dcrat | 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14-11-2024 05:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
Size

2.0MB
MD5

43a09f586ae8fe86191c47743b5cf744
SHA1

a8bc2177c871d0d29e93737a7ebcaa3da8f182de
SHA256

6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58
SHA512

ff8acde081b435a1bb0f204359bd7227b380a66e61472546016db41c53c7708c91215af8fbc3fdc8a99d1e15f6139c3e278b04dc483ecc3d952a2d1240efa104
SSDEEP

49152:+bv4/KHiciethGCUA1TJeUCMkiOT3eY1CKzuJtGvAAzB:+bv4/BUVb5JLChiAu1evAoB

Score

10^/10

dcrat discovery execution infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Start Menu\\SearchApp.exe\", \"C:\\Users\\Public\\Libraries\\backgroundTaskHost.exe\", \"C:\\Windows\\RemotePackages\\RemoteApps\\RuntimeBroker.exe\", \"C:\\Program Files\\dotnet\\StartMenuExperienceHost.exe\", \"C:\\Windows\\ja-JP\\dllhost.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe\""	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Start Menu\\SearchApp.exe\""	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Start Menu\\SearchApp.exe\", \"C:\\Users\\Public\\Libraries\\backgroundTaskHost.exe\""	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Start Menu\\SearchApp.exe\", \"C:\\Users\\Public\\Libraries\\backgroundTaskHost.exe\", \"C:\\Windows\\RemotePackages\\RemoteApps\\RuntimeBroker.exe\""	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Start Menu\\SearchApp.exe\", \"C:\\Users\\Public\\Libraries\\backgroundTaskHost.exe\", \"C:\\Windows\\RemotePackages\\RemoteApps\\RuntimeBroker.exe\", \"C:\\Program Files\\dotnet\\StartMenuExperienceHost.exe\""	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Start Menu\\SearchApp.exe\", \"C:\\Users\\Public\\Libraries\\backgroundTaskHost.exe\", \"C:\\Windows\\RemotePackages\\RemoteApps\\RuntimeBroker.exe\", \"C:\\Program Files\\dotnet\\StartMenuExperienceHost.exe\", \"C:\\Windows\\ja-JP\\dllhost.exe\""	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1404	5068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3656	5068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3952	5068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	5068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4696	5068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4456	5068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	5068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3260	5068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	5068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1544	5068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	5068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	5068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3320	5068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	5068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	912	5068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	956	5068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	5068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	5068	schtasks.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

4420 powershell.exe
4676 powershell.exe
4488 powershell.exe
3192 powershell.exe
3500 powershell.exe
2368 powershell.exe

pid	process
4420	powershell.exe
4676	powershell.exe
4488	powershell.exe
3192	powershell.exe
3500	powershell.exe
2368	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Users\\Default\\Start Menu\\SearchApp.exe\""	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Users\\Public\\Libraries\\backgroundTaskHost.exe\""	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\RemotePackages\\RemoteApps\\RuntimeBroker.exe\""	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Program Files\\dotnet\\StartMenuExperienceHost.exe\""	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\ja-JP\\dllhost.exe\""	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\ja-JP\\dllhost.exe\""	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Users\\Default\\Start Menu\\SearchApp.exe\""	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Users\\Public\\Libraries\\backgroundTaskHost.exe\""	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\RemotePackages\\RemoteApps\\RuntimeBroker.exe\""	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Program Files\\dotnet\\StartMenuExperienceHost.exe\""	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe\""	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe\""	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe

Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

43 ipinfo.io
12 ipinfo.io
14 ipinfo.io
42 ipinfo.io

flow	ioc
43	ipinfo.io
12	ipinfo.io
14	ipinfo.io
42	ipinfo.io

Drops file in System32 directory 2 IoCs

Processes:

csc.exe

description	ioc	process
File created	\??\c:\Windows\System32\CSCAACA5A80DE1842DFAF5169F14783542D.TMP	csc.exe
File created	\??\c:\Windows\System32\kpkopw.exe	csc.exe

Drops file in Program Files directory 2 IoCs

Processes:

6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe

description	ioc	process
File created	C:\Program Files\dotnet\StartMenuExperienceHost.exe	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
File created	C:\Program Files\dotnet\55b276f4edf653	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe

