dcrat | 7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18

Analysis

max time kernel
122s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17-01-2025 03:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe
Size

2.1MB
MD5

4c2ac1b00484674f9b5792d4c582d73b
SHA1

f25bbeae4c50ac942e3c01a2db1f615700716688
SHA256

7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18
SHA512

04b5d49a32a73bc0dba4fe1bb2a611adaebf6311cf1b7d835c3681e436082590674ebb5d24c94a17abd43a9d76d5485da3a0f9182c5938a19087f1e4c6717246
SSDEEP

49152:G2UiJArUq4MfX+6o5bXzATJYNHTQwcrw6FT9LKd5EdoT6:G2dJAQMGh5DzATJaSw6FTE02m

Score

10^/10

dcrat discovery execution infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Java\\jdk1.7.0_80\\include\\win32\\bridge\\csrss.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\de-DE\\dllhost.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\sppsvc.exe\", \"C:\\Users\\Default User\\csrss.exe\", \"C:\\Users\\Public\\Libraries\\csrss.exe\""	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Java\\jdk1.7.0_80\\include\\win32\\bridge\\csrss.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\de-DE\\dllhost.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\sppsvc.exe\", \"C:\\Users\\Default User\\csrss.exe\", \"C:\\Users\\Public\\Libraries\\csrss.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe\""	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Java\\jdk1.7.0_80\\include\\win32\\bridge\\csrss.exe\""	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Java\\jdk1.7.0_80\\include\\win32\\bridge\\csrss.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\de-DE\\dllhost.exe\""	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Java\\jdk1.7.0_80\\include\\win32\\bridge\\csrss.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\de-DE\\dllhost.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\sppsvc.exe\""	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Java\\jdk1.7.0_80\\include\\win32\\bridge\\csrss.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\de-DE\\dllhost.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\sppsvc.exe\", \"C:\\Users\\Default User\\csrss.exe\""	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1968	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1256	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1208	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	776	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	492	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	2628	schtasks.exe	30

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1976	powershell.exe
1288	powershell.exe
828	powershell.exe
1796	powershell.exe
1516	powershell.exe
1496	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
2864	csrss.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Default User\\csrss.exe\""	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Default User\\csrss.exe\""	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Public\\Libraries\\csrss.exe\""	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe\""	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Java\\jdk1.7.0_80\\include\\win32\\bridge\\csrss.exe\""	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Windows NT\\Accessories\\de-DE\\dllhost.exe\""	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\sppsvc.exe\""	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\sppsvc.exe\""	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Java\\jdk1.7.0_80\\include\\win32\\bridge\\csrss.exe\""	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Windows NT\\Accessories\\de-DE\\dllhost.exe\""	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Public\\Libraries\\csrss.exe\""	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe\""	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ipinfo.io
5	ipinfo.io
12	ipinfo.io
13	ipinfo.io

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSCDC3EE5959F04451DA2DBD6AA1AA1ED9D.TMP	csc.exe
File created	\??\c:\Windows\System32\3kmwe8.exe	csc.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\csrss.exe	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\886983d96e3d3e	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\sppsvc.exe	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\0a1fd5f707cd16	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\de-DE\dllhost.exe	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\de-DE\5940a34987c991	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1948	PING.EXE

