dcrat | b9565d219fb7879e482bfc859721acc5e10edadb73a9bb6eb3190e58e45bea5d

Analysis

max time kernel
142s
max time network
138s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 01:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b9565d219fb7879e482bfc859721acc5e10edadb73a9bb6eb3190e58e45bea5d.exe
Size

827KB
MD5

428bdccd4c240a253810e1c2a4ff8b78
SHA1

6cb81ccde6f9cd26b0b60ce5b5d948dbda609c8c
SHA256

b9565d219fb7879e482bfc859721acc5e10edadb73a9bb6eb3190e58e45bea5d
SHA512

81619bed44fca74f7c9cd3dc7fef9d52cea24ea4d6ea5cf3eedbe25c9a3f16f12889ff30644371146f8d55a280ed2e6b730c69c50bf2b944c74cc6d7914d1a63
SSDEEP

12288:GurCqcV04iJuX03lJmrw1DMVMkNcL4uhB6lg1npjzh/Ta6:bypiJOw1D8YhB6lkpjdO6

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 27 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	2196	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	2196	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2196	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2196	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2196	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	2196	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	2196	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2484	2196	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	2196	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2464	2196	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2524	2196	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2580	2196	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	2196	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	2196	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1080	2196	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	2196	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	2196	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1308	2196	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2196	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	2196	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	800	2196	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2196	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1848	2196	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	2196	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	2196	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1588	2196	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	2196	schtasks.exe

DCRat payload 15 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/2916-1-0x0000000000CA0000-0x0000000000D76000-memory.dmp	dcrat
C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\csrss.exe	dcrat
behavioral1/memory/1712-27-0x0000000000380000-0x0000000000456000-memory.dmp	dcrat
behavioral1/memory/1888-49-0x0000000000970000-0x0000000000A46000-memory.dmp	dcrat
behavioral1/memory/972-56-0x0000000000300000-0x00000000003D6000-memory.dmp	dcrat
behavioral1/memory/1976-63-0x00000000000A0000-0x0000000000176000-memory.dmp	dcrat
behavioral1/memory/2496-70-0x0000000000370000-0x0000000000446000-memory.dmp	dcrat
behavioral1/memory/3060-77-0x0000000000360000-0x0000000000436000-memory.dmp	dcrat
behavioral1/memory/2916-84-0x0000000000E70000-0x0000000000F46000-memory.dmp	dcrat
behavioral1/memory/1692-91-0x0000000000040000-0x0000000000116000-memory.dmp	dcrat
behavioral1/memory/2328-98-0x0000000000F90000-0x0000000001066000-memory.dmp	dcrat
behavioral1/memory/2132-105-0x0000000000010000-0x00000000000E6000-memory.dmp	dcrat
behavioral1/memory/1452-112-0x0000000000F30000-0x0000000001006000-memory.dmp	dcrat
behavioral1/memory/2116-119-0x0000000000180000-0x0000000000256000-memory.dmp	dcrat
behavioral1/memory/2160-126-0x0000000001230000-0x0000000001306000-memory.dmp	dcrat

Executes dropped EXE 13 IoCs

Processes:

taskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exe

pid	process
1712	taskhost.exe
1888	taskhost.exe
972	taskhost.exe
1976	taskhost.exe
2496	taskhost.exe
3060	taskhost.exe
2916	taskhost.exe
1692	taskhost.exe
2328	taskhost.exe
2132	taskhost.exe
1452	taskhost.exe
2116	taskhost.exe
2160	taskhost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 14 IoCs

Web Service

T1102

Processes:

flow	ioc
19	pastebin.com
21	pastebin.com
23	pastebin.com
14	pastebin.com
17	pastebin.com
27	pastebin.com
33	pastebin.com
4	pastebin.com
15	pastebin.com
25	pastebin.com
29	pastebin.com
35	pastebin.com
5	pastebin.com
31	pastebin.com

Drops file in System32 directory 2 IoCs

Processes:

b9565d219fb7879e482bfc859721acc5e10edadb73a9bb6eb3190e58e45bea5d.exe

description	ioc	process
File created	C:\Windows\System32\da-DK\winlogon.exe	b9565d219fb7879e482bfc859721acc5e10edadb73a9bb6eb3190e58e45bea5d.exe
File created	C:\Windows\System32\da-DK\cc11b995f2a76d	b9565d219fb7879e482bfc859721acc5e10edadb73a9bb6eb3190e58e45bea5d.exe