Drops file in Windows directory 5 IoCs

Processes:

6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe

description	ioc	process
File opened for modification	C:\Windows\ja-JP\dllhost.exe	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
File created	C:\Windows\ja-JP\5940a34987c991	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
File created	C:\Windows\RemotePackages\RemoteApps\RuntimeBroker.exe	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
File created	C:\Windows\RemotePackages\RemoteApps\9e8d7a4ca61bd9	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
File created	C:\Windows\ja-JP\dllhost.exe	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

PING.EXE

pid process

3532 PING.EXE

pid	process
3532	PING.EXE

Modifies registry class 1 IoCs

Processes:

6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3532 PING.EXE

pid	process
3532	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	process
3260	schtasks.exe
1736	schtasks.exe
912	schtasks.exe
956	schtasks.exe
3656	schtasks.exe
3952	schtasks.exe
1640	schtasks.exe
3040	schtasks.exe
3320	schtasks.exe
4456	schtasks.exe
1596	schtasks.exe
1544	schtasks.exe
2768	schtasks.exe
1696	schtasks.exe
2696	schtasks.exe
1404	schtasks.exe
4696	schtasks.exe
2936	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe

pid	process
2160	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
2160	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
2160	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
2160	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
2160	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
2160	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
2160	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
2160	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
2160	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
2160	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
2160	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
2160	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
2160	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
2160	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
2160	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
2160	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
2160	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
2160	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
2160	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
2160	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
2160	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
2160	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
2160	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
2160	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
2160	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
2160	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
2160	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
2160	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
2160	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
2160	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
2160	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
2160	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
2160	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
2160	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
2160	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
2160	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
2160	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
2160	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
2160	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
2160	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
2160	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
2160	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
2160	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
2160	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
2160	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
2160	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
2160	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
2160	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
2160	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
2160	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
2160	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
2160	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
2160	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
2160	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
2160	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
2160	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
2160	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
2160	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
2160	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
2160	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
2160	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
2160	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
2160	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
2160	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe

pid process

1324 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe

pid	process
1324	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe

description	pid	process
Token: SeDebugPrivilege	2160	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
Token: SeDebugPrivilege	4488	powershell.exe
Token: SeDebugPrivilege	4420	powershell.exe
Token: SeDebugPrivilege	2368	powershell.exe
Token: SeDebugPrivilege	3500	powershell.exe
Token: SeDebugPrivilege	3192	powershell.exe
Token: SeDebugPrivilege	4676	powershell.exe
Token: SeDebugPrivilege	1324	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.execsc.execmd.exe

description	pid	process	target process
PID 2160 wrote to memory of 3588	2160	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe	csc.exe
PID 2160 wrote to memory of 3588	2160	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe	csc.exe
PID 3588 wrote to memory of 4704	3588	csc.exe	cvtres.exe
PID 3588 wrote to memory of 4704	3588	csc.exe	cvtres.exe
PID 2160 wrote to memory of 4676	2160	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe	powershell.exe
PID 2160 wrote to memory of 4676	2160	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe	powershell.exe
PID 2160 wrote to memory of 4420	2160	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe	powershell.exe
PID 2160 wrote to memory of 4420	2160	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe	powershell.exe
PID 2160 wrote to memory of 2368	2160	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe	powershell.exe
PID 2160 wrote to memory of 2368	2160	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe	powershell.exe
PID 2160 wrote to memory of 3500	2160	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe	powershell.exe
PID 2160 wrote to memory of 3500	2160	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe	powershell.exe
PID 2160 wrote to memory of 3192	2160	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe	powershell.exe
PID 2160 wrote to memory of 3192	2160	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe	powershell.exe
PID 2160 wrote to memory of 4488	2160	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe	powershell.exe
PID 2160 wrote to memory of 4488	2160	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe	powershell.exe
PID 2160 wrote to memory of 4472	2160	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe	cmd.exe
PID 2160 wrote to memory of 4472	2160	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe	cmd.exe
PID 4472 wrote to memory of 3528	4472	cmd.exe	chcp.com
PID 4472 wrote to memory of 3528	4472	cmd.exe	chcp.com
PID 4472 wrote to memory of 3532	4472	cmd.exe	PING.EXE
PID 4472 wrote to memory of 3532	4472	cmd.exe	PING.EXE
PID 4472 wrote to memory of 1324	4472	cmd.exe	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
PID 4472 wrote to memory of 1324	4472	cmd.exe	6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
"C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2160
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1up5vusy\1up5vusy.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3588
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA2F7.tmp" "c:\Windows\System32\CSCAACA5A80DE1842DFAF5169F14783542D.TMP"
    3⤵
    PID:4704
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Start Menu\SearchApp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4676
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Libraries\backgroundTaskHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4420
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\RemotePackages\RemoteApps\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2368
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\dotnet\StartMenuExperienceHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3500
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ja-JP\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3192
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4488
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\u3YNNGkAjA.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4472
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:3528
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3532
- - C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
    "C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:1324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Start Menu\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\Default\Start Menu\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Start Menu\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Libraries\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Users\Public\Libraries\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Libraries\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Windows\RemotePackages\RemoteApps\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\RemotePackages\RemoteApps\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Windows\RemotePackages\RemoteApps\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Program Files\dotnet\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\dotnet\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Program Files\dotnet\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Windows\ja-JP\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\ja-JP\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\ja-JP\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e586" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e586" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe.log

