dcrat | 4a3e0402f692a391300bb5dd374086e2ae642725918fce5a703d686899024559

Analysis

max time kernel
136s
max time network
145s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16-12-2024 10:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

gamingservices.exe
Size

1.8MB
MD5

7e1cbd229ae163375fc55065690e27b4
SHA1

f1cecafde4f843b03f3defffcac7fd6950b582a6
SHA256

4a3e0402f692a391300bb5dd374086e2ae642725918fce5a703d686899024559
SHA512

545c246f2d0159f5c2f7631b891c19166505c525b0a6d66f2338460dfda94679da283aa3e8dffa7fc6fec5752cedbce753f731a7064cff8754970d8968d3c882
SSDEEP

24576:7Sgle/EPZ5XpxBeonQxcYHgC+aviVZZmQ5NnL+MIWRbtHU4aClCbs8HF7Kz9jxG:7AsZWHgReoP7nyWtHPaB37S9jx

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2476	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1568	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1312	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	528	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	2484	schtasks.exe	30

Executes dropped EXE 5 IoCs

pid	Process
2212	spoolsv.exe
1072	spoolsv.exe
2996	spoolsv.exe
2900	spoolsv.exe
2100	spoolsv.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\winlogon.exe	gamingservices.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\cc11b995f2a76d	gamingservices.exe
File created	C:\Program Files (x86)\Windows Defender\it-IT\winlogon.exe	gamingservices.exe
File created	C:\Program Files (x86)\Windows Defender\it-IT\cc11b995f2a76d	gamingservices.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Migration\WTR\spoolsv.exe	gamingservices.exe
File opened for modification	C:\Windows\Migration\WTR\spoolsv.exe	gamingservices.exe
File created	C:\Windows\Migration\WTR\f3b6ecef712a24	gamingservices.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2332	PING.EXE
3036	PING.EXE