Drops file in Program Files directory 4 IoCs

Processes:

b9565d219fb7879e482bfc859721acc5e10edadb73a9bb6eb3190e58e45bea5d.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\csrss.exe	b9565d219fb7879e482bfc859721acc5e10edadb73a9bb6eb3190e58e45bea5d.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\886983d96e3d3e	b9565d219fb7879e482bfc859721acc5e10edadb73a9bb6eb3190e58e45bea5d.exe
File created	C:\Program Files\Microsoft Office\Office14\taskhost.exe	b9565d219fb7879e482bfc859721acc5e10edadb73a9bb6eb3190e58e45bea5d.exe
File created	C:\Program Files\Microsoft Office\Office14\b75386f1303e64	b9565d219fb7879e482bfc859721acc5e10edadb73a9bb6eb3190e58e45bea5d.exe

Drops file in Windows directory 7 IoCs

Processes:

b9565d219fb7879e482bfc859721acc5e10edadb73a9bb6eb3190e58e45bea5d.exe

description	ioc	process
File created	C:\Windows\AppCompat\System.exe	b9565d219fb7879e482bfc859721acc5e10edadb73a9bb6eb3190e58e45bea5d.exe
File created	C:\Windows\AppCompat\27d1bcfc3c54e0	b9565d219fb7879e482bfc859721acc5e10edadb73a9bb6eb3190e58e45bea5d.exe
File created	C:\Windows\Downloaded Program Files\csrss.exe	b9565d219fb7879e482bfc859721acc5e10edadb73a9bb6eb3190e58e45bea5d.exe
File created	C:\Windows\Downloaded Program Files\886983d96e3d3e	b9565d219fb7879e482bfc859721acc5e10edadb73a9bb6eb3190e58e45bea5d.exe
File created	C:\Windows\tracing\sppsvc.exe	b9565d219fb7879e482bfc859721acc5e10edadb73a9bb6eb3190e58e45bea5d.exe
File opened for modification	C:\Windows\tracing\sppsvc.exe	b9565d219fb7879e482bfc859721acc5e10edadb73a9bb6eb3190e58e45bea5d.exe
File created	C:\Windows\tracing\0a1fd5f707cd16	b9565d219fb7879e482bfc859721acc5e10edadb73a9bb6eb3190e58e45bea5d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

taskhost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	taskhost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	taskhost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b0b000000010000001600000047006c006f00620061006c005300690067006e0000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	taskhost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e210f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	taskhost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	process
2156	schtasks.exe
2808	schtasks.exe
2524	schtasks.exe
1080	schtasks.exe
2644	schtasks.exe
2184	schtasks.exe
2520	schtasks.exe
1848	schtasks.exe
2864	schtasks.exe
2760	schtasks.exe
2464	schtasks.exe
2948	schtasks.exe
2164	schtasks.exe
1308	schtasks.exe
800	schtasks.exe
3012	schtasks.exe
2580	schtasks.exe
1588	schtasks.exe
1616	schtasks.exe
2824	schtasks.exe
2648	schtasks.exe
2868	schtasks.exe
2484	schtasks.exe
2008	schtasks.exe
2876	schtasks.exe
2764	schtasks.exe
2936	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

b9565d219fb7879e482bfc859721acc5e10edadb73a9bb6eb3190e58e45bea5d.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exe

