dcrat | 58040788269169456e7831099188a99796227cac63cc28771496d9f97204b895

Analysis

max time kernel
145s
max time network
145s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-01-2025 12:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DCobxod.exe
Size

35.2MB
MD5

bc4a8996f18f14f3c77fff13fd23b00d
SHA1

431779aa67e97a32824956d9f3c9122a8340486b
SHA256

58040788269169456e7831099188a99796227cac63cc28771496d9f97204b895
SHA512

1e7e873f4af45963ffd59973bd1d76fbe5bf3841414788ade05aab69f11aae66c5fa3da082a43183a094fb12f5f94e35190e01c9ac224888f557f659a453471c
SSDEEP

98304:yrdqTz4+mudOlbI9tp2159NiHZOGDjuXnU:0dqvYwO23mwY8

Score

10^/10

dcrat discovery execution infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\smss.exe\", \"C:\\Program Files\\Java\\jre7\\bin\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\WMIADAP.exe\""	intoHostperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\smss.exe\", \"C:\\Program Files\\Java\\jre7\\bin\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\WMIADAP.exe\", \"C:\\Windows\\es-ES\\OSPPSVC.exe\""	intoHostperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\smss.exe\", \"C:\\Program Files\\Java\\jre7\\bin\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\WMIADAP.exe\", \"C:\\Windows\\es-ES\\OSPPSVC.exe\", \"C:\\Users\\Default User\\dwm.exe\""	intoHostperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\smss.exe\", \"C:\\Program Files\\Java\\jre7\\bin\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\WMIADAP.exe\", \"C:\\Windows\\es-ES\\OSPPSVC.exe\", \"C:\\Users\\Default User\\dwm.exe\", \"C:\\Browserhost\\intoHostperf.exe\""	intoHostperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\smss.exe\""	intoHostperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\smss.exe\", \"C:\\Program Files\\Java\\jre7\\bin\\conhost.exe\""	intoHostperf.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1580	1224	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	1224	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	1224	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	1224	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1440	1224	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	1224	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	1224	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	1224	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	1224	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	1224	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	1224	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2100	1224	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	1224	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	236	1224	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	1224	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	1224	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1276	1224	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1820	1224	schtasks.exe	35

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2576	powershell.exe
2312	powershell.exe
2604	powershell.exe
1148	powershell.exe
900	powershell.exe
988	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
1480	intoHostperf.exe
2952	smss.exe
2948	smss.exe
316	smss.exe
2264	smss.exe
2568	smss.exe
2240	smss.exe
1628	smss.exe
2744	smss.exe
1444	smss.exe
2472	smss.exe

Loads dropped DLL 2 IoCs

pid	Process
2200	cmd.exe
2200	cmd.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Windows\\es-ES\\OSPPSVC.exe\""	intoHostperf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Users\\Default User\\dwm.exe\""	intoHostperf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\intoHostperf = "\"C:\\Browserhost\\intoHostperf.exe\""	intoHostperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\intoHostperf = "\"C:\\Browserhost\\intoHostperf.exe\""	intoHostperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Program Files\\Java\\jre7\\bin\\conhost.exe\""	intoHostperf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\WMIADAP = "\"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\WMIADAP.exe\""	intoHostperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WMIADAP = "\"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\WMIADAP.exe\""	intoHostperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Windows\\es-ES\\OSPPSVC.exe\""	intoHostperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Users\\Default User\\dwm.exe\""	intoHostperf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\MSOCache\\All Users\\smss.exe\""	intoHostperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\MSOCache\\All Users\\smss.exe\""	intoHostperf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Program Files\\Java\\jre7\\bin\\conhost.exe\""	intoHostperf.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC4A04F327CA9F4A7CAEC62C5CE0CEA191.TMP	csc.exe
File created	\??\c:\Windows\System32\foda5r.exe	csc.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jre7\bin\088424020bedd6	intoHostperf.exe
File created	C:\Program Files\Java\jre7\bin\conhost.exe	intoHostperf.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\es-ES\OSPPSVC.exe	intoHostperf.exe
File created	C:\Windows\es-ES\1610b97d3ab4a7	intoHostperf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DCobxod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 7 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2872	PING.EXE
2984	PING.EXE
2504	PING.EXE
1952	PING.EXE
2992	PING.EXE
2024	PING.EXE
1068	PING.EXE

