dcrat | a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2

Analysis

max time kernel
117s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2024 11:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
Size

1.5MB
MD5

9770460ff21f1c18e4ca3e0bfe3767e0
SHA1

67aaf668b810575f2dde75bac1fbb40c602c2eae
SHA256

a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2
SHA512

c8a1718efb86e3353b0a991b3c57a531769cac3a47411a0e8e07b9441bdced564a1e90664c8ac3a52c76a0415b19bd61b8f82a1a53da171216ad2bf278bf87d8
SSDEEP

49152:/AfYoKy2QirSS9NqgWw8L0M5LLjfan+2QAbv+:yobSS/qHw8oWjf1w+

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

.NET Reactor proctector 53 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
behavioral2/memory/1912-2-0x0000000000AA0000-0x0000000000F10000-memory.dmp	net_reactor
behavioral2/memory/1912-14-0x0000000000AA0000-0x0000000000F10000-memory.dmp	net_reactor
behavioral2/memory/4108-20-0x0000000000AA0000-0x0000000000F10000-memory.dmp	net_reactor
behavioral2/memory/4108-21-0x0000000000AA0000-0x0000000000F10000-memory.dmp	net_reactor
behavioral2/memory/4108-27-0x0000000000AA0000-0x0000000000F10000-memory.dmp	net_reactor
behavioral2/memory/4364-31-0x0000000000AA0000-0x0000000000F10000-memory.dmp	net_reactor
behavioral2/memory/4364-32-0x0000000000AA0000-0x0000000000F10000-memory.dmp	net_reactor
behavioral2/memory/4364-38-0x0000000000AA0000-0x0000000000F10000-memory.dmp	net_reactor
behavioral2/memory/2312-40-0x0000000000AA0000-0x0000000000F10000-memory.dmp	net_reactor
behavioral2/memory/2312-41-0x0000000000AA0000-0x0000000000F10000-memory.dmp	net_reactor
behavioral2/memory/2312-42-0x0000000000AA0000-0x0000000000F10000-memory.dmp	net_reactor
behavioral2/memory/2312-48-0x0000000000AA0000-0x0000000000F10000-memory.dmp	net_reactor
behavioral2/memory/4912-50-0x0000000000AA0000-0x0000000000F10000-memory.dmp	net_reactor
behavioral2/memory/4912-51-0x0000000000AA0000-0x0000000000F10000-memory.dmp	net_reactor
behavioral2/memory/4912-52-0x0000000000AA0000-0x0000000000F10000-memory.dmp	net_reactor
behavioral2/memory/4912-58-0x0000000000AA0000-0x0000000000F10000-memory.dmp	net_reactor
behavioral2/memory/3052-61-0x0000000000AA0000-0x0000000000F10000-memory.dmp	net_reactor
behavioral2/memory/3052-62-0x0000000000AA0000-0x0000000000F10000-memory.dmp	net_reactor
behavioral2/memory/3052-68-0x0000000000AA0000-0x0000000000F10000-memory.dmp	net_reactor
behavioral2/memory/5064-70-0x0000000000AA0000-0x0000000000F10000-memory.dmp	net_reactor
behavioral2/memory/5064-71-0x0000000000AA0000-0x0000000000F10000-memory.dmp	net_reactor
behavioral2/memory/5064-72-0x0000000000AA0000-0x0000000000F10000-memory.dmp	net_reactor
behavioral2/memory/5064-78-0x0000000000AA0000-0x0000000000F10000-memory.dmp	net_reactor
behavioral2/memory/4440-81-0x0000000000AA0000-0x0000000000F10000-memory.dmp	net_reactor
behavioral2/memory/4440-82-0x0000000000AA0000-0x0000000000F10000-memory.dmp	net_reactor
behavioral2/memory/4440-88-0x0000000000AA0000-0x0000000000F10000-memory.dmp	net_reactor
behavioral2/memory/2956-92-0x0000000000AA0000-0x0000000000F10000-memory.dmp	net_reactor
behavioral2/memory/2956-91-0x0000000000AA0000-0x0000000000F10000-memory.dmp	net_reactor
behavioral2/memory/2956-98-0x0000000000AA0000-0x0000000000F10000-memory.dmp	net_reactor
behavioral2/memory/4464-101-0x0000000000AA0000-0x0000000000F10000-memory.dmp	net_reactor
behavioral2/memory/4464-102-0x0000000000AA0000-0x0000000000F10000-memory.dmp	net_reactor
behavioral2/memory/4464-108-0x0000000000AA0000-0x0000000000F10000-memory.dmp	net_reactor
behavioral2/memory/5040-110-0x0000000000AA0000-0x0000000000F10000-memory.dmp	net_reactor
behavioral2/memory/5040-111-0x0000000000AA0000-0x0000000000F10000-memory.dmp	net_reactor
behavioral2/memory/5040-112-0x0000000000AA0000-0x0000000000F10000-memory.dmp	net_reactor
behavioral2/memory/5040-118-0x0000000000AA0000-0x0000000000F10000-memory.dmp	net_reactor
behavioral2/memory/212-121-0x0000000000AA0000-0x0000000000F10000-memory.dmp	net_reactor
behavioral2/memory/212-122-0x0000000000AA0000-0x0000000000F10000-memory.dmp	net_reactor
behavioral2/memory/212-128-0x0000000000AA0000-0x0000000000F10000-memory.dmp	net_reactor
behavioral2/memory/2980-130-0x0000000000AA0000-0x0000000000F10000-memory.dmp	net_reactor
behavioral2/memory/2980-131-0x0000000000AA0000-0x0000000000F10000-memory.dmp	net_reactor
behavioral2/memory/2980-132-0x0000000000AA0000-0x0000000000F10000-memory.dmp	net_reactor
behavioral2/memory/2980-138-0x0000000000AA0000-0x0000000000F10000-memory.dmp	net_reactor
behavioral2/memory/4956-140-0x0000000000AA0000-0x0000000000F10000-memory.dmp	net_reactor
behavioral2/memory/4956-141-0x0000000000AA0000-0x0000000000F10000-memory.dmp	net_reactor
behavioral2/memory/4956-142-0x0000000000AA0000-0x0000000000F10000-memory.dmp	net_reactor
behavioral2/memory/4956-148-0x0000000000AA0000-0x0000000000F10000-memory.dmp	net_reactor
behavioral2/memory/3452-151-0x0000000000AA0000-0x0000000000F10000-memory.dmp	net_reactor
behavioral2/memory/3452-152-0x0000000000AA0000-0x0000000000F10000-memory.dmp	net_reactor
behavioral2/memory/3452-158-0x0000000000AA0000-0x0000000000F10000-memory.dmp	net_reactor
behavioral2/memory/3612-161-0x0000000000AA0000-0x0000000000F10000-memory.dmp	net_reactor
behavioral2/memory/3612-162-0x0000000000AA0000-0x0000000000F10000-memory.dmp	net_reactor
behavioral2/memory/3612-168-0x0000000000AA0000-0x0000000000F10000-memory.dmp	net_reactor