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2332	PING.EXE
3036	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
528	schtasks.exe
2832	schtasks.exe
2476	schtasks.exe
1568	schtasks.exe
1716	schtasks.exe
2908	schtasks.exe
2416	schtasks.exe
2736	schtasks.exe
1312	schtasks.exe
3012	schtasks.exe
2868	schtasks.exe
2852	schtasks.exe
2812	schtasks.exe
2932	schtasks.exe
2724	schtasks.exe
3036	schtasks.exe
2604	schtasks.exe
1808	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2380	gamingservices.exe
2380	gamingservices.exe
2380	gamingservices.exe
2380	gamingservices.exe
2380	gamingservices.exe
2380	gamingservices.exe
2380	gamingservices.exe
2380	gamingservices.exe
2380	gamingservices.exe
2380	gamingservices.exe
2380	gamingservices.exe
2380	gamingservices.exe
2380	gamingservices.exe
2380	gamingservices.exe
2380	gamingservices.exe
2380	gamingservices.exe
2380	gamingservices.exe
2380	gamingservices.exe
2380	gamingservices.exe
2380	gamingservices.exe
2380	gamingservices.exe
2380	gamingservices.exe
2380	gamingservices.exe
2380	gamingservices.exe
2380	gamingservices.exe
2380	gamingservices.exe
2380	gamingservices.exe
2380	gamingservices.exe
2380	gamingservices.exe
2380	gamingservices.exe
2380	gamingservices.exe
2380	gamingservices.exe
2380	gamingservices.exe
2380	gamingservices.exe
2380	gamingservices.exe
2380	gamingservices.exe
2380	gamingservices.exe
2380	gamingservices.exe
2380	gamingservices.exe
2380	gamingservices.exe
2380	gamingservices.exe
2380	gamingservices.exe
2380	gamingservices.exe
2380	gamingservices.exe
2380	gamingservices.exe
2380	gamingservices.exe
2380	gamingservices.exe
2380	gamingservices.exe
2380	gamingservices.exe
2380	gamingservices.exe
2380	gamingservices.exe
2380	gamingservices.exe
2380	gamingservices.exe
2380	gamingservices.exe
2380	gamingservices.exe
2380	gamingservices.exe
2380	gamingservices.exe
2380	gamingservices.exe
2380	gamingservices.exe
2380	gamingservices.exe
2380	gamingservices.exe
2380	gamingservices.exe
2380	gamingservices.exe
2212	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2380	gamingservices.exe
Token: SeDebugPrivilege	2212	spoolsv.exe
Token: SeDebugPrivilege	1072	spoolsv.exe
Token: SeDebugPrivilege	2996	spoolsv.exe
Token: SeDebugPrivilege	2900	spoolsv.exe
Token: SeDebugPrivilege	2100	spoolsv.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 1652	2380	gamingservices.exe	49
PID 2380 wrote to memory of 1652	2380	gamingservices.exe	49
PID 2380 wrote to memory of 1652	2380	gamingservices.exe	49
PID 1652 wrote to memory of 1288	1652	cmd.exe	51
PID 1652 wrote to memory of 1288	1652	cmd.exe	51
PID 1652 wrote to memory of 1288	1652	cmd.exe	51
PID 1652 wrote to memory of 1324	1652	cmd.exe	52
PID 1652 wrote to memory of 1324	1652	cmd.exe	52
PID 1652 wrote to memory of 1324	1652	cmd.exe	52
PID 1652 wrote to memory of 2212	1652	cmd.exe	53
PID 1652 wrote to memory of 2212	1652	cmd.exe	53
PID 1652 wrote to memory of 2212	1652	cmd.exe	53
PID 2212 wrote to memory of 2188	2212	spoolsv.exe	55
PID 2212 wrote to memory of 2188	2212	spoolsv.exe	55
PID 2212 wrote to memory of 2188	2212	spoolsv.exe	55
PID 2188 wrote to memory of 2988	2188	cmd.exe	57
PID 2188 wrote to memory of 2988	2188	cmd.exe	57
PID 2188 wrote to memory of 2988	2188	cmd.exe	57
PID 2188 wrote to memory of 1356	2188	cmd.exe	58
PID 2188 wrote to memory of 1356	2188	cmd.exe	58
PID 2188 wrote to memory of 1356	2188	cmd.exe	58
PID 2188 wrote to memory of 1072	2188	cmd.exe	59
PID 2188 wrote to memory of 1072	2188	cmd.exe	59
PID 2188 wrote to memory of 1072	2188	cmd.exe	59
PID 1072 wrote to memory of 2552	1072	spoolsv.exe	60
PID 1072 wrote to memory of 2552	1072	spoolsv.exe	60
PID 1072 wrote to memory of 2552	1072	spoolsv.exe	60
PID 2552 wrote to memory of 1536	2552	cmd.exe	62
PID 2552 wrote to memory of 1536	2552	cmd.exe	62
PID 2552 wrote to memory of 1536	2552	cmd.exe	62
PID 2552 wrote to memory of 2104	2552	cmd.exe	63
PID 2552 wrote to memory of 2104	2552	cmd.exe	63
PID 2552 wrote to memory of 2104	2552	cmd.exe	63
PID 2552 wrote to memory of 2996	2552	cmd.exe	64
PID 2552 wrote to memory of 2996	2552	cmd.exe	64
PID 2552 wrote to memory of 2996	2552	cmd.exe	64
PID 2996 wrote to memory of 2796	2996	spoolsv.exe	65
PID 2996 wrote to memory of 2796	2996	spoolsv.exe	65
PID 2996 wrote to memory of 2796	2996	spoolsv.exe	65
PID 2796 wrote to memory of 2768	2796	cmd.exe	67
PID 2796 wrote to memory of 2768	2796	cmd.exe	67
PID 2796 wrote to memory of 2768	2796	cmd.exe	67
PID 2796 wrote to memory of 2332	2796	cmd.exe	68
PID 2796 wrote to memory of 2332	2796	cmd.exe	68
PID 2796 wrote to memory of 2332	2796	cmd.exe	68
PID 2796 wrote to memory of 2900	2796	cmd.exe	69
PID 2796 wrote to memory of 2900	2796	cmd.exe	69
PID 2796 wrote to memory of 2900	2796	cmd.exe	69
PID 2900 wrote to memory of 3020	2900	spoolsv.exe	70
PID 2900 wrote to memory of 3020	2900	spoolsv.exe	70
PID 2900 wrote to memory of 3020	2900	spoolsv.exe	70
PID 3020 wrote to memory of 1924	3020	cmd.exe	72
PID 3020 wrote to memory of 1924	3020	cmd.exe	72
PID 3020 wrote to memory of 1924	3020	cmd.exe	72
PID 3020 wrote to memory of 3036	3020	cmd.exe	73
PID 3020 wrote to memory of 3036	3020	cmd.exe	73
PID 3020 wrote to memory of 3036	3020	cmd.exe	73
PID 3020 wrote to memory of 2100	3020	cmd.exe	74
PID 3020 wrote to memory of 2100	3020	cmd.exe	74
PID 3020 wrote to memory of 2100	3020	cmd.exe	74