Runs ping.exe 1 TTPs 7 IoCs

Remote System Discovery

T1018

pid	Process
2504	PING.EXE
1952	PING.EXE
2992	PING.EXE
2024	PING.EXE
1068	PING.EXE
2872	PING.EXE
2984	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2716	schtasks.exe
1684	schtasks.exe
1276	schtasks.exe
2852	schtasks.exe
2804	schtasks.exe
1440	schtasks.exe
2148	schtasks.exe
2128	schtasks.exe
1820	schtasks.exe
1580	schtasks.exe
3060	schtasks.exe
2180	schtasks.exe
2020	schtasks.exe
2100	schtasks.exe
2156	schtasks.exe
2008	schtasks.exe
2824	schtasks.exe
236	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1480	intoHostperf.exe
1480	intoHostperf.exe
1480	intoHostperf.exe
1480	intoHostperf.exe
1480	intoHostperf.exe
1480	intoHostperf.exe
1480	intoHostperf.exe
1480	intoHostperf.exe
1480	intoHostperf.exe
1480	intoHostperf.exe
1480	intoHostperf.exe
1480	intoHostperf.exe
1480	intoHostperf.exe
1480	intoHostperf.exe
1480	intoHostperf.exe
1480	intoHostperf.exe
1480	intoHostperf.exe
1480	intoHostperf.exe
1480	intoHostperf.exe
1480	intoHostperf.exe
1480	intoHostperf.exe
1480	intoHostperf.exe
1480	intoHostperf.exe
1480	intoHostperf.exe
1480	intoHostperf.exe
1480	intoHostperf.exe
1480	intoHostperf.exe
1480	intoHostperf.exe
1480	intoHostperf.exe
1480	intoHostperf.exe
1480	intoHostperf.exe
1480	intoHostperf.exe
1480	intoHostperf.exe
1480	intoHostperf.exe
1480	intoHostperf.exe
1480	intoHostperf.exe
1480	intoHostperf.exe
1480	intoHostperf.exe
1480	intoHostperf.exe
1480	intoHostperf.exe
1480	intoHostperf.exe
1480	intoHostperf.exe
1480	intoHostperf.exe
1480	intoHostperf.exe
1480	intoHostperf.exe
1480	intoHostperf.exe
1480	intoHostperf.exe
1480	intoHostperf.exe
1480	intoHostperf.exe
1480	intoHostperf.exe
1480	intoHostperf.exe
1480	intoHostperf.exe
1480	intoHostperf.exe
1480	intoHostperf.exe
1480	intoHostperf.exe
1480	intoHostperf.exe
1480	intoHostperf.exe
1480	intoHostperf.exe
1480	intoHostperf.exe
1480	intoHostperf.exe
1480	intoHostperf.exe
1480	intoHostperf.exe
1480	intoHostperf.exe
1480	intoHostperf.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	1480	intoHostperf.exe
Token: SeDebugPrivilege	2604	powershell.exe
Token: SeDebugPrivilege	988	powershell.exe
Token: SeDebugPrivilege	2576	powershell.exe
Token: SeDebugPrivilege	2312	powershell.exe
Token: SeDebugPrivilege	1148	powershell.exe
Token: SeDebugPrivilege	900	powershell.exe
Token: SeDebugPrivilege	2952	smss.exe
Token: SeDebugPrivilege	2948	smss.exe
Token: SeDebugPrivilege	316	smss.exe
Token: SeDebugPrivilege	2264	smss.exe
Token: SeDebugPrivilege	2568	smss.exe
Token: SeDebugPrivilege	2240	smss.exe
Token: SeDebugPrivilege	1628	smss.exe
Token: SeDebugPrivilege	2744	smss.exe
Token: SeDebugPrivilege	1444	smss.exe
Token: SeDebugPrivilege	2472	smss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 2264	2072	DCobxod.exe	30
PID 2072 wrote to memory of 2264	2072	DCobxod.exe	30
PID 2072 wrote to memory of 2264	2072	DCobxod.exe	30
PID 2072 wrote to memory of 2264	2072	DCobxod.exe	30
PID 2264 wrote to memory of 2200	2264	WScript.exe	31
PID 2264 wrote to memory of 2200	2264	WScript.exe	31
