dcrat | 619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14-01-2025 02:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
Size

1.8MB
MD5

42b89874d3138f40f32285be945f2ceb
SHA1

1766b4c4a040ba19afc4318e9b2eab775fee88d7
SHA256

619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a
SHA512

df44c7f5677a0b8e181f52b5c865315672b7c90b37f99c3b5e31714bdbb47d32d652073c42f1e614d2911faddc0394411aa3e1b8c3f832549c0d52f409722ca9
SSDEEP

49152:QdBn+oix+Z7vL4tzzQVGVzDd3Omjq+FLof:QdB+jx+Jv6zQVy1FLof

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	3440	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	912	3440	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	864	3440	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4844	3440	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	212	3440	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	3440	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4968	3440	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3652	3440	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4000	3440	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	3440	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4040	3440	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4808	3440	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	3440	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4520	3440	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4660	3440	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3344	3440	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5008	3440	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	344	3440	schtasks.exe	84

Checks computer location settings 2 TTPs 19 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	upfc.exe

Executes dropped EXE 18 IoCs

pid	Process
4476	upfc.exe
3976	upfc.exe
1956	upfc.exe
1160	upfc.exe
4112	upfc.exe
4468	upfc.exe
2516	upfc.exe
3312	upfc.exe
3724	upfc.exe
4476	upfc.exe
2120	upfc.exe
2508	upfc.exe
1676	upfc.exe
3540	upfc.exe
2636	upfc.exe
4236	upfc.exe
1032	upfc.exe
864	upfc.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office 15\ClientX64\dllhost.exe	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\5940a34987c991	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
File created	C:\Program Files\7-Zip\upfc.exe	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
File created	C:\Program Files\7-Zip\ea1d8f6d871115	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 8 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4152	PING.EXE
3992	PING.EXE
2768	PING.EXE
2332	PING.EXE
2112	PING.EXE
3660	PING.EXE
3140	PING.EXE
2040	PING.EXE

Modifies registry class 19 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	upfc.exe