pid	process
2916	b9565d219fb7879e482bfc859721acc5e10edadb73a9bb6eb3190e58e45bea5d.exe
1712	taskhost.exe
1888	taskhost.exe
972	taskhost.exe
1976	taskhost.exe
2496	taskhost.exe
3060	taskhost.exe
2916	taskhost.exe
1692	taskhost.exe
2328	taskhost.exe
2132	taskhost.exe
1452	taskhost.exe
2116	taskhost.exe
2160	taskhost.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	2916	b9565d219fb7879e482bfc859721acc5e10edadb73a9bb6eb3190e58e45bea5d.exe
Token: SeDebugPrivilege	1712	taskhost.exe
Token: SeDebugPrivilege	1888	taskhost.exe
Token: SeDebugPrivilege	972	taskhost.exe
Token: SeDebugPrivilege	1976	taskhost.exe
Token: SeDebugPrivilege	2496	taskhost.exe
Token: SeDebugPrivilege	3060	taskhost.exe
Token: SeDebugPrivilege	2916	taskhost.exe
Token: SeDebugPrivilege	1692	taskhost.exe
Token: SeDebugPrivilege	2328	taskhost.exe
Token: SeDebugPrivilege	2132	taskhost.exe
Token: SeDebugPrivilege	1452	taskhost.exe
Token: SeDebugPrivilege	2116	taskhost.exe
Token: SeDebugPrivilege	2160	taskhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b9565d219fb7879e482bfc859721acc5e10edadb73a9bb6eb3190e58e45bea5d.exetaskhost.execmd.exetaskhost.execmd.exetaskhost.execmd.exetaskhost.execmd.exetaskhost.execmd.exetaskhost.execmd.exetaskhost.execmd.exe

