dcrat | 26bda6e083db3a3c3ccaf29434850d91bbb9e10c48886a6f6a06bbf6c183448d

Analysis

max time kernel
149s
max time network
144s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12-01-2025 00:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

54eff01605da5e7cbdb382c98ece2c2a.exe
Size

1.9MB
MD5

54eff01605da5e7cbdb382c98ece2c2a
SHA1

be2ecfc24603a5e282bdfbb7780a03c1410879b8
SHA256

26bda6e083db3a3c3ccaf29434850d91bbb9e10c48886a6f6a06bbf6c183448d
SHA512

dd00705fb9741c6400145e2433af42605264a95e4c1fe44ee1579ac464463f9b493d8bdef98af4a5b03d717cd79357674cc09e5b8780c4ffe31a9704b08c89d0
SSDEEP

49152:gWLMtwyMxRizAwgueOJNN3lRHiKLWDWU:gLwyMb9ue0NTH2P

Score

10^/10

dcrat discovery infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Mail\\es-ES\\taskhost.exe\", \"C:\\Program Files (x86)\\Windows Defender\\WmiPrvSE.exe\", \"C:\\Users\\Admin\\Videos\\System.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\OSPPSVC.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\sppsvc.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\54eff01605da5e7cbdb382c98ece2c2a.exe\""	54eff01605da5e7cbdb382c98ece2c2a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Mail\\es-ES\\taskhost.exe\""	54eff01605da5e7cbdb382c98ece2c2a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Mail\\es-ES\\taskhost.exe\", \"C:\\Program Files (x86)\\Windows Defender\\WmiPrvSE.exe\""	54eff01605da5e7cbdb382c98ece2c2a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Mail\\es-ES\\taskhost.exe\", \"C:\\Program Files (x86)\\Windows Defender\\WmiPrvSE.exe\", \"C:\\Users\\Admin\\Videos\\System.exe\""	54eff01605da5e7cbdb382c98ece2c2a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Mail\\es-ES\\taskhost.exe\", \"C:\\Program Files (x86)\\Windows Defender\\WmiPrvSE.exe\", \"C:\\Users\\Admin\\Videos\\System.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\OSPPSVC.exe\""	54eff01605da5e7cbdb382c98ece2c2a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Mail\\es-ES\\taskhost.exe\", \"C:\\Program Files (x86)\\Windows Defender\\WmiPrvSE.exe\", \"C:\\Users\\Admin\\Videos\\System.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\OSPPSVC.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\sppsvc.exe\""	54eff01605da5e7cbdb382c98ece2c2a.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2544	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	2544	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	2544	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	2544	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	2544	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1872	2544	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	308	2544	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	2544	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	2544	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2544	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	2544	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	2544	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	584	2544	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	824	2544	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	2544	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1568	2544	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	2544	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	2544	schtasks.exe	30

