Analysis
max time kernel: 87s
max time network: 16s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 11-01-2025 06:45

Static task: static1
Behavioral task: behavioral1
  Sample: b1f5f4c7b4c9919532783142fbd5af48df5768e591a57c08c256125155e01f30.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: b1f5f4c7b4c9919532783142fbd5af48df5768e591a57c08c256125155e01f30.exe
  Resource: win10v2004-20241007-en
General
Target: b1f5f4c7b4c9919532783142fbd5af48df5768e591a57c08c256125155e01f30.exe
Size: 1.5MB
MD5: e6606aa0691b886298e05ae11a4167e2
SHA1: 39da4c5f82a23ffd68f3151c9e54f0ea5d7bd076
SHA256: b1f5f4c7b4c9919532783142fbd5af48df5768e591a57c08c256125155e01f30
SHA512: 12ae8bc3c473a594b42b85ca6dc2e14f6b287fc126f41c3270a9e278213faf2e333830f95210f7d31fe404800a3b80b463079eea4067d504957f6ec5c681580b
SSDEEP: 24576:0NNUtQhWhtqDfDXQdy+N+gfQqRsgFlDRluQ70eJiVbWpRG:EzhWhCXQFN+0IEuQgyiVKu
Malware Config
Signatures

DcRat 11 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
- pid 1512 schtasks.exe
- pid 1868 schtasks.exe
- pid 864 schtasks.exe
- pid 2532 schtasks.exe
- pid 3044 schtasks.exe
- pid 2868 schtasks.exe
- pid 2604 schtasks.exe
- pid 1244 schtasks.exe
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: b1f5f4c7b4c9919532783142fbd5af48df5768e591a57c08c256125155e01f30.exe)
- pid 2176 schtasks.exe
- pid 2808 schtasks.exe