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\gamingservices.exe
"C:\Users\Admin\AppData\Local\Temp\gamingservices.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qKBAxP9LMM.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1652
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:1288
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1324
- - C:\Windows\Migration\WTR\spoolsv.exe
    "C:\Windows\Migration\WTR\spoolsv.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2212
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\24XiM7UcCi.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2188
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:2988
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:1356
    - - C:\Windows\Migration\WTR\spoolsv.exe
        
        "C:\Windows\Migration\WTR\spoolsv.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1072
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RKW7EBQnZE.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2552
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:1536
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2104
        
        C:\Windows\Migration\WTR\spoolsv.exe
        
        "C:\Windows\Migration\WTR\spoolsv.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2996
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Mb6Aq3ZX7x.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2796
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:2768
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2332
        
        C:\Windows\Migration\WTR\spoolsv.exe
        
        "C:\Windows\Migration\WTR\spoolsv.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ng14EOm2tp.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:1924
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3036
        
        C:\Windows\Migration\WTR\spoolsv.exe
        
        "C:\Windows\Migration\WTR\spoolsv.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Public\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Public\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\it-IT\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Windows\Migration\WTR\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Windows\Migration\WTR\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "gamingservicesg" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\AppData\Local\Temp\gamingservices.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "gamingservices" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\gamingservices.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "gamingservicesg" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\AppData\Local\Temp\gamingservices.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\24XiM7UcCi.bat

Filesize
212B

MD5
e1d190b192906167e3de180942d5a1ba

SHA1
960e6975e0171d8d04d4bc834379223ee88caea1

SHA256
33b86b0e84191dbe75e03fd5afb4c8ef1f96c948748108c859bc8512ae8d1233

SHA512
d9812dad09a59f149b8cefcb9da109f4142fafe0823ef16651718e6219cae0fdb355af44ba4850259e7d1f35b4f4c55d571c084bc0e1c525adbabe99354552be

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mb6Aq3ZX7x.bat

Filesize
164B

MD5
d5e8deaec12472756513912b4bd1e1e5

SHA1
534f371104c3aa3235e133e88ae49c23547290ee

SHA256
b3323b558c32c2044dde805156394ac4e1e40f0f04fd5840fa65d024580f0c60

SHA512
84cf59f3e2aa32d36d70bf1c1db1d4350e6a345988a7689b9e8c21439c801f428670f5fd5983a2fa3a9d310972900cda400ad381668fe6afc742c216a87082b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ng14EOm2tp.bat

Filesize
164B

MD5
bb481764094932563aff03263af86efe

SHA1
22da9a6df24976d4f7bc6b17f5499aba159c2090

SHA256
9aab36848575031b28e778cd608207ce5d30342ff55a97cd5e227fbea32b4aea

SHA512
25a36e2b702e819de0c14adca64c7d3f770aae750d0aa2676f8c53c2d475351cb44968d9e567cee7987f27832388336759ce2cc1f2f9fecc02fcaec0d509f63e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RKW7EBQnZE.bat