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1948	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2056	schtasks.exe
1256	schtasks.exe
1524	schtasks.exe
776	schtasks.exe
2956	schtasks.exe
2912	schtasks.exe
2652	schtasks.exe
2992	schtasks.exe
2988	schtasks.exe
2404	schtasks.exe
1968	schtasks.exe
2456	schtasks.exe
2436	schtasks.exe
2796	schtasks.exe
2624	schtasks.exe
1208	schtasks.exe
492	schtasks.exe
2216	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2692	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe
2692	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe
2692	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe
2692	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe
2692	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe
2692	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe
2692	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe
2692	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe
2692	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe
2692	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe
2692	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe
2692	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe
2692	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe
2692	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe
2692	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe
2692	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe
2692	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe
2692	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe
2692	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe
2692	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe
2692	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe
2692	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe
2692	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe
2692	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe
2692	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe
2692	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe
2692	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe
2692	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe
2692	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe
2692	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe
2692	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe
2692	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe
2692	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe
2692	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe
2692	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe
2692	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe
2692	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe
2692	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe
2692	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe
2692	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe
2692	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe
2692	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe
2692	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe
2692	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe
2692	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe
2692	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe
2692	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe
2692	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe
2692	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe
2692	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe
2692	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe
2692	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe
2692	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe
2692	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe
2692	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe
2692	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe
2692	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe
2692	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe
2692	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe
2692	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe
2692	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe
2692	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe
2692	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe
2692	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2692	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe
Token: SeDebugPrivilege	1496	powershell.exe
Token: SeDebugPrivilege	1516	powershell.exe
Token: SeDebugPrivilege	828	powershell.exe
Token: SeDebugPrivilege	1976	powershell.exe
Token: SeDebugPrivilege	1288	powershell.exe
Token: SeDebugPrivilege	1796	powershell.exe
Token: SeDebugPrivilege	2864	csrss.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2692 wrote to memory of 2604	2692	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe	34
PID 2692 wrote to memory of 2604	2692	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe	34
PID 2692 wrote to memory of 2604	2692	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe	34
PID 2604 wrote to memory of 572	2604	csc.exe	36
PID 2604 wrote to memory of 572	2604	csc.exe	36
PID 2604 wrote to memory of 572	2604	csc.exe	36
PID 2692 wrote to memory of 828	2692	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe	52
PID 2692 wrote to memory of 828	2692	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe	52
PID 2692 wrote to memory of 828	2692	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe	52
PID 2692 wrote to memory of 1288	2692	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe	53
PID 2692 wrote to memory of 1288	2692	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe	53
PID 2692 wrote to memory of 1288	2692	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe	53
PID 2692 wrote to memory of 1976	2692	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe	54
PID 2692 wrote to memory of 1976	2692	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe	54
PID 2692 wrote to memory of 1976	2692	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe	54
PID 2692 wrote to memory of 1496	2692	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe	55
PID 2692 wrote to memory of 1496	2692	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe	55
PID 2692 wrote to memory of 1496	2692	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe	55
PID 2692 wrote to memory of 1516	2692	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe	56
PID 2692 wrote to memory of 1516	2692	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe	56
PID 2692 wrote to memory of 1516	2692	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe	56
PID 2692 wrote to memory of 1796	2692	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe	57
PID 2692 wrote to memory of 1796	2692	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe	57
PID 2692 wrote to memory of 1796	2692	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe	57
PID 2692 wrote to memory of 1452	2692	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe	64
PID 2692 wrote to memory of 1452	2692	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe	64
PID 2692 wrote to memory of 1452	2692	7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe	64
PID 1452 wrote to memory of 832	1452	cmd.exe	66
PID 1452 wrote to memory of 832	1452	cmd.exe	66
PID 1452 wrote to memory of 832	1452	cmd.exe	66
PID 1452 wrote to memory of 1948	1452	cmd.exe	67
PID 1452 wrote to memory of 1948	1452	cmd.exe	67
PID 1452 wrote to memory of 1948	1452	cmd.exe	67
PID 1452 wrote to memory of 2864	1452	cmd.exe	68
PID 1452 wrote to memory of 2864	1452	cmd.exe	68
PID 1452 wrote to memory of 2864	1452	cmd.exe	68