PID 2264 wrote to memory of 2200	2264	WScript.exe	31
PID 2264 wrote to memory of 2200	2264	WScript.exe	31
PID 2200 wrote to memory of 1480	2200	cmd.exe	33
PID 2200 wrote to memory of 1480	2200	cmd.exe	33
PID 2200 wrote to memory of 1480	2200	cmd.exe	33
PID 2200 wrote to memory of 1480	2200	cmd.exe	33
PID 1480 wrote to memory of 2016	1480	intoHostperf.exe	39
PID 1480 wrote to memory of 2016	1480	intoHostperf.exe	39
PID 1480 wrote to memory of 2016	1480	intoHostperf.exe	39
PID 2016 wrote to memory of 980	2016	csc.exe	41
PID 2016 wrote to memory of 980	2016	csc.exe	41
PID 2016 wrote to memory of 980	2016	csc.exe	41
PID 1480 wrote to memory of 2312	1480	intoHostperf.exe	57
PID 1480 wrote to memory of 2312	1480	intoHostperf.exe	57
PID 1480 wrote to memory of 2312	1480	intoHostperf.exe	57
PID 1480 wrote to memory of 2576	1480	intoHostperf.exe	58
PID 1480 wrote to memory of 2576	1480	intoHostperf.exe	58
PID 1480 wrote to memory of 2576	1480	intoHostperf.exe	58
PID 1480 wrote to memory of 988	1480	intoHostperf.exe	59
PID 1480 wrote to memory of 988	1480	intoHostperf.exe	59
PID 1480 wrote to memory of 988	1480	intoHostperf.exe	59
PID 1480 wrote to memory of 900	1480	intoHostperf.exe	60
PID 1480 wrote to memory of 900	1480	intoHostperf.exe	60
PID 1480 wrote to memory of 900	1480	intoHostperf.exe	60
PID 1480 wrote to memory of 1148	1480	intoHostperf.exe	61
PID 1480 wrote to memory of 1148	1480	intoHostperf.exe	61
PID 1480 wrote to memory of 1148	1480	intoHostperf.exe	61
PID 1480 wrote to memory of 2604	1480	intoHostperf.exe	62
PID 1480 wrote to memory of 2604	1480	intoHostperf.exe	62
PID 1480 wrote to memory of 2604	1480	intoHostperf.exe	62
PID 1480 wrote to memory of 1444	1480	intoHostperf.exe	66
PID 1480 wrote to memory of 1444	1480	intoHostperf.exe	66
PID 1480 wrote to memory of 1444	1480	intoHostperf.exe	66
PID 1444 wrote to memory of 1588	1444	cmd.exe	71
PID 1444 wrote to memory of 1588	1444	cmd.exe	71
PID 1444 wrote to memory of 1588	1444	cmd.exe	71
PID 1444 wrote to memory of 2992	1444	cmd.exe	72
PID 1444 wrote to memory of 2992	1444	cmd.exe	72
PID 1444 wrote to memory of 2992	1444	cmd.exe	72
PID 1444 wrote to memory of 2952	1444	cmd.exe	73
PID 1444 wrote to memory of 2952	1444	cmd.exe	73
PID 1444 wrote to memory of 2952	1444	cmd.exe	73
PID 2952 wrote to memory of 2812	2952	smss.exe	74
PID 2952 wrote to memory of 2812	2952	smss.exe	74
PID 2952 wrote to memory of 2812	2952	smss.exe	74
PID 2812 wrote to memory of 652	2812	cmd.exe	76
PID 2812 wrote to memory of 652	2812	cmd.exe	76
PID 2812 wrote to memory of 652	2812	cmd.exe	76
PID 2812 wrote to memory of 2024	2812	cmd.exe	77
PID 2812 wrote to memory of 2024	2812	cmd.exe	77
PID 2812 wrote to memory of 2024	2812	cmd.exe	77
PID 2812 wrote to memory of 2948	2812	cmd.exe	78
PID 2812 wrote to memory of 2948	2812	cmd.exe	78
PID 2812 wrote to memory of 2948	2812	cmd.exe	78
PID 2948 wrote to memory of 3032	2948	smss.exe	79
PID 2948 wrote to memory of 3032	2948	smss.exe	79
PID 2948 wrote to memory of 3032	2948	smss.exe	79
PID 3032 wrote to memory of 948	3032	cmd.exe	81