Filesize
2KB

MD5
fb439153f3774b1c4f02ec154d525829

SHA1
83f284b217d57ea407a4c9fa90133b8b11c173a7

SHA256
640fc9ffd4a6afecff4f61ac9484f4722fa7fb9ed4f1b9aa36d1f28c9e227b33

SHA512
f0cc8a5e88ddb034cd9ab37997f8cd1ea32460d04dc636b0a9f16d5dede430ad1a8e929b0e3dc4224dcab838b7f02423790ad004f48a9abf46c8098663ae2bb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA2F7.tmp

Filesize
1KB

MD5
87359ce8075b74a9bcc2501292cea4a7

SHA1
0c25b2667a9cbdbb99faeeab3efc8d16977683e6

SHA256
e98c23b975a07994713a02d576bcc5819c2da328a72a4ff066cf3c4549039aa6

SHA512
6deeb43b216b7c15911467c82015da248ea84a9f026d545dfeac392fee33807381c796b41441c7cf5506ddd8197f5ce675c832641ece99c0ad004a68426a4e21

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qvdox1ec.0f3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\u3YNNGkAjA.bat

Filesize
230B

MD5
c9abed4566092e2451550229ebcee6ee

SHA1
9d0eb3a3e9d14ac00b61977e8bb349d349287e42

SHA256
e78a471156d5ba77ae6c6ab7ddec6559498faf13529944ed2a4a0eeaebb922cb

SHA512
057ed11bcec6975d379480709accd25ab018d9a89dd2ec3cac760e9cf6b121e36c813b85dcbd73fcfec1b2fbba43a49529a6ddf12676e491dc238c0b9a06c01f

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\SearchApp.exe

Filesize
2.0MB

MD5
43a09f586ae8fe86191c47743b5cf744

SHA1
a8bc2177c871d0d29e93737a7ebcaa3da8f182de

SHA256
6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58

SHA512
ff8acde081b435a1bb0f204359bd7227b380a66e61472546016db41c53c7708c91215af8fbc3fdc8a99d1e15f6139c3e278b04dc483ecc3d952a2d1240efa104

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1up5vusy\1up5vusy.0.cs

Filesize
373B

MD5
445a41ef5082677d2b7e186c24217d80

SHA1
b6ca840e3dc7a9235344373fd6befbc63721c794

SHA256
fcde1ac0dfd752633140e9b13ad2d2163db08bc0d8fca64d09b90f1f79d69bf2

SHA512
abf1ce07ce8b85c289562c8da640f0d74e8245de3d039cc445c4be5d0f61465405d180d0d86cf4a858361a5b9d433cb69b33a6457b5beefd537d87d33d9d829e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1up5vusy\1up5vusy.cmdline