description	pid	process	target process
PID 2916 wrote to memory of 1712	2916	b9565d219fb7879e482bfc859721acc5e10edadb73a9bb6eb3190e58e45bea5d.exe	taskhost.exe
PID 2916 wrote to memory of 1712	2916	b9565d219fb7879e482bfc859721acc5e10edadb73a9bb6eb3190e58e45bea5d.exe	taskhost.exe
PID 2916 wrote to memory of 1712	2916	b9565d219fb7879e482bfc859721acc5e10edadb73a9bb6eb3190e58e45bea5d.exe	taskhost.exe
PID 1712 wrote to memory of 1468	1712	taskhost.exe	cmd.exe
PID 1712 wrote to memory of 1468	1712	taskhost.exe	cmd.exe
PID 1712 wrote to memory of 1468	1712	taskhost.exe	cmd.exe
PID 1468 wrote to memory of 1996	1468	cmd.exe	w32tm.exe
PID 1468 wrote to memory of 1996	1468	cmd.exe	w32tm.exe
PID 1468 wrote to memory of 1996	1468	cmd.exe	w32tm.exe
PID 1468 wrote to memory of 1888	1468	cmd.exe	taskhost.exe
PID 1468 wrote to memory of 1888	1468	cmd.exe	taskhost.exe
PID 1468 wrote to memory of 1888	1468	cmd.exe	taskhost.exe
PID 1888 wrote to memory of 1560	1888	taskhost.exe	cmd.exe
PID 1888 wrote to memory of 1560	1888	taskhost.exe	cmd.exe
PID 1888 wrote to memory of 1560	1888	taskhost.exe	cmd.exe
PID 1560 wrote to memory of 1988	1560	cmd.exe	w32tm.exe
PID 1560 wrote to memory of 1988	1560	cmd.exe	w32tm.exe
PID 1560 wrote to memory of 1988	1560	cmd.exe	w32tm.exe
PID 1560 wrote to memory of 972	1560	cmd.exe	taskhost.exe
PID 1560 wrote to memory of 972	1560	cmd.exe	taskhost.exe
PID 1560 wrote to memory of 972	1560	cmd.exe	taskhost.exe
PID 972 wrote to memory of 2112	972	taskhost.exe	cmd.exe
PID 972 wrote to memory of 2112	972	taskhost.exe	cmd.exe
PID 972 wrote to memory of 2112	972	taskhost.exe	cmd.exe
PID 2112 wrote to memory of 1440	2112	cmd.exe	w32tm.exe
PID 2112 wrote to memory of 1440	2112	cmd.exe	w32tm.exe
PID 2112 wrote to memory of 1440	2112	cmd.exe	w32tm.exe
PID 2112 wrote to memory of 1976	2112	cmd.exe	taskhost.exe
PID 2112 wrote to memory of 1976	2112	cmd.exe	taskhost.exe
PID 2112 wrote to memory of 1976	2112	cmd.exe	taskhost.exe
PID 1976 wrote to memory of 3068	1976	taskhost.exe	cmd.exe
PID 1976 wrote to memory of 3068	1976	taskhost.exe	cmd.exe
PID 1976 wrote to memory of 3068	1976	taskhost.exe	cmd.exe
PID 3068 wrote to memory of 2736	3068	cmd.exe	w32tm.exe
PID 3068 wrote to memory of 2736	3068	cmd.exe	w32tm.exe
PID 3068 wrote to memory of 2736	3068	cmd.exe	w32tm.exe
PID 3068 wrote to memory of 2496	3068	cmd.exe	taskhost.exe
PID 3068 wrote to memory of 2496	3068	cmd.exe	taskhost.exe
PID 3068 wrote to memory of 2496	3068	cmd.exe	taskhost.exe
PID 2496 wrote to memory of 2576	2496	taskhost.exe	cmd.exe
PID 2496 wrote to memory of 2576	2496	taskhost.exe	cmd.exe
PID 2496 wrote to memory of 2576	2496	taskhost.exe	cmd.exe
PID 2576 wrote to memory of 2768	2576	cmd.exe	w32tm.exe
PID 2576 wrote to memory of 2768	2576	cmd.exe	w32tm.exe
PID 2576 wrote to memory of 2768	2576	cmd.exe	w32tm.exe
PID 2576 wrote to memory of 3060	2576	cmd.exe	taskhost.exe
PID 2576 wrote to memory of 3060	2576	cmd.exe	taskhost.exe
PID 2576 wrote to memory of 3060	2576	cmd.exe	taskhost.exe
PID 3060 wrote to memory of 2988	3060	taskhost.exe	cmd.exe
PID 3060 wrote to memory of 2988	3060	taskhost.exe	cmd.exe
PID 3060 wrote to memory of 2988	3060	taskhost.exe	cmd.exe
PID 2988 wrote to memory of 2804	2988	cmd.exe	w32tm.exe
PID 2988 wrote to memory of 2804	2988	cmd.exe	w32tm.exe
PID 2988 wrote to memory of 2804	2988	cmd.exe	w32tm.exe
PID 2988 wrote to memory of 2916	2988	cmd.exe	taskhost.exe
PID 2988 wrote to memory of 2916	2988	cmd.exe	taskhost.exe
PID 2988 wrote to memory of 2916	2988	cmd.exe	taskhost.exe
PID 2916 wrote to memory of 2944	2916	taskhost.exe	cmd.exe
PID 2916 wrote to memory of 2944	2916	taskhost.exe	cmd.exe
PID 2916 wrote to memory of 2944	2916	taskhost.exe	cmd.exe
PID 2944 wrote to memory of 1656	2944	cmd.exe	w32tm.exe
PID 2944 wrote to memory of 1656	2944	cmd.exe	w32tm.exe
PID 2944 wrote to memory of 1656	2944	cmd.exe	w32tm.exe
PID 2944 wrote to memory of 1692	2944	cmd.exe	taskhost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b9565d219fb7879e482bfc859721acc5e10edadb73a9bb6eb3190e58e45bea5d.exe
"C:\Users\Admin\AppData\Local\Temp\b9565d219fb7879e482bfc859721acc5e10edadb73a9bb6eb3190e58e45bea5d.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2916

C:\Program Files\Microsoft Office\Office14\taskhost.exe
"C:\Program Files\Microsoft Office\Office14\taskhost.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1712

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ATZuYpZxcK.bat"
3⤵
- Suspicious use of WriteProcessMemory
PID:1468

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
4⤵
PID:1996

C:\Program Files\Microsoft Office\Office14\taskhost.exe
"C:\Program Files\Microsoft Office\Office14\taskhost.exe"
4⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1888

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\m1RNSv4oba.bat"
5⤵
- Suspicious use of WriteProcessMemory
PID:1560

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
6⤵
PID:1988

C:\Program Files\Microsoft Office\Office14\taskhost.exe
"C:\Program Files\Microsoft Office\Office14\taskhost.exe"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:972

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BYj1kG62r9.bat"
7⤵
- Suspicious use of WriteProcessMemory
PID:2112

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
8⤵
PID:1440

C:\Program Files\Microsoft Office\Office14\taskhost.exe
"C:\Program Files\Microsoft Office\Office14\taskhost.exe"
8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1976