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\DCobxod.exe
"C:\Users\Admin\AppData\Local\Temp\DCobxod.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Browserhost\H1Tsc0Ilqr3tfV2ZqDRU0epu1xRlbvhuJExp.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2264
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Browserhost\I0GR.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2200
  - - C:\Browserhost\intoHostperf.exe
      "C:\Browserhost/intoHostperf.exe"
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1480
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\czpasesr\czpasesr.cmdline"
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2016
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE5BD.tmp" "c:\Windows\System32\CSC4A04F327CA9F4A7CAEC62C5CE0CEA191.TMP"
        6⤵
        
        PID:980
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2312
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jre7\bin\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2576
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\WMIADAP.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:988
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\es-ES\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:900
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1148
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Browserhost\intoHostperf.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2604
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D4TQOTOqjw.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1444
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1588
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2992
      - C:\MSOCache\All Users\smss.exe
        
        "C:\MSOCache\All Users\smss.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VdpP4GbADJ.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2812
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:652
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2024
        
        C:\MSOCache\All Users\smss.exe
        
        "C:\MSOCache\All Users\smss.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2948
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ylDQV2JGYe.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3032
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:948
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1068
        
        C:\MSOCache\All Users\smss.exe
        
        "C:\MSOCache\All Users\smss.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:316
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6gfTO1Diev.bat"
        11⤵
        
        PID:2428
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:2068
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1576
        
        C:\MSOCache\All Users\smss.exe
        
        "C:\MSOCache\All Users\smss.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2264
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\n8fHs36pOy.bat"
        13⤵
        
        PID:3000
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:2772
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2872
        
        C:\MSOCache\All Users\smss.exe
        
        "C:\MSOCache\All Users\smss.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2568
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1fnMmvhPbk.bat"
        15⤵
        
        PID:2952
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2968
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2984
        
        C:\MSOCache\All Users\smss.exe
        
        "C:\MSOCache\All Users\smss.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2240
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ogJsYefPP1.bat"
        17⤵
        
        PID:948
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:1300
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2504
        
        C:\MSOCache\All Users\smss.exe
        
        "C:\MSOCache\All Users\smss.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1628
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\g6UJbp2Exv.bat"
        19⤵
        
        PID:2328
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:2592
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1692
        
        C:\MSOCache\All Users\smss.exe
        
        "C:\MSOCache\All Users\smss.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2744
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dpubRuS73Q.bat"
        21⤵
        
        PID:1780
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:1668
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1488
        
        C:\MSOCache\All Users\smss.exe
        
        "C:\MSOCache\All Users\smss.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1444
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4len57naH7.bat"
        23⤵
        
        PID:2648
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:2632
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1884
        
        C:\MSOCache\All Users\smss.exe
        
        "C:\MSOCache\All Users\smss.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2472
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NdqlWD9npX.bat"
        25⤵
        
        PID:1684
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:2948
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Java\jre7\bin\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\bin\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Java\jre7\bin\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Windows\es-ES\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\es-ES\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Windows\es-ES\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "intoHostperfi" /sc MINUTE /mo 7 /tr "'C:\Browserhost\intoHostperf.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "intoHostperf" /sc ONLOGON /tr "'C:\Browserhost\intoHostperf.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "intoHostperfi" /sc MINUTE /mo 13 /tr "'C:\Browserhost\intoHostperf.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Browserhost\H1Tsc0Ilqr3tfV2ZqDRU0epu1xRlbvhuJExp.vbe

Filesize
193B

MD5
469f076b98518fc3f174277ae4e7c6c2

SHA1
f47b8ee20d1901242563bca5949b2fc9b8dcce32

SHA256
27f62059a2e4543d324d2dc4b57fa3afccb086411ee077c136c9732800987dd9

SHA512
6bf0a52c4bb33945c00c637fb50298975f060f4209f6c5655352a656b239cf47d78f4e1088eb7d0df5cde52915e704cec485babfa33284b501394a06ac40c214

Download Submit
C:\Browserhost\I0GR.bat

Filesize
85B

MD5
fb60a3f4d062529781b1856a97f6d2a8

SHA1
1da3695e467be7e3a89ce9c7de7db683e6e438fe

SHA256
81fcf50eda7d7a8a0170239aee3d3741e2ab76d1aa7af8800c2e47cf182dcdf0

SHA512
1f99a3b004752db78fb8e9e4d097f866bad641cd196ccb6d639c40c4c3dda87b5e1a7a7836c8a276b965ac50f1b8b43731bf12d592cd5993938769d1196593e4