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe
"C:\Users\Admin\AppData\Local\Temp\7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ds4rcrsh\ds4rcrsh.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2604
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF95C.tmp" "c:\Windows\System32\CSCDC3EE5959F04451DA2DBD6AA1AA1ED9D.TMP"
    3⤵
    PID:572
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:828
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\Accessories\de-DE\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1288
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1976
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1496
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Libraries\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1516
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1796
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SmDTmdKwBH.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1452
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:832
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1948
- - C:\Users\Default User\csrss.exe
    "C:\Users\Default User\csrss.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\Accessories\de-DE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\de-DE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\Accessories\de-DE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Libraries\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Libraries\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Libraries\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e187" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\Local\Temp\7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e187" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\AppData\Local\Temp\7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\csrss.exe

Filesize
2.1MB

MD5
4c2ac1b00484674f9b5792d4c582d73b

SHA1
f25bbeae4c50ac942e3c01a2db1f615700716688

SHA256
7e3a3ff9f8bf5cf600b4847cc650c5db7e7a83d4a5c62234cb691d470ec16e18

SHA512
04b5d49a32a73bc0dba4fe1bb2a611adaebf6311cf1b7d835c3681e436082590674ebb5d24c94a17abd43a9d76d5485da3a0f9182c5938a19087f1e4c6717246

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF95C.tmp

Filesize
1KB

MD5
81d2bb00cf65600cec0a8b72e5e97c78

SHA1
6930a825bf0fd0ee34d383b43018db79499ec292

SHA256
7100fd39f18475c90d6837e31b48302e9576ce23364e81fc0494ec94651bd895

SHA512
2e547cff285f15a9f13a4d9226f688cdb9ea6ea21f33cb860afc6f5f5c521394a17b2597e28353c9654729311a7ade4cc264a5ba2afd0f550214dd8a6b48ac11

Download Submit
C:\Users\Admin\AppData\Local\Temp\SmDTmdKwBH.bat

Filesize
159B

MD5
715aebe3aaa4d45bbf5ca12948890ccf

SHA1
43a3f758a5d43ebddd7a95b10dca990c894969ab

SHA256
15843768ada0c3603fcf83d70cb027e7fc84dfd6fef08246879c7495a5a5d1ec

SHA512
0c3b2feda04e53002f82504be29fd1db79827bf9b92a76354db8b5da7bb41163371e255db8894364b0c6b25ded76e91267ebb0e1fca53b66ee71e4c6a4f75a21

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
655ac88e4107546645c0aed3ea947277

SHA1
5600cd6fa74cb0bf66e23bc9f8fb34ae9446e79f

SHA256
8677a01f9b68b08c4ce824b89b16f04fff8da99018e52c4b2f362f1068d39a84

SHA512
0c6415dbf15b8fc00302addc9315aba42a900d32205982f4ad3def75f653d253f6b346bdffe7d93856cf1ef3a285a95ac375e7cd5d650f1119f92718ac8103a5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ds4rcrsh\ds4rcrsh.0.cs

Filesize
396B

MD5
3b36adf7eacb1e0f6034fdbd207a7149

SHA1
3a39977dc4766a1e761d5d6e76819b8781d4db1f

SHA256
47c247113425dec1d1d60b5fa10a31e87aa6646584c78ca6a7afa34141298c0f

SHA512
8d41aeee5e5e32d31bc2491338613ac62fb6ba0f39319db81a5a7f2c1b60496556b3fa9b262a832e79de5856ca6f1b0481227d203272766d12ef6b3cbd683d03

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ds4rcrsh\ds4rcrsh.cmdline

Filesize
235B

MD5
7fad41a8190b761688ca93ce4e774283

SHA1
359ff8381a3013cf967cb833342c92e9d866edbb

SHA256
a743c1f950b23c950c5f305b7379e53d26e73936cf75ff033c7f7e68be79c02f

SHA512
51abeb89d478ecb399bda0a493c059a032024439f06fc5f92e8c1930016c409125a203c1463d3e6e43c4cf189b2183fe6948cf3f21e78fe5c7db29a49a480823