Executes dropped EXE 12 IoCs

pid	Process
1312	taskhost.exe
300	taskhost.exe
2760	taskhost.exe
1816	taskhost.exe
2184	taskhost.exe
1712	taskhost.exe
816	taskhost.exe
2736	taskhost.exe
2616	taskhost.exe
1724	taskhost.exe
828	taskhost.exe
2344	taskhost.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\54eff01605da5e7cbdb382c98ece2c2a = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\54eff01605da5e7cbdb382c98ece2c2a.exe\""	54eff01605da5e7cbdb382c98ece2c2a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Program Files\\Windows Mail\\es-ES\\taskhost.exe\""	54eff01605da5e7cbdb382c98ece2c2a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\OSPPSVC.exe\""	54eff01605da5e7cbdb382c98ece2c2a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\sppsvc.exe\""	54eff01605da5e7cbdb382c98ece2c2a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Users\\Admin\\Videos\\System.exe\""	54eff01605da5e7cbdb382c98ece2c2a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Users\\Admin\\Videos\\System.exe\""	54eff01605da5e7cbdb382c98ece2c2a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\OSPPSVC.exe\""	54eff01605da5e7cbdb382c98ece2c2a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\sppsvc.exe\""	54eff01605da5e7cbdb382c98ece2c2a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\54eff01605da5e7cbdb382c98ece2c2a = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\54eff01605da5e7cbdb382c98ece2c2a.exe\""	54eff01605da5e7cbdb382c98ece2c2a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Program Files\\Windows Mail\\es-ES\\taskhost.exe\""	54eff01605da5e7cbdb382c98ece2c2a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Program Files (x86)\\Windows Defender\\WmiPrvSE.exe\""	54eff01605da5e7cbdb382c98ece2c2a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Program Files (x86)\\Windows Defender\\WmiPrvSE.exe\""	54eff01605da5e7cbdb382c98ece2c2a.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC9D4C1F12B44F44EA85C2B4F081235AA3.TMP	csc.exe
File created	\??\c:\Windows\System32\foda5r.exe	csc.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Mail\es-ES\taskhost.exe	54eff01605da5e7cbdb382c98ece2c2a.exe
File created	C:\Program Files\Windows Mail\es-ES\b75386f1303e64	54eff01605da5e7cbdb382c98ece2c2a.exe
File created	C:\Program Files (x86)\Windows Defender\WmiPrvSE.exe	54eff01605da5e7cbdb382c98ece2c2a.exe
File created	C:\Program Files (x86)\Windows Defender\24dbde2999530e	54eff01605da5e7cbdb382c98ece2c2a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 7 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
916	PING.EXE
2124	PING.EXE
3020	PING.EXE
1780	PING.EXE
372	PING.EXE
2800	PING.EXE
2912	PING.EXE