Runs ping.exe 1 TTPs 8 IoCs

Remote System Discovery

T1018

pid	Process
2112	PING.EXE
3660	PING.EXE
3140	PING.EXE
2040	PING.EXE
4152	PING.EXE
3992	PING.EXE
2768	PING.EXE
2332	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2920	schtasks.exe
4520	schtasks.exe
4844	schtasks.exe
4968	schtasks.exe
3652	schtasks.exe
1676	schtasks.exe
4040	schtasks.exe
864	schtasks.exe
4808	schtasks.exe
2800	schtasks.exe
4660	schtasks.exe
344	schtasks.exe
2288	schtasks.exe
912	schtasks.exe
212	schtasks.exe
4000	schtasks.exe
3344	schtasks.exe
5008	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1388	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
1388	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
1388	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
1388	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
1388	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
1388	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
1388	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
1388	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
1388	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
1388	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
1388	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
1388	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
1388	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
1388	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
1388	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
1388	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
1388	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
1388	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
1388	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
1388	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
1388	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
1388	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
1388	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
1388	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
1388	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
1388	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
1388	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
1388	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
1388	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
1388	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
1388	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
1388	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
1388	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
1388	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
1388	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
1388	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
1388	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
1388	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
1388	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
1388	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
1388	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
1388	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
1388	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
1388	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
1388	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
1388	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
1388	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
1388	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
1388	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
1388	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
1388	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
1388	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
1388	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
1388	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
1388	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
1388	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
1388	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
1388	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
1388	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
1388	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
1388	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
1388	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
1388	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
1388	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	1388	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
Token: SeDebugPrivilege	4476	upfc.exe
Token: SeDebugPrivilege	3976	upfc.exe
Token: SeDebugPrivilege	1956	upfc.exe
Token: SeDebugPrivilege	1160	upfc.exe
Token: SeDebugPrivilege	4112	upfc.exe
Token: SeDebugPrivilege	4468	upfc.exe
Token: SeDebugPrivilege	2516	upfc.exe
Token: SeDebugPrivilege	3312	upfc.exe
Token: SeDebugPrivilege	3724	upfc.exe
Token: SeDebugPrivilege	4476	upfc.exe
Token: SeDebugPrivilege	2120	upfc.exe
Token: SeDebugPrivilege	2508	upfc.exe
Token: SeDebugPrivilege	1676	upfc.exe
Token: SeDebugPrivilege	3540	upfc.exe
Token: SeDebugPrivilege	2636	upfc.exe
Token: SeDebugPrivilege	4236	upfc.exe
Token: SeDebugPrivilege	1032	upfc.exe
Token: SeDebugPrivilege	864	upfc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1388 wrote to memory of 5080	1388	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe	103
PID 1388 wrote to memory of 5080	1388	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe	103
PID 5080 wrote to memory of 3636	5080	cmd.exe	105
PID 5080 wrote to memory of 3636	5080	cmd.exe	105
PID 5080 wrote to memory of 100	5080	cmd.exe	106
PID 5080 wrote to memory of 100	5080	cmd.exe	106
PID 5080 wrote to memory of 4476	5080	cmd.exe	113
PID 5080 wrote to memory of 4476	5080	cmd.exe	113
PID 4476 wrote to memory of 2320	4476	upfc.exe	115
PID 4476 wrote to memory of 2320	4476	upfc.exe	115
PID 2320 wrote to memory of 2084	2320	cmd.exe	117
PID 2320 wrote to memory of 2084	2320	cmd.exe	117
PID 2320 wrote to memory of 2040	2320	cmd.exe	118
PID 2320 wrote to memory of 2040	2320	cmd.exe	118
PID 2320 wrote to memory of 3976	2320	cmd.exe	126
PID 2320 wrote to memory of 3976	2320	cmd.exe	126
PID 3976 wrote to memory of 416	3976	upfc.exe	128
PID 3976 wrote to memory of 416	3976	upfc.exe	128
PID 416 wrote to memory of 3552	416	cmd.exe	130
PID 416 wrote to memory of 3552	416	cmd.exe	130
PID 416 wrote to memory of 4152	416	cmd.exe	131
PID 416 wrote to memory of 4152	416	cmd.exe	131
PID 416 wrote to memory of 1956	416	cmd.exe	135
PID 416 wrote to memory of 1956	416	cmd.exe	135
PID 1956 wrote to memory of 2908	1956	upfc.exe	137
PID 1956 wrote to memory of 2908	1956	upfc.exe	137
PID 2908 wrote to memory of 3624	2908	cmd.exe	139
PID 2908 wrote to memory of 3624	2908	cmd.exe	139
PID 2908 wrote to memory of 456	2908	cmd.exe	140
PID 2908 wrote to memory of 456	2908	cmd.exe	140
PID 2908 wrote to memory of 1160	2908	cmd.exe	143
PID 2908 wrote to memory of 1160	2908	cmd.exe	143
PID 1160 wrote to memory of 3408	1160	upfc.exe	145
PID 1160 wrote to memory of 3408	1160	upfc.exe	145
PID 3408 wrote to memory of 1652	3408	cmd.exe	147
PID 3408 wrote to memory of 1652	3408	cmd.exe	147
PID 3408 wrote to memory of 2276	3408	cmd.exe	148
PID 3408 wrote to memory of 2276	3408	cmd.exe	148
PID 3408 wrote to memory of 4112	3408	cmd.exe	149
PID 3408 wrote to memory of 4112	3408	cmd.exe	149
PID 4112 wrote to memory of 4380	4112	upfc.exe	151
PID 4112 wrote to memory of 4380	4112	upfc.exe	151
PID 4380 wrote to memory of 4976	4380	cmd.exe	153
PID 4380 wrote to memory of 4976	4380	cmd.exe	153
PID 4380 wrote to memory of 3992	4380	cmd.exe	154
PID 4380 wrote to memory of 3992	4380	cmd.exe	154
PID 4380 wrote to memory of 4468	4380	cmd.exe	156
PID 4380 wrote to memory of 4468	4380	cmd.exe	156
PID 4468 wrote to memory of 1764	4468	upfc.exe	158
PID 4468 wrote to memory of 1764	4468	upfc.exe	158
PID 1764 wrote to memory of 1056	1764	cmd.exe	160
PID 1764 wrote to memory of 1056	1764	cmd.exe	160
PID 1764 wrote to memory of 2768	1764	cmd.exe	161
PID 1764 wrote to memory of 2768	1764	cmd.exe	161
PID 1764 wrote to memory of 2516	1764	cmd.exe	164
PID 1764 wrote to memory of 2516	1764	cmd.exe	164
PID 2516 wrote to memory of 2480	2516	upfc.exe	166
PID 2516 wrote to memory of 2480	2516	upfc.exe	166
PID 2480 wrote to memory of 1012	2480	cmd.exe	168
PID 2480 wrote to memory of 1012	2480	cmd.exe	168
PID 2480 wrote to memory of 2332	2480	cmd.exe	169
PID 2480 wrote to memory of 2332	2480	cmd.exe	169
PID 2480 wrote to memory of 3312	2480	cmd.exe	171
PID 2480 wrote to memory of 3312	2480	cmd.exe	171