Download Submit
C:\Browserhost\intoHostperf.exe

Filesize
34.9MB

MD5
cadd0c3b32099635f889ba630c4697f4

SHA1
305f57ac6c6a0afbdc7666a6964bc2acbb2ed738

SHA256
cd91ce0978cf8df9a22d3275fd693ebc759263485550df913d837694fc3afcb4

SHA512
4712774b492b09866ed752404d248b87b595282b7b3b617c73ae1a029d5628c186e980768515eebdb950e1c89c11cb8ba47a382192400701d3dc961a98ea4714

Download Submit
C:\Users\Admin\AppData\Local\Temp\1fnMmvhPbk.bat

Filesize
158B

MD5
575f822d3e5c3ada69fffb693d0dcded

SHA1
15f76b8900ee77712932e375c37e354e0d0a4a2d

SHA256
2f995b8b9485698edab758696340543101228a6e0545e4e60b51b62f2635e5ba

SHA512
fea059bd681997ecf22a46af50b56810358f2748e65abcc40757c3bc8362accb95c63733faacaa57aeb9e1baeb737dae11a648cf2012e502279a22136e5965b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\4len57naH7.bat

Filesize
206B

MD5
48e6513e58dfadf92228c1719f45d689

SHA1
316019a275fbf30ea995a987304511cdcb34d1af

SHA256
0c229472405bcd048a61ad17b2d260c56be91b381188910524b2c88df0aac172

SHA512
e5404b88530254040e836befebec1c48e11474da364fe73d7b14fad81e941310dd791053e6f7e8a4f35d0d6d76c799c1a9feb0dfa1b1001ff25a68a0ed0d254e

Download Submit
C:\Users\Admin\AppData\Local\Temp\6gfTO1Diev.bat

Filesize
206B

MD5
1f69098cee68cec7f54eb5c47359e702

SHA1
72ae8228c46b12b654423e45a3536a17b767ce04

SHA256
f046a17cc22210843ded591a7fc5bb8832c4e1dd7db56db782e3974cd5b4f885

SHA512
bbbb31c49a5219d3d86863e7b5755e6970e8b5cf14342a613410d23b649d33a5936ce3c63a4229d8faf9c26d2e76b4aa970a650b416e92700416487374e5d79c

Download Submit
C:\Users\Admin\AppData\Local\Temp\D4TQOTOqjw.bat

Filesize
158B

MD5
d6ff699c4cadc3045d904c749ebed928

SHA1
d98dba017c71018f771f3275bddb210d160de716

SHA256
f9df32044ab71505d7c4570e4fe9630c71b510e6ffcf97e85c6edf9fd0609d40

SHA512
8917abd874401a1171433195804b6d789f47c910de924f9499b9aa1885791eca11cd010e5a5e75579744bd7de35cb01de4e9fb7cfe3ec8b044f4ab25de6fd842

Download Submit
C:\Users\Admin\AppData\Local\Temp\NdqlWD9npX.bat

Filesize
158B

MD5
3a53034d36acd0b9a8dfdb4a31c6cf5a

SHA1
b3f1a5371585dd3cebdaf64cc85999802436ee1e

SHA256
46fc3c45cbf3618fff86b4b8aed51a538eb213a7ed472fd97e5fa1a2bd66f349

SHA512
05c68d69d0b723e32fa8113c4f046e592701001d7e9d273acbae9854e575670754d34578c0f45d65c19400f6b652b1d9ed3e46021ac69c54aa467f33ded5da4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE5BD.tmp

Filesize
1KB

MD5
176c3528a6baebc5ab45b82d2784c1b7

SHA1
26c5454244388800e483dae8862d816542823457

SHA256
f5eae137fdb78de95caa52ca543e9895c4422db658c3b5fe0366d782b3766561

SHA512
ffbb5c151620bd14148e164da1cb7c078d24ea566362581d3a02300ecd52fbc34663198490c6297c6b3f94a7b0cb69f4474806dfd67bf5a6b2321096667c1654

Download Submit
C:\Users\Admin\AppData\Local\Temp\VdpP4GbADJ.bat

Filesize
158B

MD5
7b3d5f75022acba656f74c3423715ef0

SHA1
c5d1710757aa863a46412741129d47b1822809e7

SHA256
cbe08ddc1eb86e11469ed79c2c9fb0ba75d08eedef10f0b0b4b270137b7b1139

SHA512
e5fe29b2a25d90506940fc685aff2d4e1a226cf9b92a71aa256b54ada71a5b8b83664b630be65c82c9d1a18e7ac6f0628227b50ae4ec88d69a1aeae446959a61