Runs ping.exe 1 TTPs 7 IoCs

Remote System Discovery

T1018

pid	Process
3020	PING.EXE
1780	PING.EXE
372	PING.EXE
2800	PING.EXE
2912	PING.EXE
916	PING.EXE
2124	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1872	schtasks.exe
2844	schtasks.exe
308	schtasks.exe
1704	schtasks.exe
2096	schtasks.exe
2988	schtasks.exe
2288	schtasks.exe
2028	schtasks.exe
2032	schtasks.exe
824	schtasks.exe
2404	schtasks.exe
2672	schtasks.exe
1808	schtasks.exe
1952	schtasks.exe
2616	schtasks.exe
2848	schtasks.exe
584	schtasks.exe
1568	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2660	54eff01605da5e7cbdb382c98ece2c2a.exe
2660	54eff01605da5e7cbdb382c98ece2c2a.exe
2660	54eff01605da5e7cbdb382c98ece2c2a.exe
2660	54eff01605da5e7cbdb382c98ece2c2a.exe
2660	54eff01605da5e7cbdb382c98ece2c2a.exe
2660	54eff01605da5e7cbdb382c98ece2c2a.exe
2660	54eff01605da5e7cbdb382c98ece2c2a.exe
2660	54eff01605da5e7cbdb382c98ece2c2a.exe
2660	54eff01605da5e7cbdb382c98ece2c2a.exe
2660	54eff01605da5e7cbdb382c98ece2c2a.exe
2660	54eff01605da5e7cbdb382c98ece2c2a.exe
2660	54eff01605da5e7cbdb382c98ece2c2a.exe
2660	54eff01605da5e7cbdb382c98ece2c2a.exe
2660	54eff01605da5e7cbdb382c98ece2c2a.exe
2660	54eff01605da5e7cbdb382c98ece2c2a.exe
2660	54eff01605da5e7cbdb382c98ece2c2a.exe
2660	54eff01605da5e7cbdb382c98ece2c2a.exe
2660	54eff01605da5e7cbdb382c98ece2c2a.exe
2660	54eff01605da5e7cbdb382c98ece2c2a.exe
2660	54eff01605da5e7cbdb382c98ece2c2a.exe
2660	54eff01605da5e7cbdb382c98ece2c2a.exe
2660	54eff01605da5e7cbdb382c98ece2c2a.exe
2660	54eff01605da5e7cbdb382c98ece2c2a.exe
2660	54eff01605da5e7cbdb382c98ece2c2a.exe
2660	54eff01605da5e7cbdb382c98ece2c2a.exe
2660	54eff01605da5e7cbdb382c98ece2c2a.exe
2660	54eff01605da5e7cbdb382c98ece2c2a.exe
2660	54eff01605da5e7cbdb382c98ece2c2a.exe
2660	54eff01605da5e7cbdb382c98ece2c2a.exe
2660	54eff01605da5e7cbdb382c98ece2c2a.exe
2660	54eff01605da5e7cbdb382c98ece2c2a.exe
2660	54eff01605da5e7cbdb382c98ece2c2a.exe
2660	54eff01605da5e7cbdb382c98ece2c2a.exe
2660	54eff01605da5e7cbdb382c98ece2c2a.exe
2660	54eff01605da5e7cbdb382c98ece2c2a.exe
2660	54eff01605da5e7cbdb382c98ece2c2a.exe
2660	54eff01605da5e7cbdb382c98ece2c2a.exe
2660	54eff01605da5e7cbdb382c98ece2c2a.exe
2660	54eff01605da5e7cbdb382c98ece2c2a.exe
2660	54eff01605da5e7cbdb382c98ece2c2a.exe
2660	54eff01605da5e7cbdb382c98ece2c2a.exe
2660	54eff01605da5e7cbdb382c98ece2c2a.exe
2660	54eff01605da5e7cbdb382c98ece2c2a.exe
2660	54eff01605da5e7cbdb382c98ece2c2a.exe
2660	54eff01605da5e7cbdb382c98ece2c2a.exe
2660	54eff01605da5e7cbdb382c98ece2c2a.exe
2660	54eff01605da5e7cbdb382c98ece2c2a.exe
2660	54eff01605da5e7cbdb382c98ece2c2a.exe
2660	54eff01605da5e7cbdb382c98ece2c2a.exe
2660	54eff01605da5e7cbdb382c98ece2c2a.exe
2660	54eff01605da5e7cbdb382c98ece2c2a.exe
2660	54eff01605da5e7cbdb382c98ece2c2a.exe
2660	54eff01605da5e7cbdb382c98ece2c2a.exe
2660	54eff01605da5e7cbdb382c98ece2c2a.exe
2660	54eff01605da5e7cbdb382c98ece2c2a.exe
2660	54eff01605da5e7cbdb382c98ece2c2a.exe
2660	54eff01605da5e7cbdb382c98ece2c2a.exe
2660	54eff01605da5e7cbdb382c98ece2c2a.exe
2660	54eff01605da5e7cbdb382c98ece2c2a.exe
2660	54eff01605da5e7cbdb382c98ece2c2a.exe
2660	54eff01605da5e7cbdb382c98ece2c2a.exe
2660	54eff01605da5e7cbdb382c98ece2c2a.exe
2660	54eff01605da5e7cbdb382c98ece2c2a.exe
2660	54eff01605da5e7cbdb382c98ece2c2a.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	2660	54eff01605da5e7cbdb382c98ece2c2a.exe
Token: SeDebugPrivilege	1312	taskhost.exe
Token: SeDebugPrivilege	300	taskhost.exe
Token: SeDebugPrivilege	2760	taskhost.exe
Token: SeDebugPrivilege	1816	taskhost.exe
Token: SeDebugPrivilege	2184	taskhost.exe
Token: SeDebugPrivilege	1712	taskhost.exe
Token: SeDebugPrivilege	816	taskhost.exe