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
"C:\Users\Admin\AppData\Local\Temp\619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1388
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KRsVZXvz4W.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5080
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:3636
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:100
- - C:\Program Files\7-Zip\upfc.exe
    "C:\Program Files\7-Zip\upfc.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4476
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\htx2mBafAs.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2320
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:2084
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2040
    - - C:\Program Files\7-Zip\upfc.exe
        
        "C:\Program Files\7-Zip\upfc.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3976
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\p52E8qRc0z.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:416
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:3552
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4152
        
        C:\Program Files\7-Zip\upfc.exe
        
        "C:\Program Files\7-Zip\upfc.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1956
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5MTiTtyPLR.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2908
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:3624
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:456
        
        C:\Program Files\7-Zip\upfc.exe
        
        "C:\Program Files\7-Zip\upfc.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1160
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Z8EFjwB7Jj.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:3408
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:1652
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2276
        
        C:\Program Files\7-Zip\upfc.exe
        
        "C:\Program Files\7-Zip\upfc.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4112
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3LXAY36iRv.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:4380
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:4976
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3992
        
        C:\Program Files\7-Zip\upfc.exe
        
        "C:\Program Files\7-Zip\upfc.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4468
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HO9VPMedbR.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:1764
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:1056
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2768
        
        C:\Program Files\7-Zip\upfc.exe
        
        "C:\Program Files\7-Zip\upfc.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2516
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qJsMcbRTCu.bat"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:2480
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:1012
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2332
        
        C:\Program Files\7-Zip\upfc.exe
        
        "C:\Program Files\7-Zip\upfc.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3312
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CmSUPSwWTx.bat"
        18⤵
        
        PID:4816
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:3620
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2380
        
        C:\Program Files\7-Zip\upfc.exe
        
        "C:\Program Files\7-Zip\upfc.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3724
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zd3m5m79sA.bat"
        20⤵
        
        PID:2744
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:832
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2112
        
        C:\Program Files\7-Zip\upfc.exe
        
        "C:\Program Files\7-Zip\upfc.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4476
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5MTiTtyPLR.bat"
        22⤵
        
        PID:4596
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:1380
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:3968
        
        C:\Program Files\7-Zip\upfc.exe
        
        "C:\Program Files\7-Zip\upfc.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2120
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kMcIkiaMXi.bat"
        24⤵
        
        PID:3912
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:2296
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:1280
        
        C:\Program Files\7-Zip\upfc.exe
        
        "C:\Program Files\7-Zip\upfc.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2508
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1ssuaX7045.bat"
        26⤵
        
        PID:3448
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:2448
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:628
        
        C:\Program Files\7-Zip\upfc.exe
        
        "C:\Program Files\7-Zip\upfc.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1676
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1ssuaX7045.bat"
        28⤵
        
        PID:1568
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:3948
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:888
        
        C:\Program Files\7-Zip\upfc.exe
        
        "C:\Program Files\7-Zip\upfc.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3540
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1ssuaX7045.bat"
        30⤵
        
        PID:456
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        31⤵
        
        PID:2928
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        31⤵
        
        PID:1640
        
        C:\Program Files\7-Zip\upfc.exe
        
        "C:\Program Files\7-Zip\upfc.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2636
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\84x6wBxxuC.bat"
        32⤵
        
        PID:392
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        33⤵
        
        PID:4608
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        33⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3660
        