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8YXrskW4JY.bat"
9⤵
- Suspicious use of WriteProcessMemory
PID:3068

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
10⤵
PID:2736

C:\Program Files\Microsoft Office\Office14\taskhost.exe
"C:\Program Files\Microsoft Office\Office14\taskhost.exe"
10⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2496

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\f4KPDhjeqr.bat"
11⤵
- Suspicious use of WriteProcessMemory
PID:2576

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
12⤵
PID:2768

C:\Program Files\Microsoft Office\Office14\taskhost.exe
"C:\Program Files\Microsoft Office\Office14\taskhost.exe"
12⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3060

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zDWALPrpmL.bat"
13⤵
- Suspicious use of WriteProcessMemory
PID:2988

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
14⤵
PID:2804

C:\Program Files\Microsoft Office\Office14\taskhost.exe
"C:\Program Files\Microsoft Office\Office14\taskhost.exe"
14⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2916

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pCY6B1XXru.bat"
15⤵
- Suspicious use of WriteProcessMemory
PID:2944

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
16⤵
PID:1656

C:\Program Files\Microsoft Office\Office14\taskhost.exe
"C:\Program Files\Microsoft Office\Office14\taskhost.exe"
16⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1692

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kUc4JDtx8N.bat"
17⤵
PID:596

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
18⤵
PID:2088

C:\Program Files\Microsoft Office\Office14\taskhost.exe
"C:\Program Files\Microsoft Office\Office14\taskhost.exe"
18⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2328

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gTQuRhIyam.bat"
19⤵
PID:448

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
20⤵
PID:1576

C:\Program Files\Microsoft Office\Office14\taskhost.exe
"C:\Program Files\Microsoft Office\Office14\taskhost.exe"
20⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2132

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MsSi1KDKJG.bat"
21⤵
PID:1560

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
22⤵
PID:3040

C:\Program Files\Microsoft Office\Office14\taskhost.exe
"C:\Program Files\Microsoft Office\Office14\taskhost.exe"
22⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1452

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vhzsSyDvNE.bat"
23⤵
PID:496

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
24⤵
PID:2384

C:\Program Files\Microsoft Office\Office14\taskhost.exe
"C:\Program Files\Microsoft Office\Office14\taskhost.exe"
24⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2116

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5fBkFKqKat.bat"
25⤵
PID:936

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
26⤵
PID:2696

C:\Program Files\Microsoft Office\Office14\taskhost.exe
"C:\Program Files\Microsoft Office\Office14\taskhost.exe"
26⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Windows\tracing\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\tracing\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Windows\tracing\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Windows\AppCompat\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\AppCompat\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Windows\AppCompat\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\Downloaded Program Files\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\Downloaded Program Files\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Adobe\Updater6\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Updater6\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Adobe\Updater6\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office\Office14\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office\Office14\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Windows\System32\da-DK\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\da-DK\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Windows\System32\da-DK\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\csrss.exe
Filesize
827KB

MD5
428bdccd4c240a253810e1c2a4ff8b78

SHA1
6cb81ccde6f9cd26b0b60ce5b5d948dbda609c8c

SHA256
b9565d219fb7879e482bfc859721acc5e10edadb73a9bb6eb3190e58e45bea5d

SHA512
81619bed44fca74f7c9cd3dc7fef9d52cea24ea4d6ea5cf3eedbe25c9a3f16f12889ff30644371146f8d55a280ed2e6b730c69c50bf2b944c74cc6d7914d1a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\5fBkFKqKat.bat
Filesize
220B

MD5
905c2210da0e5524070ee8d7cc5f1f7e

SHA1
f962207e5353233718be208592649679b016ac5b

SHA256
fbd05fb4b7a1fa8ea2086b62e1dc83268076304a4febb8006c62e237d1f9c0d7

SHA512
c78c511fa11eb558a6d39f9ecc39c22de36c996861bbad3f2d01e030431efaedcbdcd08e18784673b1ed3686700d147024520c6f3ef0a97d10d6ab0016e5d087