Token: SeDebugPrivilege	2736	taskhost.exe
Token: SeDebugPrivilege	2616	taskhost.exe
Token: SeDebugPrivilege	1724	taskhost.exe
Token: SeDebugPrivilege	828	taskhost.exe
Token: SeDebugPrivilege	2344	taskhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2660 wrote to memory of 1716	2660	54eff01605da5e7cbdb382c98ece2c2a.exe	34
PID 2660 wrote to memory of 1716	2660	54eff01605da5e7cbdb382c98ece2c2a.exe	34
PID 2660 wrote to memory of 1716	2660	54eff01605da5e7cbdb382c98ece2c2a.exe	34
PID 1716 wrote to memory of 2584	1716	csc.exe	36
PID 1716 wrote to memory of 2584	1716	csc.exe	36
PID 1716 wrote to memory of 2584	1716	csc.exe	36
PID 2660 wrote to memory of 2764	2660	54eff01605da5e7cbdb382c98ece2c2a.exe	52
PID 2660 wrote to memory of 2764	2660	54eff01605da5e7cbdb382c98ece2c2a.exe	52
PID 2660 wrote to memory of 2764	2660	54eff01605da5e7cbdb382c98ece2c2a.exe	52
PID 2764 wrote to memory of 2220	2764	cmd.exe	54
PID 2764 wrote to memory of 2220	2764	cmd.exe	54
PID 2764 wrote to memory of 2220	2764	cmd.exe	54
PID 2764 wrote to memory of 1788	2764	cmd.exe	55
PID 2764 wrote to memory of 1788	2764	cmd.exe	55
PID 2764 wrote to memory of 1788	2764	cmd.exe	55
PID 2764 wrote to memory of 1312	2764	cmd.exe	56
PID 2764 wrote to memory of 1312	2764	cmd.exe	56
PID 2764 wrote to memory of 1312	2764	cmd.exe	56
PID 1312 wrote to memory of 1936	1312	taskhost.exe	57
PID 1312 wrote to memory of 1936	1312	taskhost.exe	57
PID 1312 wrote to memory of 1936	1312	taskhost.exe	57
PID 1936 wrote to memory of 1452	1936	cmd.exe	59
PID 1936 wrote to memory of 1452	1936	cmd.exe	59
PID 1936 wrote to memory of 1452	1936	cmd.exe	59
PID 1936 wrote to memory of 372	1936	cmd.exe	60
PID 1936 wrote to memory of 372	1936	cmd.exe	60
PID 1936 wrote to memory of 372	1936	cmd.exe	60
PID 1936 wrote to memory of 300	1936	cmd.exe	61
PID 1936 wrote to memory of 300	1936	cmd.exe	61
PID 1936 wrote to memory of 300	1936	cmd.exe	61
PID 300 wrote to memory of 1596	300	taskhost.exe	62
PID 300 wrote to memory of 1596	300	taskhost.exe	62
PID 300 wrote to memory of 1596	300	taskhost.exe	62
PID 1596 wrote to memory of 2804	1596	cmd.exe	64
PID 1596 wrote to memory of 2804	1596	cmd.exe	64
PID 1596 wrote to memory of 2804	1596	cmd.exe	64
PID 1596 wrote to memory of 2800	1596	cmd.exe	65
PID 1596 wrote to memory of 2800	1596	cmd.exe	65
PID 1596 wrote to memory of 2800	1596	cmd.exe	65
PID 1596 wrote to memory of 2760	1596	cmd.exe	66
PID 1596 wrote to memory of 2760	1596	cmd.exe	66
PID 1596 wrote to memory of 2760	1596	cmd.exe	66
PID 2760 wrote to memory of 1080	2760	taskhost.exe	67
PID 2760 wrote to memory of 1080	2760	taskhost.exe	67
PID 2760 wrote to memory of 1080	2760	taskhost.exe	67
PID 1080 wrote to memory of 2160	1080	cmd.exe	69
PID 1080 wrote to memory of 2160	1080	cmd.exe	69
PID 1080 wrote to memory of 2160	1080	cmd.exe	69
PID 1080 wrote to memory of 2408	1080	cmd.exe	70
PID 1080 wrote to memory of 2408	1080	cmd.exe	70
PID 1080 wrote to memory of 2408	1080	cmd.exe	70
PID 1080 wrote to memory of 1816	1080	cmd.exe	71
PID 1080 wrote to memory of 1816	1080	cmd.exe	71
PID 1080 wrote to memory of 1816	1080	cmd.exe	71
PID 1816 wrote to memory of 2392	1816	taskhost.exe	72
PID 1816 wrote to memory of 2392	1816	taskhost.exe	72
PID 1816 wrote to memory of 2392	1816	taskhost.exe	72
PID 2392 wrote to memory of 2816	2392	cmd.exe	74
PID 2392 wrote to memory of 2816	2392	cmd.exe	74
PID 2392 wrote to memory of 2816	2392	cmd.exe	74
PID 2392 wrote to memory of 2912	2392	cmd.exe	75
PID 2392 wrote to memory of 2912	2392	cmd.exe	75
PID 2392 wrote to memory of 2912	2392	cmd.exe	75
PID 2392 wrote to memory of 2184	2392	cmd.exe	76