Dcrat family
Modifies WinLogon for persistence 2 TTPs 10 IoCs
Process for all rows: b1f5f4c7b4c9919532783142fbd5af48df5768e591a57c08c256125155e01f30.exe
Each row sets the string value \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell to the list shown (the value is extended one entry at a time; rows are listed in the order the report shows them):
- explorer.exe, "C:\PerfLogs\Admin\sppsvc.exe", "C:\Windows\System32\rasapi32\services.exe", "C:\Windows\System32\Magnify\services.exe", "C:\Program Files\Windows NT\Accessories\de-DE\taskhost.exe", "C:\Windows\System32\wbem\wmipcima\WMIADAP.exe"
- explorer.exe, "C:\PerfLogs\Admin\sppsvc.exe", "C:\Windows\System32\rasapi32\services.exe", "C:\Windows\System32\Magnify\services.exe", "C:\Program Files\Windows NT\Accessories\de-DE\taskhost.exe", "C:\Windows\System32\wbem\wmipcima\WMIADAP.exe", "C:\Windows\System32\idndl\lsass.exe", "C:\Windows\System32\PushPrinterConnections\taskhost.exe"
- explorer.exe, "C:\PerfLogs\Admin\sppsvc.exe", "C:\Windows\System32\rasapi32\services.exe", "C:\Windows\System32\Magnify\services.exe", "C:\Program Files\Windows NT\Accessories\de-DE\taskhost.exe", "C:\Windows\System32\wbem\wmipcima\WMIADAP.exe", "C:\Windows\System32\idndl\lsass.exe", "C:\Windows\System32\PushPrinterConnections\taskhost.exe", "C:\Windows\System32\PortableDeviceSyncProvider\dwm.exe"
- explorer.exe, "C:\PerfLogs\Admin\sppsvc.exe", "C:\Windows\System32\rasapi32\services.exe", "C:\Windows\System32\Magnify\services.exe", "C:\Program Files\Windows NT\Accessories\de-DE\taskhost.exe", "C:\Windows\System32\wbem\wmipcima\WMIADAP.exe", "C:\Windows\System32\idndl\lsass.exe", "C:\Windows\System32\PushPrinterConnections\taskhost.exe", "C:\Windows\System32\PortableDeviceSyncProvider\dwm.exe", "C:\Windows\System32\dbnetlib\smss.exe"
- explorer.exe, "C:\PerfLogs\Admin\sppsvc.exe", "C:\Windows\System32\rasapi32\services.exe", "C:\Windows\System32\Magnify\services.exe", "C:\Program Files\Windows NT\Accessories\de-DE\taskhost.exe", "C:\Windows\System32\wbem\wmipcima\WMIADAP.exe", "C:\Windows\System32\idndl\lsass.exe", "C:\Windows\System32\PushPrinterConnections\taskhost.exe", "C:\Windows\System32\PortableDeviceSyncProvider\dwm.exe", "C:\Windows\System32\dbnetlib\smss.exe", "C:\Windows\System32\DfsShlEx\lsass.exe"
- explorer.exe, "C:\PerfLogs\Admin\sppsvc.exe", "C:\Windows\System32\rasapi32\services.exe"
- explorer.exe, "C:\PerfLogs\Admin\sppsvc.exe", "C:\Windows\System32\rasapi32\services.exe", "C:\Windows\System32\Magnify\services.exe"
- explorer.exe, "C:\PerfLogs\Admin\sppsvc.exe", "C:\Windows\System32\rasapi32\services.exe", "C:\Windows\System32\Magnify\services.exe", "C:\Program Files\Windows NT\Accessories\de-DE\taskhost.exe", "C:\Windows\System32\wbem\wmipcima\WMIADAP.exe", "C:\Windows\System32\idndl\lsass.exe"
- explorer.exe, "C:\PerfLogs\Admin\sppsvc.exe"
- explorer.exe, "C:\PerfLogs\Admin\sppsvc.exe", "C:\Windows\System32\rasapi32\services.exe", "C:\Windows\System32\Magnify\services.exe", "C:\Program Files\Windows NT\Accessories\de-DE\taskhost.exe"
Process spawned unexpected child process 10 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Description for all rows: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process (pid_target 2732, procid_target 31)
- pid 2176 schtasks.exe
- pid 2808 schtasks.exe
- pid 2868 schtasks.exe
- pid 864 schtasks.exe
- pid 2532 schtasks.exe
- pid 2604 schtasks.exe
- pid 3044 schtasks.exe
- pid 1512 schtasks.exe
- pid 1244 schtasks.exe
- pid 1868 schtasks.exe
UAC bypass 3 IoCs
Process for all rows: b1f5f4c7b4c9919532783142fbd5af48df5768e591a57c08c256125155e01f30.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"
Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
- pid 2984 powershell.exe
- pid 1628 powershell.exe
- pid 2200 powershell.exe
- pid 2192 powershell.exe
- pid 2120 powershell.exe
- pid 2152 powershell.exe
- pid 2148 powershell.exe
- pid 2356 powershell.exe
- pid 2972 powershell.exe
- pid 2568 powershell.exe
- pid 640 powershell.exe

Drops file in Drivers directory 1 IoCs
- File opened for modification C:\Windows\System32\drivers\etc\hosts (process: b1f5f4c7b4c9919532783142fbd5af48df5768e591a57c08c256125155e01f30.exe)

Executes dropped EXE 1 IoCs
- pid 1212 services.exe
Adds Run key to start application 2 TTPs 20 IoCs
Process for all rows: b1f5f4c7b4c9919532783142fbd5af48df5768e591a57c08c256125155e01f30.exe
All rows are Set value (str); the user hive is \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000.
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "C:\Program Files\Windows NT\Accessories\de-DE\taskhost.exe"
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WMIADAP = "C:\Windows\System32\wbem\wmipcima\WMIADAP.exe"
- \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "C:\Windows\System32\dbnetlib\smss.exe"
- \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "C:\PerfLogs\Admin\sppsvc.exe"
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "C:\PerfLogs\Admin\sppsvc.exe"
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "C:\Windows\System32\rasapi32\services.exe"
- \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "C:\Program Files\Windows NT\Accessories\de-DE\taskhost.exe"
- \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "C:\Windows\System32\PortableDeviceSyncProvider\dwm.exe"
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "C:\Windows\System32\dbnetlib\smss.exe"
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "C:\Windows\System32\PortableDeviceSyncProvider\dwm.exe"
- \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\WMIADAP = "C:\Windows\System32\wbem\wmipcima\WMIADAP.exe"
- \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "C:\Windows\System32\PushPrinterConnections\taskhost.exe"
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "C:\Windows\System32\PushPrinterConnections\taskhost.exe"
- \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "C:\Windows\System32\idndl\lsass.exe"
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "C:\Windows\System32\idndl\lsass.exe"
- \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "C:\Windows\System32\DfsShlEx\lsass.exe"
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "C:\Windows\System32\DfsShlEx\lsass.exe"
- \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "C:\Windows\System32\rasapi32\services.exe"
- \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "C:\Windows\System32\Magnify\services.exe"
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "C:\Windows\System32\Magnify\services.exe"