Download Submit
C:\Users\Admin\AppData\Local\Temp\8YXrskW4JY.bat
Filesize
220B

MD5
330fa0ae6a1ad8b5135072b1677e5585

SHA1
3f29d1a328a524eec06bf222b3720f20ca961b2e

SHA256
a8e9efcd93af23bf8f2cf24e017654204b890b3df84f4d3d66ca5485eacebfbd

SHA512
0cfbec81477d287a9d514e11b4a8af5cb1902152cf3d89f95a573317cc170ac51f4526c3387f5e7ee18e4557520e7a072063722b4d8ace21e35c40290d901960

Download Submit
C:\Users\Admin\AppData\Local\Temp\ATZuYpZxcK.bat
Filesize
220B

MD5
c8083a6bd460275e309d84b10c3741fa

SHA1
6729a029a0ee689636b7dc4fabc82d32a15d2035

SHA256
169a3b1399590b0d3a7d4a5ae5c427d807619da3e61917cca5a574c25f576234

SHA512
6ba9802fabad3fa5fb8ff7843bb9c37a3289cf8b05ce4c9611b76dea7899f2dced11b17033c7565d4495546ebc0c8129255d80f2926b2c9475507250591d0ed4

Download Submit
C:\Users\Admin\AppData\Local\Temp\BYj1kG62r9.bat
Filesize
220B

MD5
6a1d052264cd127c49de4fe7f23b0a66

SHA1
bd3245c9dcef43dda9c0552e76ec726245079165

SHA256
cf9927d5cfc74e1f57ced7044d85aabf43eb56fc22c8fc1449524fc25b0578e9

SHA512
2fd02978ffe46f90b227564f15a0984390fe046c5455e1c98816ebe654c7af5ee8d8a2c23caa4db907875e898ea046dc1bed6c9c00e29753db9314433ffa0672

Download Submit
C:\Users\Admin\AppData\Local\Temp\MsSi1KDKJG.bat
Filesize
220B

MD5
603de355dddbdb9f82cffc0ca98c7dce

SHA1
5a2fbf4665ac939acd1291c01866b6836eb5fb1a

SHA256
dba5d730f4d8d088c0aa651cc94d5d9ccf7751157c100da2c31513956495f24a

SHA512
196c50d56a1040a9a11460759f3925793493a327e042d5a795ebdf2b75229252426866cff8deb216b7d0a42e9ec6e67400a22510a37de48dda4af83a000de48c

Download Submit
C:\Users\Admin\AppData\Local\Temp\f4KPDhjeqr.bat
Filesize
220B

MD5
536f8e17d99f85dbac5d18acd60fed5b

SHA1
ad29138f452f3d7175dc4fc177a6485e11439472

SHA256
fc122906cfe9731b1d7de546cb8f855ffc1558e7605f8aacf3ac6e3f0f554cee

SHA512
59645964b6e3ee4dad82800c480309384d9ce17132a0abebdd726508e23c9d6269276ab2bbdff64c94e07025cd4be830401f5e25e7e773a714e26220def19bbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\gTQuRhIyam.bat
Filesize
220B

MD5
0a41fd4c0ce3294e1da2f29729ac07e9

SHA1
4e64f25927c25c9cd19d5c88960e5790ca11a707

SHA256
0c290f93e35dc51da78df6002f4236f097418a630dfec6eaa67711824f98806c

SHA512
ef32bda5350c416592a0e3b830c491acee4894ce4fed89927140d8117e8547af66bea8fd7e1bac927cd2bde063cf21be3edb649b065827e4f2d89f631652b65e

Download Submit
C:\Users\Admin\AppData\Local\Temp\kUc4JDtx8N.bat
Filesize
220B

MD5
afb2d4f9706e68029fad21562996874e

SHA1
0a2a569b4836113afb532ec26bd873dd6d3c5b8f

SHA256
26b050223c5eff11a040f4a9f10a2098e1096ead28a6d6ee3f8a76fb6b3a64f8

SHA512
2fdc077112a7e9151997799974fb9fe46eaefb270240954106a818f82269bb41eaa907d900adbb96d3890ad31c9701756776abcabd9f9173ee62bf979d787d53