Filesize
212B

MD5
b6aa6ffc956082ccd2ba5ba7830f820b

SHA1
151a0f5aa4c59c5867883e5c120880694ad56f03

SHA256
49832a0f3dddfba4e347ac154755f4e46a7cf6c93a3a8c93b37147728ccc4107

SHA512
dfcb9600f8c8a83c9c4fb60da83d0be3a0df2f786a9865fe156bb81a63ed160b49ad3c018479e8102452cbf1d318111620fc8349247537cae989c5453d333edc

Download Submit
C:\Users\Admin\AppData\Local\Temp\qKBAxP9LMM.bat

Filesize
212B

MD5
57fa6ac490ab2cce5fb5b21ddb271904

SHA1
2690705db24957e445f01fc115a69fbbe46ed6f4

SHA256
6d95e541478618399ce8555ebbadde6f66395fab427c7fb16c409c43ec4a768d

SHA512
1e973033731b2b95c3e7b76154a4b3c521ba904fe27dbe158ac576adf6d8672668097f13e362ab72b186b99e396120eab36005301fc859f37bbf868a9e256a76

Download Submit
C:\Users\Public\csrss.exe

Filesize
1.8MB

MD5
7e1cbd229ae163375fc55065690e27b4

SHA1
f1cecafde4f843b03f3defffcac7fd6950b582a6

SHA256
4a3e0402f692a391300bb5dd374086e2ae642725918fce5a703d686899024559

SHA512
545c246f2d0159f5c2f7631b891c19166505c525b0a6d66f2338460dfda94679da283aa3e8dffa7fc6fec5752cedbce753f731a7064cff8754970d8968d3c882

Download Submit
memory/1072-44-0x0000000001280000-0x0000000001452000-memory.dmp

Filesize
1.8MB

Download
memory/2100-74-0x0000000001010000-0x00000000011E2000-memory.dmp

Filesize
1.8MB

Download
memory/2212-34-0x0000000000E40000-0x0000000001012000-memory.dmp

Filesize
1.8MB

Download
memory/2380-25-0x000007FEF5B00000-0x000007FEF64EC000-memory.dmp

Filesize
9.9MB

Download
memory/2380-14-0x000007FEF5B00000-0x000007FEF64EC000-memory.dmp

Filesize
9.9MB

Download
memory/2380-0-0x000007FEF5B03000-0x000007FEF5B04000-memory.dmp

Filesize
4KB

Download
memory/2380-11-0x0000000000BA0000-0x0000000000BB8000-memory.dmp

Filesize
96KB

Download
memory/2380-6-0x00000000005A0000-0x00000000005AE000-memory.dmp

Filesize
56KB

Download
memory/2380-9-0x000007FEF5B00000-0x000007FEF64EC000-memory.dmp

Filesize
9.9MB

Download
memory/2380-4-0x000007FEF5B00000-0x000007FEF64EC000-memory.dmp

Filesize
9.9MB

Download
memory/2380-31-0x000007FEF5B00000-0x000007FEF64EC000-memory.dmp

Filesize
9.9MB

Download
memory/2380-3-0x000007FEF5B00000-0x000007FEF64EC000-memory.dmp

Filesize
9.9MB

Download
memory/2380-12-0x000007FEF5B00000-0x000007FEF64EC000-memory.dmp

Filesize
9.9MB

Download
memory/2380-2-0x000007FEF5B00000-0x000007FEF64EC000-memory.dmp

Filesize
9.9MB

Download
memory/2380-8-0x0000000000B80000-0x0000000000B9C000-memory.dmp

Filesize
112KB

Download
memory/2380-1-0x0000000000BE0000-0x0000000000DB2000-memory.dmp

Filesize
1.8MB

Download
memory/2900-64-0x0000000000120000-0x00000000002F2000-memory.dmp

Filesize
1.8MB

Download