Download Submit
C:\Users\Admin\AppData\Local\Temp\dpubRuS73Q.bat

Filesize
206B

MD5
8080bc52d02413690d6eb966f6be6ff0

SHA1
e20f1501feffa264bd21d8686131f626de8a62a5

SHA256
f0d83c8d14b5d5cc11f23c827b4ca08ca12b809745dc4871520f4d5e6bb54f73

SHA512
f4a29a4df282b591705038d5b1636a46018c7ea81118093e9bfb7c9b401051b8b46b2d840b6982ef436303ad9ce8165d979d26f40aae08d08c3f13cd6b41fd60

Download Submit
C:\Users\Admin\AppData\Local\Temp\g6UJbp2Exv.bat

Filesize
206B

MD5
5e0f398d1796688ff2214028b37d085c

SHA1
0c1dc86e90460202d5241247516bf34b471babb1

SHA256
727fa01ebd17601e3a171aabfa776e718802547023f0743cf5041b44aaf4a414

SHA512
ad26166d7cc52351cafdbd8e3db434c2b1c623845ca045e70daabb52cdf65b1fd80c9a184d9496232ebe8cf5da0cd0d2a5bed2004ac86ff593570a156896f398

Download Submit
C:\Users\Admin\AppData\Local\Temp\n8fHs36pOy.bat

Filesize
158B

MD5
71aaa34bdeccffbdc53f7efa923cee9b

SHA1
0d3b1a07079c170e3270ab5fd11ca220f979ba15

SHA256
8f4a2a6d5f364f61ee7506fdcdba514bc26819bf4ba0d068619d164be23f230c

SHA512
8c80bff4d4254e8102c278f66ad00708283dbe46eddc968884ac0f0d628f697d7717dff4975a6b4ba054f80c022cda4c489287416169795e0208b5dc980d57b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ogJsYefPP1.bat

Filesize
158B

MD5
1fe7e0a234e2d01b2cface475ee060d3

SHA1
8e4610a131cec6a11e1373bb878f31647dfb888c

SHA256
fa2ff9d1d57ffe670a16a7572612e8dd7b8e00c27bf81bc95dac4031aee88ad2

SHA512
b1a68ce4db67c1666c00ea8c0276b56cdf247c5f1ebcd7cc95b88f3b9eb5514eb5479d42f394b79ee19429e0363735dbe676dec44216ad58c3700421713652b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ylDQV2JGYe.bat

Filesize
158B

MD5
6fd63db99e12baab85f414bb8a33b64a

SHA1
c593bd8f606ebf1b1ad07bb7f9477892a81cebe6

SHA256
04bb416a12efe6290556f190ac50f7d9e5ab7db1190bd1ee3ec2689dc6ba871f

SHA512
541b9fe195ebcb7916199d553ea3d75af2d9be35e65bee66a02fba07882680eb3a42d4b6cc86742a807c95517e51c31de1e58333457947a91d3e2bac2782ec92

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
2bfa2064619700e466cb513a631e1050

SHA1
311a9f762257e1a81228e23a2d758d2117d35469

SHA256
89a53a2c71cfd9cf8f76fffcf1b3ee9b182d1acbbe4eaf5657b7836e2f8ea57b

SHA512
267c5c0a01d63216f62b33b25087896a985bb2eec049d6383830726e315ff6251cd8aa12d5b492929fcd5b0989f3695ffc38760b8b49afab6d52ef69a34c6d5d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\czpasesr\czpasesr.0.cs

Filesize
362B

MD5
749bab67cc838542d4025b4d4b0933cd

SHA1
db0736a7617f47f27dee0cdf87acba8ec390463a

SHA256
3ef6a594177544ebb4fe0f9cf696777bb36de17ecb1c6416e674468df69b330e

SHA512
fcc404b0d88d3fc8493681ea5456e339005fca6feabbd52b4d3cc966681543c6a656fa417ddd7fc757d15542ddf445dced314a8efa21794147de0dcef14737da

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\czpasesr\czpasesr.cmdline

Filesize
235B

MD5
477b48852f050c5c39d3e5025771435f

SHA1
512d33377b2a9a131d270bc722773ce4a1dfaed0

SHA256
a451fb709cb66dc12eacf1b7f26763f25ae47f006338449d465cc92efc4efbef

SHA512
43291e2ccfb74e327dbc64d2b08d63585f3e7ccaef84db17f0e4f66f4f1faf89245c38fc58109a2bd133391a9b78d3c538c8d1e20c7e95be547236daba3b7a05