Download Submit
C:\Users\Admin\AppData\Local\Temp\m1RNSv4oba.bat
Filesize
220B

MD5
3d73eaac6ce3b4568e88691e6edfaba3

SHA1
06d92732f563d5569544d56274a8163f4f9c9e7b

SHA256
6162d347babd4e525fbd1d81f1c11565763388a092c8c5476affb1ddc044c488

SHA512
6217d1dfec68419354a14a507f020ab2244c03d0d9a8289a826aa9038ec58215cab435d13f6d6a313d0fdde6a08d8d4a35d2c5fb57efef9081fbf7cc80d6a5c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\pCY6B1XXru.bat
Filesize
220B

MD5
c01957be97d7b9d3179ded3cde7dbed4

SHA1
ca22dec9cfb565479ee6ca3ddc1db99297fc93b1

SHA256
ef79170a8069b29834dbf63b4546bf8623b2d1e40fcfd836cdcbc715519566ad

SHA512
3089785a14b888f5d3ea67cc711848290124a4de551daf4010045948bb2b046994c7b39ee8fc0a2fcea9be81ccec79d1a6dbe4b7d498d493f66039990b0582c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vhzsSyDvNE.bat
Filesize
220B

MD5
79ff9e6bc0c47367aaccc4cfcd33be72

SHA1
70bd636bafb6c048cc5e6491a90c18896ed77fcb

SHA256
42e179383f1f5b64f26527d755f9aa89aaac53d225fc3a7f75c39e0eab77c30d

SHA512
0fc1e6818c66447366260acf5d943fcc4b2444ecd42ed4e4c794ff8d3185738dbeaac901c177c099ebeb71bbafa645087194a474812ec9336c1dcb17467c2a85

Download Submit
C:\Users\Admin\AppData\Local\Temp\zDWALPrpmL.bat
Filesize
220B

MD5
fa04d18552b308578f1774a6f9618270

SHA1
b18cdc43bdcc9ad46691e52ea70589f5836cb137

SHA256
16a4710d536e7bb9351e5bd3b29b1cffd76c4c75de6a0cc4cbfcae2556090ddc

SHA512
f85375bc7b947e5bc9464ef566e31bc7efb32627173a9f023b809b1b47bb84144f9efbd4770e3f57d6c3516a4150ec46bd7f3339b8be53cce26f487c8d8e912c

Download Submit
memory/972-56-0x0000000000300000-0x00000000003D6000-memory.dmp

Filesize
856KB

Download
memory/1452-112-0x0000000000F30000-0x0000000001006000-memory.dmp

Filesize
856KB

Download
memory/1692-91-0x0000000000040000-0x0000000000116000-memory.dmp

Filesize
856KB

Download
memory/1712-27-0x0000000000380000-0x0000000000456000-memory.dmp

Filesize
856KB

Download
memory/1888-49-0x0000000000970000-0x0000000000A46000-memory.dmp

Filesize
856KB

Download
memory/1976-63-0x00000000000A0000-0x0000000000176000-memory.dmp

Filesize
856KB

Download
memory/2116-119-0x0000000000180000-0x0000000000256000-memory.dmp

Filesize
856KB

Download
memory/2132-105-0x0000000000010000-0x00000000000E6000-memory.dmp

Filesize
856KB

Download
memory/2160-126-0x0000000001230000-0x0000000001306000-memory.dmp

Filesize
856KB

Download
memory/2328-98-0x0000000000F90000-0x0000000001066000-memory.dmp

Filesize
856KB

Download
memory/2496-70-0x0000000000370000-0x0000000000446000-memory.dmp

Filesize
856KB

Download
memory/2916-84-0x0000000000E70000-0x0000000000F46000-memory.dmp

Filesize
856KB

Download
memory/2916-0-0x000007FEF61B3000-0x000007FEF61B4000-memory.dmp

Filesize
4KB

Download
memory/2916-28-0x000007FEF61B0000-0x000007FEF6B9C000-memory.dmp

Filesize
9.9MB

Download
memory/2916-2-0x000007FEF61B0000-0x000007FEF6B9C000-memory.dmp

Filesize
9.9MB

Download
memory/2916-1-0x0000000000CA0000-0x0000000000D76000-memory.dmp

Filesize
856KB

Download
memory/3060-77-0x0000000000360000-0x0000000000436000-memory.dmp

Filesize
856KB

Download