	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe	85
PID 2700 wrote to memory of 1008	2700	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe	85
PID 2700 wrote to memory of 1008	2700	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe	85
PID 1008 wrote to memory of 1952	1008	cmd.exe	87
PID 1008 wrote to memory of 1952	1008	cmd.exe	87
PID 1008 wrote to memory of 1952	1008	cmd.exe	87
PID 1008 wrote to memory of 2512	1008	cmd.exe	88
PID 1008 wrote to memory of 2512	1008	cmd.exe	88
PID 1008 wrote to memory of 2512	1008	cmd.exe	88

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
"C:\Users\Admin\AppData\Local\Temp\d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe"
1⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YCRAfa0DyO.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1008
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1952
- - C:\Windows\Temp\Idle.exe
    "C:\Windows\Temp\Idle.exe"
    3⤵
    - Executes dropped EXE
    PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files\Java\jre7\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\jre7\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Desktop\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default\Desktop\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Desktop\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Java\jdk1.7.0_80\bin\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.7.0_80\bin\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Java\jdk1.7.0_80\bin\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Common Files\Services\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Common Files\Services\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\Services\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Windows\L2Schemas\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\L2Schemas\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Windows\L2Schemas\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Program Files\Internet Explorer\fr-FR\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\fr-FR\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Program Files\Internet Explorer\fr-FR\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Windows\Temp\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Temp\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Windows\Temp\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Default User\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beNd" /sc MINUTE /mo 12 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beNd" /sc MINUTE /mo 5 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk1.7.0_80\bin\dllhost.exe

Filesize
1.5MB

MD5
ebd4263f1186dacbddbf2d5b06f18dc2

SHA1
21ee5bf92752f3441f5e1b171b5fbfbc51a62c43

SHA256
9ec953140895a39178d60ea9a5c940d4394d9a552d821020686147457483de70

SHA512
67f8e00882a170202e71f4a5a9fc3eba942da62fc24c77d85ef7b0ac2ee678d01056181c44196a9866ea65c6251726a88e208f7c939c204a62e4a59dd4642458

Download Submit
C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\OSPPSVC.exe

Filesize
1.5MB

MD5
05067968d113ea093cecf2a14bf9bdbc

SHA1
7e9d638b7b73d2eea70f0b9de6ca51127283220e

SHA256
17776b9f88ec2bd11873bab8d42c709e9aeb6b2a165e7c2740693232d8c11f7a

SHA512
59bb670601763bfb2062665d4420ceaabfa99a7cde80769917912c7326ef4442fb8479478675e714da4fbf549e6f86f6711e076fbb0f6b2f595508a996637835

Download Submit
C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsm.exe

Filesize
1.5MB

MD5
f98b8d957e56a925bdfe1a9ed6182860

SHA1
c30bd13e13837e96f0affe38dc3603d978c20d91

SHA256
d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020be

SHA512
7766fe75347bca80d4754f1e7eebdafb134de91491e94f951b5a22ae27a62d7015f5c6c326aeb6ab65cd8f176e4f8ba355f11751b4685c5c1d60765526ed6111

Download Submit
C:\Users\Admin\AppData\Local\Temp\YCRAfa0DyO.bat

Filesize
189B

MD5
ec0d08f8cbdc15c5a77aa79bcf5ee65e

SHA1
277bf643bdb79c022b9c31d5ddda0258304f7d5d

SHA256
eb11d530cc8b4958c83cf22d4089d15df57ebccd1be2e36cc9c96138b97c9898

SHA512
b9342d5dffd728fb77400ed73802aeed294a528512b98fb7f1b02169f0e94122644cb2a979d919959dcc13a9a89861835e2b5be1b682841bfd1e8f3be0502646

Download Submit
memory/2700-7-0x0000000000530000-0x0000000000540000-memory.dmp

Filesize
64KB

Download
memory/2700-16-0x00000000006C0000-0x00000000006CA000-memory.dmp

Filesize
40KB

Download
memory/2700-0-0x000007FEF55A3000-0x000007FEF55A4000-memory.dmp

Filesize
4KB

Download
memory/2700-6-0x0000000000510000-0x0000000000526000-memory.dmp

Filesize
88KB

Download
memory/2700-8-0x0000000000540000-0x0000000000548000-memory.dmp

Filesize
32KB

Download
memory/2700-10-0x0000000000550000-0x0000000000558000-memory.dmp

Filesize
32KB

Download
memory/2700-11-0x0000000000670000-0x000000000067C000-memory.dmp

Filesize
48KB

Download
memory/2700-12-0x0000000000690000-0x000000000069E000-memory.dmp

Filesize
56KB

Download
memory/2700-14-0x00000000006A0000-0x00000000006AC000-memory.dmp

Filesize
48KB

Download
memory/2700-13-0x0000000000680000-0x0000000000688000-memory.dmp

Filesize
32KB

Download
memory/2700-15-0x00000000006B0000-0x00000000006B8000-memory.dmp

Filesize
32KB

Download
memory/2700-5-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2700-19-0x000007FEF55A0000-0x000007FEF5F8C000-memory.dmp

Filesize
9.9MB

Download
memory/2700-4-0x0000000000380000-0x0000000000388000-memory.dmp

Filesize
32KB

Download
memory/2700-3-0x0000000000360000-0x000000000037C000-memory.dmp

Filesize
112KB

Download
memory/2700-2-0x000007FEF55A0000-0x000007FEF5F8C000-memory.dmp

Filesize
9.9MB

Download
memory/2700-186-0x000007FEF55A3000-0x000007FEF55A4000-memory.dmp

Filesize
4KB

Download
memory/2700-213-0x000007FEF55A0000-0x000007FEF5F8C000-memory.dmp

Filesize
9.9MB

Download
memory/2700-238-0x000007FEF55A0000-0x000007FEF5F8C000-memory.dmp

Filesize
9.9MB

Download
memory/2700-258-0x000007FEF55A0000-0x000007FEF5F8C000-memory.dmp

Filesize
9.9MB

Download
memory/2700-1-0x0000000000030000-0x00000000001BE000-memory.dmp

Filesize
1.6MB

Download