Checks whether UAC is enabled 2 IoCs
Process for all rows: b1f5f4c7b4c9919532783142fbd5af48df5768e591a57c08c256125155e01f30.exe
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Drops file in System32 directory 32 IoCs
Process for all rows: b1f5f4c7b4c9919532783142fbd5af48df5768e591a57c08c256125155e01f30.exe
- File created C:\Windows\System32\rasapi32\services.exe
- File created C:\Windows\System32\PortableDeviceSyncProvider\dwm.exe
- File created C:\Windows\System32\wbem\wmipcima\75a57c1bdf437c
- File created C:\Windows\System32\dbnetlib\69ddcba757bf72
- File created C:\Windows\System32\DfsShlEx\lsass.exe
- File opened for modification C:\Windows\System32\wbem\wmipcima\WMIADAP.exe
- File opened for modification C:\Windows\System32\dbnetlib\RCXF541.tmp
- File opened for modification C:\Windows\System32\DfsShlEx\lsass.exe
- File opened for modification C:\Windows\System32\rasapi32\RCXE64C.tmp
- File opened for modification C:\Windows\System32\Magnify\RCXE84F.tmp
- File opened for modification C:\Windows\System32\idndl\RCXEF35.tmp
- File opened for modification C:\Windows\System32\PushPrinterConnections\taskhost.exe
- File opened for modification C:\Windows\System32\PortableDeviceSyncProvider\RCXF33D.tmp
- File created C:\Windows\System32\idndl\lsass.exe
- File created C:\Windows\System32\PushPrinterConnections\b75386f1303e64
- File created C:\Windows\System32\PortableDeviceSyncProvider\6cb0b6c459d5d3
- File opened for modification C:\Windows\System32\Magnify\services.exe
- File opened for modification C:\Windows\System32\wbem\wmipcima\RCXED31.tmp
- File opened for modification C:\Windows\System32\idndl\lsass.exe
- File created C:\Windows\System32\rasapi32\c5b4cb5e9653cc
- File created C:\Windows\System32\Magnify\c5b4cb5e9653cc
- File created C:\Windows\System32\wbem\wmipcima\WMIADAP.exe
- File created C:\Windows\System32\dbnetlib\smss.exe
- File created C:\Windows\System32\DfsShlEx\6203df4a6bafc7
- File opened for modification C:\Windows\System32\rasapi32\services.exe
- File created C:\Windows\System32\idndl\6203df4a6bafc7
- File opened for modification C:\Windows\System32\DfsShlEx\RCXF744.tmp
- File created C:\Windows\System32\Magnify\services.exe
- File created C:\Windows\System32\PushPrinterConnections\taskhost.exe
- File opened for modification C:\Windows\System32\PushPrinterConnections\RCXF139.tmp
- File opened for modification C:\Windows\System32\PortableDeviceSyncProvider\dwm.exe
- File opened for modification C:\Windows\System32\dbnetlib\smss.exe