        C:\Program Files\7-Zip\upfc.exe
        
        "C:\Program Files\7-Zip\upfc.exe"
        33⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4236
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oqD6e5Rlo4.bat"
        34⤵
        
        PID:860
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        35⤵
        
        PID:4624
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        35⤵
        
        PID:1712
        
        C:\Program Files\7-Zip\upfc.exe
        
        "C:\Program Files\7-Zip\upfc.exe"
        35⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1032
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fkvHkpsFQE.bat"
        36⤵
        
        PID:1748
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        37⤵
        
        PID:1600
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        37⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3140
        
        C:\Program Files\7-Zip\upfc.exe
        
        "C:\Program Files\7-Zip\upfc.exe"
        37⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:864
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qJsMcbRTCu.bat"
        38⤵
        
        PID:4152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Program Files\7-Zip\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\7-Zip\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Program Files\7-Zip\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a6" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\AppData\Local\Temp\619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a6" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\AppData\Local\Temp\619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\csrss.exe

Filesize
1.8MB

MD5
42b89874d3138f40f32285be945f2ceb

SHA1
1766b4c4a040ba19afc4318e9b2eab775fee88d7

SHA256
619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a

SHA512
df44c7f5677a0b8e181f52b5c865315672b7c90b37f99c3b5e31714bdbb47d32d652073c42f1e614d2911faddc0394411aa3e1b8c3f832549c0d52f409722ca9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\upfc.exe.log

Filesize
1KB

MD5
f8b2fca3a50771154571c11f1c53887b

SHA1
2e83b0c8e2f4c10b145b7fb4832ed1c78743de3f

SHA256
0efa72802031a8f902c3a4ab18fe3d667dafc71c93eb3a1811e78353ecf4a6b6

SHA512
b98b8d5516593d13415199d4ac6fbe4ff924488487c4bd863cb677601048785d872a3ff30129148e2961cb6fb2fc33117540302980a132f57f7ec9a497813f1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1ssuaX7045.bat

Filesize
207B

MD5
5c749f0c2ef60b037e5f4a8e85ae9f32

SHA1
6d0576b4119a6c7255259d6f9505357cc02a99cb

SHA256
a122bf8e224ee9ed98c0637ce325f96182d8188ca70e05dd57394d25b54457ca

SHA512
21e358b339d58ec1a88f7ecd9149997dce6ef8805f8127bbf1065adc40e64ee5567f2c513273fe147f605effa372ebe6640c896be20c6cbf10a8506e41b65aa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\3LXAY36iRv.bat

Filesize
159B

MD5
6619f64d0fc201bca2f2106b5e3a9ed8

SHA1
aa4ae1b0fee11a8b01d9eb650b0c1cf271cacfb2

SHA256
fae747cd33f529550e43a2619a9765e42ee7b12296ead57c69813a5f00688987

SHA512
6422be7e56cb24599e7374fc15c0d987a0ad7ab4164fb435cd3d8b972b6e962a997ca66806bf8ab19010f8ea9da4b872d3888666f3ff89b5016197ed8a2f8c9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\5MTiTtyPLR.bat

Filesize
207B

MD5
bc3d2729dd52f5c473c2a5a4a9ec79cb

SHA1
ef02d10e8e843766cf605fd9d0ad9ed5c64c6229

SHA256
ba3791b4d21491c9caa5a54d9966e0ce0a65dbd1338a5d7236b908d51f91d37a

SHA512
6f3a2952826f3315843e92ed70337454a02b970a2ef8df118a84a963137300d8b04be43aa3efe38475471368b4bb6026c82d37c2f41d89314fc207e84f1b24a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\84x6wBxxuC.bat

Filesize
159B

MD5
d9d0aa5f22cacc1d7ee1f7d45ccd0f9e

SHA1
dfa8dba916a73834b2221cfe22f28d0d58a63351

SHA256
4f5a45f0679ebb6ceed2cecf99edc9a2ed83fd6ec6f62a21c2a7f3bcf4ed766e

SHA512
0a30646a364839b9823ebda5aba281384b40eb7fee0d6cd1fb7a7a851360cb965258bb878914a0a5f47c613a9ca99c33cbad091aa0452bd58508b350d7310c2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CmSUPSwWTx.bat