Filesize
235B

MD5
a295506adce945cfb12e88deed336254

SHA1
91d86e1a0d5f09bff53628f7a409578384191fa8

SHA256
69e49d732802080f3d560e03ccd43e8c7959ab56d810062693d370d98ba64271

SHA512
e11ccec6adb4f7be172561e3fe1b044b3abd257c8d640859dd14f530caa8c739bc956d13f1a98892c221d4d361bd9c63bf409567ede1ae1bccc31927c2f9b518

Download Submit
\??\c:\Windows\System32\CSCAACA5A80DE1842DFAF5169F14783542D.TMP

Filesize
1KB

MD5
7bbfaf1199741b237d2493615c95c6d7

SHA1
86d466217c4dc1e0808f83ceda8f4b4df948b5dc

SHA256
e20e4619dbc932a216fd93f86fe0af2e915f4c2ba6177fc3581da59885094476

SHA512
2eda9bf71dc4a4583b7b8e9a6aab0f91d98cca68ee4309df1a4d26541917678da09a15d712397ae4b95fe95b65c8aa6eeab94d7620a5546b3df6c00306ef4a5c

Download Submit
memory/2160-28-0x00007FFA81940000-0x00007FFA82401000-memory.dmp

Filesize
10.8MB

Download
memory/2160-13-0x000000001B120000-0x000000001B138000-memory.dmp

Filesize
96KB

Download
memory/2160-18-0x000000001BC70000-0x000000001C198000-memory.dmp

Filesize
5.2MB

Download
memory/2160-20-0x00000000027F0000-0x00000000027FE000-memory.dmp

Filesize
56KB

Download
memory/2160-25-0x0000000002830000-0x0000000002838000-memory.dmp

Filesize
32KB

Download
memory/2160-27-0x000000001B270000-0x000000001B27C000-memory.dmp

Filesize
48KB

Download
memory/2160-0-0x00007FFA81943000-0x00007FFA81945000-memory.dmp

Filesize
8KB

Download
memory/2160-23-0x00007FFA81940000-0x00007FFA82401000-memory.dmp

Filesize
10.8MB

Download
memory/2160-22-0x0000000002800000-0x000000000280E000-memory.dmp

Filesize
56KB

Download
memory/2160-16-0x00007FFA81940000-0x00007FFA82401000-memory.dmp

Filesize
10.8MB

Download
memory/2160-43-0x00007FFA81940000-0x00007FFA82401000-memory.dmp

Filesize
10.8MB

Download
memory/2160-9-0x0000000002810000-0x000000000282C000-memory.dmp

Filesize
112KB

Download
memory/2160-11-0x000000001B6F0000-0x000000001B740000-memory.dmp

Filesize
320KB

Download
memory/2160-17-0x00007FFA81940000-0x00007FFA82401000-memory.dmp

Filesize
10.8MB

Download
memory/2160-15-0x000000001B250000-0x000000001B262000-memory.dmp

Filesize
72KB

Download
memory/2160-53-0x00007FFA81940000-0x00007FFA82401000-memory.dmp

Filesize
10.8MB

Download
memory/2160-54-0x00007FFA81940000-0x00007FFA82401000-memory.dmp

Filesize
10.8MB

Download
memory/2160-60-0x00007FFA81940000-0x00007FFA82401000-memory.dmp

Filesize
10.8MB

Download
memory/2160-1-0x00000000003C0000-0x00000000005C4000-memory.dmp

Filesize
2.0MB

Download
memory/2160-10-0x00007FFA81940000-0x00007FFA82401000-memory.dmp

Filesize
10.8MB

Download
memory/2160-7-0x00007FFA81940000-0x00007FFA82401000-memory.dmp

Filesize
10.8MB

Download
memory/2160-6-0x0000000000DA0000-0x0000000000DAE000-memory.dmp

Filesize
56KB

Download
memory/2160-4-0x00007FFA81940000-0x00007FFA82401000-memory.dmp

Filesize
10.8MB

Download
memory/2160-3-0x00007FFA81940000-0x00007FFA82401000-memory.dmp

Filesize
10.8MB

Download
memory/2160-2-0x00007FFA81940000-0x00007FFA82401000-memory.dmp

Filesize
10.8MB

Download
memory/4420-70-0x0000027DF8950000-0x0000027DF8972000-memory.dmp

Filesize
136KB

Download