Drops file in Program Files directory 4 IoCs
Process for all rows: b1f5f4c7b4c9919532783142fbd5af48df5768e591a57c08c256125155e01f30.exe
- File created C:\Program Files\Windows NT\Accessories\de-DE\taskhost.exe
- File created C:\Program Files\Windows NT\Accessories\de-DE\b75386f1303e64
- File opened for modification C:\Program Files\Windows NT\Accessories\de-DE\RCXEAC0.tmp
- File opened for modification C:\Program Files\Windows NT\Accessories\de-DE\taskhost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Scheduled Task/Job: Scheduled Task 1 TTPs 10 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
- pid 2868 schtasks.exe
- pid 864 schtasks.exe
- pid 2532 schtasks.exe
- pid 3044 schtasks.exe
- pid 1512 schtasks.exe
- pid 1244 schtasks.exe
- pid 1868 schtasks.exe
- pid 2176 schtasks.exe
- pid 2604 schtasks.exe
- pid 2808 schtasks.exe
Suspicious behavior: EnumeratesProcesses 44 IoCs
Rows in report order (repeated identical rows are collapsed with a count):
- pid 2612 b1f5f4c7b4c9919532783142fbd5af48df5768e591a57c08c256125155e01f30.exe (31 rows)
- pid 2192 powershell.exe
- pid 2200 powershell.exe
- pid 2148 powershell.exe
- pid 2120 powershell.exe
- pid 2984 powershell.exe
- pid 2356 powershell.exe
- pid 2612 b1f5f4c7b4c9919532783142fbd5af48df5768e591a57c08c256125155e01f30.exe
- pid 2152 powershell.exe
- pid 2972 powershell.exe
- pid 1628 powershell.exe
- pid 2568 powershell.exe
- pid 640 powershell.exe
- pid 2612 b1f5f4c7b4c9919532783142fbd5af48df5768e591a57c08c256125155e01f30.exe
Suspicious use of AdjustPrivilegeToken 13 IoCs
Token for all rows: SeDebugPrivilege
- pid 2612 b1f5f4c7b4c9919532783142fbd5af48df5768e591a57c08c256125155e01f30.exe
- pid 2192 powershell.exe
- pid 2200 powershell.exe
- pid 2148 powershell.exe
- pid 2120 powershell.exe
- pid 2984 powershell.exe
- pid 2356 powershell.exe
- pid 2152 powershell.exe
- pid 2972 powershell.exe
- pid 1628 powershell.exe
- pid 2568 powershell.exe
- pid 640 powershell.exe
- pid 1212 services.exe
Suspicious use of WriteProcessMemory 36 IoCs
Source for all rows: PID 2612 (b1f5f4c7b4c9919532783142fbd5af48df5768e591a57c08c256125155e01f30.exe). Each target appears in three consecutive identical rows (3 x 12 = 36).
- PID 2612 wrote to memory of 2200 (procid_target 42)
- PID 2612 wrote to memory of 640 (procid_target 43)
- PID 2612 wrote to memory of 2192 (procid_target 45)
- PID 2612 wrote to memory of 2120 (procid_target 46)
- PID 2612 wrote to memory of 2152 (procid_target 47)
- PID 2612 wrote to memory of 2148 (procid_target 48)
- PID 2612 wrote to memory of 2356 (procid_target 49)
- PID 2612 wrote to memory of 2972 (procid_target 50)
- PID 2612 wrote to memory of 2568 (procid_target 51)
- PID 2612 wrote to memory of 2984 (procid_target 52)
- PID 2612 wrote to memory of 1628 (procid_target 53)
- PID 2612 wrote to memory of 1212 (procid_target 64)
System policy modification 1 TTPs 3 IoCs
Process for all rows: b1f5f4c7b4c9919532783142fbd5af48df5768e591a57c08c256125155e01f30.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Tree depth is given in brackets; [2] entries are children of the [1] entry above them.