Filesize
207B

MD5
5e1db5b9f6d635a72914f4572a1c572a

SHA1
491773357e96e6dce4965344338880cec3c18350

SHA256
4a27aa840f7a99823aa9ac6cc7f0daea810609732ee62f106d8a29a89a723e55

SHA512
d47f58d087a6999e96fa2f860448d1a68a62ef0db0d28578cca27eb2f8df675d706800f574e43c1f3dbbb30ec3b2eca058f38e509d48df9321aadbb1abb3862c

Download Submit
C:\Users\Admin\AppData\Local\Temp\HO9VPMedbR.bat

Filesize
159B

MD5
04d75d004769870488452176fc79f12e

SHA1
d1cdce47cf7ff59926e89774b00c2dc74e4638e5

SHA256
be72cea1fe05185ddd22b0774261487044993f64299687d0625cd599db4fbf8c

SHA512
7adf33348f4a1c23aabdf6a70483371980e636cf6fb8a9a7886b3d48c57f361d336cf3745a341ece584d45907c110a039fb89af47f3e8373ee565c532e146a0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\KRsVZXvz4W.bat

Filesize
207B

MD5
efbbcd690998a915a25a9c8c5d3edc04

SHA1
d0e2ebfe8a5af8d8db04b4b8e3f71917606e7723

SHA256
258f43e9264dc41dbbf9ddd7fb58c2243108cdcb849dbab1954958dbf471f728

SHA512
a24cdf297f6341f330b105c3cd3c2d004a57572e8c9ce27310b6370063381d12863bf45677a90e3293a3dde0eac9116e73e13a0c51cf75d01d21fcbd2ae6571a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Z8EFjwB7Jj.bat

Filesize
207B

MD5
48099d57f43a662136b059b3612e52f5

SHA1
07dfcc4f0398f4ad31baa479ef85e1d601681303

SHA256
d2f56ea1acee549cc16bbe5f12cbd2f19ea0398c825f7938527adeb734a498ed

SHA512
dc0d703700359b03a109c6d1efa6d9ddfe8d321db4762a6720c94140ab424c1294a0a2b1ad98e716bb9ab8b05c7f5095e35caf49a44238eef876ade09d454d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\fkvHkpsFQE.bat

Filesize
159B

MD5
61bc535ac664178e30c58ccb9edabba1

SHA1
bbcce7b5f177fedd91b9727fc44b9b8be87b1c17

SHA256
0d4a2e00fcbbc721450c919d19e5b0e458481c01ac5be6bc43f95e7371013fe6

SHA512
ca9195bec8b80c88893079c5ee93569920d7bbd7908a9ee56b6cdd3087096a879f26cd0d81c4d83444afda6a3bb9f7dcaa62a556749c736cb64ef9c4eae72076

Download Submit
C:\Users\Admin\AppData\Local\Temp\htx2mBafAs.bat

Filesize
159B

MD5
3b64c12cf599e9417378d766c202abfe

SHA1
4e399db116ace0adfd53abe8dde1f41459360589

SHA256
eb53f4735888cf7618856510a7a733ca46d541d6df4e5ee1033bf3f8156d09c8

SHA512
85a631f560e745a1a07f59e4ebd52e283d6c1a87d25a3e7726eb5cfbc6f7cdfe6bac0ea2c4c391df7b5cc1e9da9450bbe9a7dcda0583e149df4b7722a7053411

Download Submit
C:\Users\Admin\AppData\Local\Temp\kMcIkiaMXi.bat

Filesize
207B

MD5
bd98ca40353f0f015172a72bbe3a8e1a

SHA1
2d8a614cf09625e8dcaa0550908ac66fbe7b365c

SHA256
f07df7746f85a8a68e7c4b33abfe3a3378c40bb7a5a8da5c24a9d5272fcb6400

SHA512
5952a6d9440663e3995e077c1ad48e832e1d6a94283ec8fe4bf6573250b7fca9892f9ae3f05e8e2a0f559297f68d131ef9cedd9a7f7e474015bd6307ae2de350