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\54eff01605da5e7cbdb382c98ece2c2a.exe
"C:\Users\Admin\AppData\Local\Temp\54eff01605da5e7cbdb382c98ece2c2a.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2660
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3xfpduom\3xfpduom.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1716
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB37.tmp" "c:\Windows\System32\CSC9D4C1F12B44F44EA85C2B4F081235AA3.TMP"
    3⤵
    PID:2584
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tJkF1zEPYf.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2220
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1788
- - C:\Program Files\Windows Mail\es-ES\taskhost.exe
    "C:\Program Files\Windows Mail\es-ES\taskhost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1312
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5qZhUS053y.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1936
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:1452
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:372
    - - C:\Program Files\Windows Mail\es-ES\taskhost.exe
        
        "C:\Program Files\Windows Mail\es-ES\taskhost.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:300
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\utpnwKYKap.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1596
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:2804
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2800
        
        C:\Program Files\Windows Mail\es-ES\taskhost.exe
        
        "C:\Program Files\Windows Mail\es-ES\taskhost.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TtX0d4fx4d.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1080
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:2160
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2408
        
        C:\Program Files\Windows Mail\es-ES\taskhost.exe
        
        "C:\Program Files\Windows Mail\es-ES\taskhost.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1816
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\x6qvRCaXDp.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2392
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:2816
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2912
        
        C:\Program Files\Windows Mail\es-ES\taskhost.exe
        
        "C:\Program Files\Windows Mail\es-ES\taskhost.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2184
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uERItUpcE0.bat"
        12⤵
        
        PID:2960
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:1084
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:916
        
        C:\Program Files\Windows Mail\es-ES\taskhost.exe
        
        "C:\Program Files\Windows Mail\es-ES\taskhost.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1712
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZI9TpMxUin.bat"
        14⤵
        
        PID:2896
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:892
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2124
        
        C:\Program Files\Windows Mail\es-ES\taskhost.exe
        
        "C:\Program Files\Windows Mail\es-ES\taskhost.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:816
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fkvHkpsFQE.bat"
        16⤵
        
        PID:2592
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:2720
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3020
        
        C:\Program Files\Windows Mail\es-ES\taskhost.exe
        
        "C:\Program Files\Windows Mail\es-ES\taskhost.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2736
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\o1vNVowh3C.bat"
        18⤵
        
        PID:600
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:852
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1780
        
        C:\Program Files\Windows Mail\es-ES\taskhost.exe
        
        "C:\Program Files\Windows Mail\es-ES\taskhost.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2616
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fYqjwDText.bat"
        20⤵
        
        PID:2992
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:1828
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2204
        
        C:\Program Files\Windows Mail\es-ES\taskhost.exe
        
        "C:\Program Files\Windows Mail\es-ES\taskhost.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1724
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\O2a76Ow1QW.bat"
        22⤵
        
        PID:868
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:2228
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:1068
        
        C:\Program Files\Windows Mail\es-ES\taskhost.exe
        
        "C:\Program Files\Windows Mail\es-ES\taskhost.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:828
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\39SckRh7ya.bat"
        24⤵
        
        PID:2252
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:2304
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2464
        
        C:\Program Files\Windows Mail\es-ES\taskhost.exe
        
        "C:\Program Files\Windows Mail\es-ES\taskhost.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Mail\es-ES\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\es-ES\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Mail\es-ES\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Defender\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Defender\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Videos\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Admin\Videos\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Videos\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "54eff01605da5e7cbdb382c98ece2c2a5" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\AppData\Local\Temp\54eff01605da5e7cbdb382c98ece2c2a.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "54eff01605da5e7cbdb382c98ece2c2a" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\54eff01605da5e7cbdb382c98ece2c2a.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "54eff01605da5e7cbdb382c98ece2c2a5" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Local\Temp\54eff01605da5e7cbdb382c98ece2c2a.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Mail\es-ES\taskhost.exe