Download Submit
\??\c:\Windows\System32\CSCDC3EE5959F04451DA2DBD6AA1AA1ED9D.TMP

Filesize
1KB

MD5
8c85ef91c6071d33745325a8fa351c3e

SHA1
e3311ceef28823eec99699cc35be27c94eca52d2

SHA256
8db3e3a5515da1933036688a9b1918cfc3339fc687008c5325461271904b2d41

SHA512
2bb89b07fe46b1c406ed6a560e88cb2b8402b1d61bb71e10887bad661751f64f1e5317fd6c1b301ea4766785b915da31b64e0475cfe36c1f950b32915b5dab7d

Download Submit
memory/1496-83-0x0000000002770000-0x0000000002778000-memory.dmp

Filesize
32KB

Download
memory/1516-82-0x000000001B5A0000-0x000000001B882000-memory.dmp

Filesize
2.9MB

Download
memory/2692-12-0x00000000009D0000-0x00000000009DE000-memory.dmp

Filesize
56KB

Download
memory/2692-14-0x00000000009E0000-0x00000000009EC000-memory.dmp

Filesize
48KB

Download
memory/2692-16-0x0000000002050000-0x000000000205E000-memory.dmp

Filesize
56KB

Download
memory/2692-19-0x0000000002060000-0x000000000206C000-memory.dmp

Filesize
48KB

Download
memory/2692-21-0x0000000002360000-0x0000000002370000-memory.dmp

Filesize
64KB

Download
memory/2692-22-0x000007FEF5930000-0x000007FEF631C000-memory.dmp

Filesize
9.9MB

Download
memory/2692-24-0x0000000002370000-0x000000000237E000-memory.dmp

Filesize
56KB

Download
memory/2692-26-0x0000000002380000-0x0000000002388000-memory.dmp

Filesize
32KB

Download
memory/2692-28-0x0000000002390000-0x000000000239C000-memory.dmp

Filesize
48KB

Download
memory/2692-29-0x000007FEF5930000-0x000007FEF631C000-memory.dmp

Filesize
9.9MB

Download
memory/2692-31-0x000007FEF5930000-0x000007FEF631C000-memory.dmp

Filesize
9.9MB

Download
memory/2692-30-0x000007FEF5930000-0x000007FEF631C000-memory.dmp

Filesize
9.9MB

Download
memory/2692-43-0x000007FEF5930000-0x000007FEF631C000-memory.dmp

Filesize
9.9MB

Download
memory/2692-17-0x000007FEF5930000-0x000007FEF631C000-memory.dmp

Filesize
9.9MB

Download
memory/2692-44-0x000007FEF5930000-0x000007FEF631C000-memory.dmp

Filesize
9.9MB

Download
memory/2692-0-0x000007FEF5933000-0x000007FEF5934000-memory.dmp

Filesize
4KB

Download
memory/2692-10-0x0000000002030000-0x0000000002048000-memory.dmp

Filesize
96KB

Download
memory/2692-8-0x00000000009F0000-0x0000000000A0C000-memory.dmp

Filesize
112KB

Download
memory/2692-6-0x00000000009C0000-0x00000000009CE000-memory.dmp

Filesize
56KB

Download
memory/2692-57-0x000007FEF5930000-0x000007FEF631C000-memory.dmp

Filesize
9.9MB

Download
memory/2692-62-0x000007FEF5930000-0x000007FEF631C000-memory.dmp

Filesize
9.9MB

Download
memory/2692-4-0x000007FEF5930000-0x000007FEF631C000-memory.dmp

Filesize
9.9MB

Download
memory/2692-3-0x000007FEF5930000-0x000007FEF631C000-memory.dmp

Filesize
9.9MB

Download
memory/2692-2-0x000007FEF5930000-0x000007FEF631C000-memory.dmp

Filesize
9.9MB

Download
memory/2692-1-0x0000000000A10000-0x0000000000C2C000-memory.dmp

Filesize
2.1MB

Download
memory/2864-97-0x0000000000ED0000-0x00000000010EC000-memory.dmp

Filesize
2.1MB

Download