Download Submit
\??\c:\Windows\System32\CSC4A04F327CA9F4A7CAEC62C5CE0CEA191.TMP

Filesize
1KB

MD5
02b6f6024c0f35b2dfb735e30d40ea59

SHA1
9e28d1d16523aab5845e09fdecf27759375f9b5a

SHA256
17491f9c7a135563b4c9dd20e2113e934070166146005e0f97ab301f4a5ef4aa

SHA512
a8a734f3d0f4d6a8904a8faa5638db91e9034c55306f153fdf321731cdfaaa58847d731ee64b226df0bd6cd4b8e6ed6d2ed1af77f510e079755f7159af433672

Download Submit
memory/1480-31-0x00000000005F0000-0x0000000000602000-memory.dmp

Filesize
72KB

Download
memory/1480-35-0x00000000007B0000-0x00000000007C6000-memory.dmp

Filesize
88KB

Download
memory/1480-51-0x00000000024C0000-0x00000000024CE000-memory.dmp

Filesize
56KB

Download
memory/1480-53-0x0000000002580000-0x0000000002598000-memory.dmp

Filesize
96KB

Download
memory/1480-55-0x00000000024D0000-0x00000000024DC000-memory.dmp

Filesize
48KB

Download
memory/1480-57-0x000000001AF80000-0x000000001AFCE000-memory.dmp

Filesize
312KB

Download
memory/1480-47-0x00000000007F0000-0x00000000007FE000-memory.dmp

Filesize
56KB

Download
memory/1480-45-0x000000001AB00000-0x000000001AB5A000-memory.dmp

Filesize
360KB

Download
memory/1480-43-0x00000000007A0000-0x00000000007B0000-memory.dmp

Filesize
64KB

Download
memory/1480-41-0x0000000000790000-0x00000000007A0000-memory.dmp

Filesize
64KB

Download
memory/1480-13-0x0000000000C20000-0x0000000000FAE000-memory.dmp

Filesize
3.6MB

Download
memory/1480-39-0x00000000005E0000-0x00000000005EE000-memory.dmp

Filesize
56KB

Download
memory/1480-15-0x0000000000270000-0x0000000000296000-memory.dmp

Filesize
152KB

Download
memory/1480-37-0x00000000007D0000-0x00000000007E2000-memory.dmp

Filesize
72KB

Download
memory/1480-17-0x00000000002A0000-0x00000000002AE000-memory.dmp

Filesize
56KB

Download
memory/1480-49-0x0000000000800000-0x0000000000810000-memory.dmp

Filesize
64KB

Download
memory/1480-19-0x00000000002B0000-0x00000000002CC000-memory.dmp

Filesize
112KB

Download
memory/1480-33-0x00000000005D0000-0x00000000005E0000-memory.dmp

Filesize
64KB

Download
memory/1480-29-0x0000000000420000-0x000000000042E000-memory.dmp

Filesize
56KB

Download
memory/1480-27-0x0000000000410000-0x0000000000420000-memory.dmp

Filesize
64KB

Download
memory/1480-21-0x00000000002D0000-0x00000000002E0000-memory.dmp

Filesize
64KB

Download
memory/1480-25-0x00000000003F0000-0x0000000000400000-memory.dmp

Filesize
64KB

Download
memory/1480-23-0x00000000005B0000-0x00000000005C8000-memory.dmp

Filesize
96KB

Download
memory/2240-263-0x0000000000E00000-0x000000000118E000-memory.dmp

Filesize
3.6MB

Download
memory/2472-377-0x0000000001100000-0x000000000148E000-memory.dmp

Filesize
3.6MB

Download
memory/2568-233-0x0000000000250000-0x00000000005DE000-memory.dmp

Filesize
3.6MB

Download
memory/2604-94-0x000000001B760000-0x000000001BA42000-memory.dmp

Filesize
2.9MB

Download
memory/2604-99-0x0000000001FE0000-0x0000000001FE8000-memory.dmp

Filesize
32KB

Download
memory/2948-148-0x0000000001340000-0x00000000016CE000-memory.dmp

Filesize
3.6MB

Download
memory/2952-119-0x0000000000320000-0x00000000006AE000-memory.dmp

Filesize
3.6MB

Download