Download Submit
C:\Users\Admin\AppData\Local\Temp\oqD6e5Rlo4.bat

Filesize
207B

MD5
288bec4560fff44bbf209482c41a75d1

SHA1
a6417d85a9d0bec63a1b7e915c519a06df02a4fd

SHA256
90c0bb5a495eb105ad77d0974f220dbc4e56b436ebff0b6793fc3493c0743546

SHA512
94e26c6e3a74233381ef2a149a3d49dbf7e346f8b09bcb489cbc1ba09a06b1b7746229e49c98e246c228e1404789d2500cd87805fc86a227a11241c80d67ed6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\p52E8qRc0z.bat

Filesize
159B

MD5
b94e5270fc059aec07d40745fed65ec3

SHA1
1a493dd8be274e73fdadb98ed6d95602bb7e00ba

SHA256
066566502127bd0fdfdfe60ddccce7fbe833be52af00d6edae4c20ebda7837bf

SHA512
cd8c88606a6a38510c4f44e881ac780cab27537d732c48654311bfbdef5f97783b7bd8103f5ce56fe3cbb37b349d7e6890e3f18884659a6a97688ab300ac3328

Download Submit
C:\Users\Admin\AppData\Local\Temp\qJsMcbRTCu.bat

Filesize
159B

MD5
53b2f21cb406fb5dcba6381244832e14

SHA1
3473b8803fb81fc1e448521355cf92d972ab834e

SHA256
7886e6ef92ab292a09e88cc269d7c59ff3b55794078dbd414919f27eeedf056a

SHA512
09ceb6856eba7f1d49863b1ea00c756114f032fe391f88980f86a9c4381abcbf50cfc90096577a8ef32b1966a992ff7e3cb933495d4f8a64924174e4cba99f62

Download Submit
C:\Users\Admin\AppData\Local\Temp\zd3m5m79sA.bat

Filesize
159B

MD5
a3be4b9baf25257edc2219d0cd26b719

SHA1
7df3ab2e7890d2f3a013db76d579927e371c12b2

SHA256
1bb95f9d57c779ee7442aeb4f125808210066600071ed6b9260c69de2f0f55ae

SHA512
8a792f18f6fc0f4028778246f5c397dffc634b59a402bf4d58680885a6b37ecc7db5eff64a9a37775699d5b2f497cc24cec06da69cc0b2417617e2fe402f7e5b

Download Submit
memory/1388-0-0x00007FFEEB9B3000-0x00007FFEEB9B5000-memory.dmp

Filesize
8KB

Download
memory/1388-7-0x00007FFEEB9B0000-0x00007FFEEC471000-memory.dmp

Filesize
10.8MB

Download
memory/1388-24-0x00007FFEEB9B0000-0x00007FFEEC471000-memory.dmp

Filesize
10.8MB

Download
memory/1388-13-0x000000001B410000-0x000000001B428000-memory.dmp

Filesize
96KB

Download
memory/1388-11-0x000000001B7E0000-0x000000001B830000-memory.dmp

Filesize
320KB

Download
memory/1388-10-0x000000001B3F0000-0x000000001B40C000-memory.dmp

Filesize
112KB

Download
memory/1388-26-0x00007FFEEB9B0000-0x00007FFEEC471000-memory.dmp

Filesize
10.8MB

Download
memory/1388-33-0x00007FFEEB9B0000-0x00007FFEEC471000-memory.dmp

Filesize
10.8MB

Download
memory/1388-8-0x00007FFEEB9B0000-0x00007FFEEC471000-memory.dmp

Filesize
10.8MB

Download
memory/1388-27-0x00007FFEEB9B0000-0x00007FFEEC471000-memory.dmp

Filesize
10.8MB

Download
memory/1388-6-0x0000000002880000-0x000000000288E000-memory.dmp

Filesize
56KB

Download
memory/1388-4-0x00007FFEEB9B0000-0x00007FFEEC471000-memory.dmp

Filesize
10.8MB

Download
memory/1388-3-0x00007FFEEB9B0000-0x00007FFEEC471000-memory.dmp

Filesize
10.8MB

Download
memory/1388-2-0x00007FFEEB9B0000-0x00007FFEEC471000-memory.dmp

Filesize
10.8MB

Download
memory/1388-1-0x00000000005E0000-0x00000000007B2000-memory.dmp

Filesize
1.8MB

Download