[1] C:\Users\Admin\AppData\Local\Temp\b1f5f4c7b4c9919532783142fbd5af48df5768e591a57c08c256125155e01f30.exe (PID 2612)
    Command line: "C:\Users\Admin\AppData\Local\Temp\b1f5f4c7b4c9919532783142fbd5af48df5768e591a57c08c256125155e01f30.exe"
    - DcRat
    - Modifies WinLogon for persistence
    - UAC bypass
    - Drops file in Drivers directory
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2200)
        Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\b1f5f4c7b4c9919532783142fbd5af48df5768e591a57c08c256125155e01f30.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 640)
        Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\PerfLogs\Admin\sppsvc.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2192)
        Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\rasapi32\services.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2120)
        Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\Magnify\services.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2152)
        Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Accessories\de-DE\taskhost.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2148)
        Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\wbem\wmipcima\WMIADAP.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2356)
        Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\idndl\lsass.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2972)
        Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\PushPrinterConnections\taskhost.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2568)
        Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\PortableDeviceSyncProvider\dwm.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2984)
        Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\dbnetlib\smss.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1628)
        Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\DfsShlEx\lsass.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\System32\Magnify\services.exe (PID 1212)
        Command line: "C:\Windows\System32\Magnify\services.exe"
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\system32\schtasks.exe (PID 2176)
    Command line: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\PerfLogs\Admin\sppsvc.exe'" /rl HIGHEST /f
    - DcRat
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[1] C:\Windows\system32\schtasks.exe (PID 2808)
    Command line: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\System32\rasapi32\services.exe'" /rl HIGHEST /f
    - DcRat
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[1] C:\Windows\system32\schtasks.exe (PID 2868)
    Command line: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\System32\Magnify\services.exe'" /rl HIGHEST /f
    - DcRat
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[1] C:\Windows\system32\schtasks.exe (PID 864)
    Command line: schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\de-DE\taskhost.exe'" /rl HIGHEST /f
    - DcRat
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[1] C:\Windows\system32\schtasks.exe (PID 2532)
    Command line: schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Windows\System32\wbem\wmipcima\WMIADAP.exe'" /rl HIGHEST /f
    - DcRat
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[1] C:\Windows\system32\schtasks.exe (PID 2604)
    Command line: schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\System32\idndl\lsass.exe'" /rl HIGHEST /f
    - DcRat
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[1] C:\Windows\system32\schtasks.exe (PID 3044)
    Command line: schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\System32\PushPrinterConnections\taskhost.exe'" /rl HIGHEST /f
    - DcRat
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[1] C:\Windows\system32\schtasks.exe (PID 1512)
    Command line: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\System32\PortableDeviceSyncProvider\dwm.exe'" /rl HIGHEST /f
    - DcRat
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[1] C:\Windows\system32\schtasks.exe (PID 1244)
    Command line: schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\System32\dbnetlib\smss.exe'" /rl HIGHEST /f
    - DcRat
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[1] C:\Windows\system32\schtasks.exe (PID 1868)
    Command line: schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\System32\DfsShlEx\lsass.exe'" /rl HIGHEST /f
    - DcRat
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
Network

MITRE ATT&CK Enterprise v15
Counts in parentheses are the number of matched signatures per technique.
Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 97bc51e84f802e1e03dc22facb049662
  SHA1: e686a2ad4782476ccc7471f9a741676a544f918a
  SHA256: c9e3783e0ef8a6836c388d2969bd90e00f65064a02a120a550f8dcc0d6e2f660
  SHA512: 1eee382334fa7c785c050ba973b11f141913a4cc43a82d30f9cde32c3e9d7bbe6bc8b6dff7d555d6768911cdd8a6ea0bd84ca0d2e36f55b74573706bfff4a65b

(no path listed)
  Filesize: 1.5MB
  MD5: a064af50f9814c510162ec4013eac053
  SHA1: 78ca05f2bfb7ce038d506c275b5d2c90ebcc6a21
  SHA256: cbde6e3f3c8737547521280e3f386a1897f740bf86ca682b363f9ade6124f0bf
  SHA512: 89bf806975455b2c42d1d668a10356e08ca625e3edcab96559b0c104ade68a61d739f46d78111d6a1027f14435a9ecc0f7719616cb4ec74e228b32cd3373f5be

(no path listed; hashes match the submitted sample)
  Filesize: 1.5MB
  MD5: e6606aa0691b886298e05ae11a4167e2
  SHA1: 39da4c5f82a23ffd68f3151c9e54f0ea5d7bd076
  SHA256: b1f5f4c7b4c9919532783142fbd5af48df5768e591a57c08c256125155e01f30
  SHA512: 12ae8bc3c473a594b42b85ca6dc2e14f6b287fc126f41c3270a9e278213faf2e333830f95210f7d31fe404800a3b80b463079eea4067d504957f6ec5c681580b