Filesize
1.9MB

MD5
54eff01605da5e7cbdb382c98ece2c2a

SHA1
be2ecfc24603a5e282bdfbb7780a03c1410879b8

SHA256
26bda6e083db3a3c3ccaf29434850d91bbb9e10c48886a6f6a06bbf6c183448d

SHA512
dd00705fb9741c6400145e2433af42605264a95e4c1fe44ee1579ac464463f9b493d8bdef98af4a5b03d717cd79357674cc09e5b8780c4ffe31a9704b08c89d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\39SckRh7ya.bat

Filesize
224B

MD5
2b090aaada9019672c38d322a1178b8b

SHA1
af23928bc2d6b086b4deb46690fc1847b23c9a7e

SHA256
59332b5e761ec7c15513041e7e109b3afccaee23dfdd01c68fc112b2d3347f78

SHA512
81a3c719ce3f1d557a801da8f6e3ff53af7d133a8a1911c8f789f0dc43255afe0183c7e21b33c9baf664a30d22b4a7588c40a173fddf9fca6c63da252954b772

Download Submit
C:\Users\Admin\AppData\Local\Temp\5qZhUS053y.bat

Filesize
176B

MD5
31f50417ae2319ee70ede803aec1b735

SHA1
81f6ca51501fc1e453ba7f3ccf7c35ba12d57dfb

SHA256
3ef25faab7e08c38678d708cf830f7522c7fbc37cabd52fe76d6239bde9d8db0

SHA512
b21ce59af7a6ff77e7c53d696bfe5c0e18f0042d34bd9e220b257a2ed4390f65f48fc350aab15eb4c0752b583c5ee0ae201efe397876ae3f199ce69f4040314e

Download Submit
C:\Users\Admin\AppData\Local\Temp\O2a76Ow1QW.bat

Filesize
224B

MD5
4e16dff42ded22f18443ac259b22f9cc

SHA1
8959218a6e4bea6dce6cb3a24373c0d4ae10c382

SHA256
8f018dd5cfd3b6e469787f977d625fbf833ae8799cc7bc38c9b51c7dca5169e3

SHA512
d739e0f5aa815b86399f6561ef42f6b4dc68e58b0eb6817a3b79d8a0137ed3846d51c018323bbb8be5ab868daa260782cc520e7d3fabdd0b3d8f7be58afc0cfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB37.tmp

Filesize
1KB

MD5
70fdb3556add5298023a97e27787a49f

SHA1
abbcc5f94d022de727a647706a5d41d6d02922ec

SHA256
cf474131dec292f605a7a1605967b9bc07b2e600df615636853cb786dfca9808

SHA512
92c2d8419da9b8c8f7d29681434d306e7cfdb2199ae94e44d90a7197c041f5687a48a154be52056ad44ff6476b2eec9084472ff4a3ab6c5e19aeecd7a74e2671

Download Submit
C:\Users\Admin\AppData\Local\Temp\TtX0d4fx4d.bat

Filesize
224B

MD5
b451b5f9be78b124e1410a18fbdd8042

SHA1
62fe0ec80f87f17fb2d741305250808c848461ee

SHA256
164e36390a2697c9613a65a118f0c7a56f87730cb1eac29ae091f990d8ada4c7

SHA512
7c4fc4b7d711f9a5c38fc24101ff017fc90f09cfb4646d52e222c42c49bf2fd4ee0009cc70f9cc403353ad06f54dfd5dbfa0c4035978731cc55e96957563dcbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZI9TpMxUin.bat

Filesize
176B

MD5
e70371a6d65aa6b367452019d9eeecda

SHA1
6ad2599b545c7b081cbbcec9d54692006c6499bb

SHA256
c9d9d00365d898d69243dc9fcd9a8e6cf38b509019d87c6ce51f96144ce18cb3

SHA512
6a362d96260980335b12a6b1b798a280edd051cd39f5ca556bb1675093829c993da4a81e771c4da939c52083b2395e9e574f5c3ef7c2f4dce7ea1a8db5263ad7

Download Submit
C:\Users\Admin\AppData\Local\Temp\fYqjwDText.bat

Filesize
224B

MD5
7839696796cd44e21da0827466e9403b

SHA1
84c6e01a4e286f6973c7d59d133fddb779ca3e5e

SHA256
8ee96de50c17ab80d198a0ed79bcc8c4571bbdabc45f165ad3f0e7ed9343b0a3

SHA512
10a084651be1e68f5539bd30c0f22aff19a7eb5ebb7dce90f22fa8c6a67cdd964b3512aea26a4c572d9383ba40b0495604c0b4d2a06470309fc40d04b83c0a20

Download Submit
C:\Users\Admin\AppData\Local\Temp\fkvHkpsFQE.bat

Filesize
176B

MD5
55f7c5d35cce048cddfed1b34cf12fa5

SHA1
3817c86cd0af75df07d5c9b18d4403d7e8388be7

SHA256
985af613b3353b03d95fcdf85db2cc860d5891312c08de69c53a389525b2629b

SHA512
a0df4a159ad846b85ee582f85b67d5253cada6debbc1eb693d62514530a9ca0bc046c7206fdf1482a2292afa2f45727cb434b2ea1bb52854fc6fe91138c829dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\o1vNVowh3C.bat

Filesize
176B

MD5
6160473c631b2d855e470039ec93bfeb

SHA1
10b36509d0d82bb20927b82192bc3d61a2dd006f

SHA256
4f59df7087c7c097953e4f51d9495b8defdee43dd5b28a0a54cb53db5e5a8c8f

SHA512
9ef7def21d3237972142f6dedbd8a96e33fccbeed30ed06a4d4e1bbfd767d4c2425cd048f9543c2bb78e63411833c83d09c923ce0258a7f5ac7f1f7980031103

Download Submit
C:\Users\Admin\AppData\Local\Temp\tJkF1zEPYf.bat

Filesize
224B

MD5
262646d67c4290dc2bb7ab053c992b26

SHA1
32e4dfd89a19f7bb04c00f73c4270befd089da4c

SHA256
eace24cc8e85e863552ec65808655ef21b17a05d5290841c59b3f866aa24cbf8

SHA512
09768d08a9d0bee798028f09a7076602d0836e87eec4fdd3e9165174c059e80a49c5711736b7055ddc49be4c091f1e251f4ea46df2cd1f944576f3f57a7024c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\uERItUpcE0.bat

Filesize
176B

MD5
ee256262eba1133bbcbde2d4d17d153d

SHA1
2ac8a211ff8b3b8663ee49c3ee870ec52345d7b2

SHA256
d5ccd6708b16863e50d39d6004af129d62edce58bd2b99d408e33eba386f73d4

SHA512
beaba92f62a983337e8c75f943c76e0184a835b2676da363eef7d0db4469b1ff080a7ac7566e1f3be356593ea217840f38d8f4a7f62170e0e0d9b0aede7f08ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\utpnwKYKap.bat

Filesize
176B

MD5
bdc2fc2449b3ec3f9a28e5dd35bbe934

SHA1
ce2c80bf2a9c8df5172a476799d71455bfefaa2b

SHA256
04052d570456df621c16f824fab212ca2f7fd61b29a694ce9b65e7881f474c83

SHA512
583fc59d921572d4a28ed76fd033db2dc0026a33d34303620f5e8eafd5868dadd8e5ac96923abdaa6d910d55f03143d7fc1022f72e75857363acb5d107e730c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\x6qvRCaXDp.bat

Filesize
176B

MD5
d957985ad8e40735632a96a4d309195b

SHA1
efb861de34de6fb91d07715862064b95b412e645

SHA256
3371e3a172c70c891617e573f57f69469c664215745d5b8844c54459beadee26

SHA512
cb4820e6e43f464e90e2c4d5a30d31a7cf1804966de7ba07882bb90bad4dde7624167df908f3c81cbd66582010fc6aff8f8ed446d5bb7464af67d9c33a18a81f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3xfpduom\3xfpduom.0.cs

Filesize
380B

MD5
3da268879545434089194ec2ac641637

SHA1
40192903c1a60ef1f599962ed143c8a5e6beaec8

SHA256
810547c50fafa384b0c6a400583245144cfbda7267c18b0628ccb2abd8453af0

SHA512
08271e79b9896afe73d07ac8c0443878317e664c1d1e4a60e1d883510f82a7db20acfade3940d73a275c991c6501d44b07edebf6821909a8f5756632bc53d713

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3xfpduom\3xfpduom.cmdline

Filesize
235B

MD5
3c54c39a2f0f5c972c1ba8059251c694

SHA1
d6ab09b20283fee4479b7bfdd66a6eade809277e

SHA256
87c784d0fc334dfd4476f0461c0cbaf6b925ea7355eb0c42c289178a2192105a

SHA512
5a429a34ac3c511dea931f2bd2a8c3dfb2d3dcda03bd631b9a1488a3a5c55b44fd5c61de4214fcc9cc0b13788e3b7359bc7b0b62bbf3cebfd25b2817342b6232

Download Submit
\??\c:\Windows\System32\CSC9D4C1F12B44F44EA85C2B4F081235AA3.TMP

Filesize
1KB

MD5
02b6f6024c0f35b2dfb735e30d40ea59

SHA1
9e28d1d16523aab5845e09fdecf27759375f9b5a

SHA256
17491f9c7a135563b4c9dd20e2113e934070166146005e0f97ab301f4a5ef4aa

SHA512
a8a734f3d0f4d6a8904a8faa5638db91e9034c55306f153fdf321731cdfaaa58847d731ee64b226df0bd6cd4b8e6ed6d2ed1af77f510e079755f7159af433672

Download Submit
memory/1312-56-0x0000000001330000-0x0000000001524000-memory.dmp

Filesize
2.0MB

Download
memory/2660-20-0x000007FEF5750000-0x000007FEF613C000-memory.dmp

Filesize
9.9MB

Download
memory/2660-3-0x000007FEF5750000-0x000007FEF613C000-memory.dmp

Filesize
9.9MB

Download
memory/2660-19-0x0000000000CA0000-0x0000000000CAE000-memory.dmp

Filesize
56KB

Download
memory/2660-15-0x000007FEF5750000-0x000007FEF613C000-memory.dmp

Filesize
9.9MB

Download
memory/2660-12-0x00000000004F0000-0x0000000000508000-memory.dmp

Filesize
96KB

Download
memory/2660-53-0x000007FEF5750000-0x000007FEF613C000-memory.dmp

Filesize
9.9MB

Download
memory/2660-23-0x000007FEF5750000-0x000007FEF613C000-memory.dmp

Filesize
9.9MB

Download
memory/2660-24-0x000007FEF5750000-0x000007FEF613C000-memory.dmp

Filesize
9.9MB

Download
memory/2660-1-0x0000000000CE0000-0x0000000000ED4000-memory.dmp

Filesize
2.0MB

Download
memory/2660-17-0x00000000004C0000-0x00000000004CC000-memory.dmp

Filesize
48KB

Download
memory/2660-14-0x00000000004B0000-0x00000000004BC000-memory.dmp

Filesize
48KB

Download
memory/2660-8-0x000007FEF5750000-0x000007FEF613C000-memory.dmp

Filesize
9.9MB

Download
memory/2660-7-0x000007FEF5750000-0x000007FEF613C000-memory.dmp

Filesize
9.9MB

Download
memory/2660-6-0x00000000004A0000-0x00000000004AE000-memory.dmp

Filesize
56KB

Download
memory/2660-0-0x000007FEF5753000-0x000007FEF5754000-memory.dmp

Filesize
4KB

Download
memory/2660-22-0x0000000000CB0000-0x0000000000CBC000-memory.dmp

Filesize
48KB

Download
memory/2660-4-0x000007FEF5750000-0x000007FEF613C000-memory.dmp

Filesize
9.9MB

Download
memory/2660-10-0x00000000004D0000-0x00000000004EC000-memory.dmp

Filesize
112KB

Download
memory/2660-2-0x000007FEF5750000-0x000007FEF613C000-memory.dmp

Filesize
9.9MB

Download
memory/2736-148-0x0000000001390000-0x0000000001584000-memory.dmp

Filesize
2.0MB

Download