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exea85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exea85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exea85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exea85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exea85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exea85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exea85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exea85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exea85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exea85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exea85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exea85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exea85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exea85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exea85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 20 IoCs

Processes:

pid	Process
1912	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
4108	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
4364	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
2312	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
4912	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
4912	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
3052	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
5064	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
4440	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
2956	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
2956	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
4464	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
5040	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
212	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
2980	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
4956	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
4956	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
3452	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
3612	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
3612	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.execmd.exea85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exechcp.comcmd.exePING.EXEa85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exea85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.execmd.exechcp.comcmd.exePING.EXEchcp.comcmd.exea85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exea85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exew32tm.exea85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exea85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exechcp.comw32tm.execmd.exew32tm.exechcp.comw32tm.exea85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.execmd.exePING.EXEchcp.comcmd.exea85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exew32tm.exea85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exePING.EXEcmd.execmd.exea85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.execmd.execmd.exePING.EXEa85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.execmd.execmd.exechcp.comcmd.exePING.EXEcmd.exew32tm.exea85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exea85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exechcp.comw32tm.exechcp.comw32tm.exePING.EXEchcp.comw32tm.exechcp.coma85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exechcp.comchcp.comchcp.comchcp.comchcp.com

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	w32tm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	w32tm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	w32tm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	w32tm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	w32tm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	w32tm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	w32tm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	w32tm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	w32tm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 7 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	Process
3420	PING.EXE
1084	PING.EXE
1784	PING.EXE
1776	PING.EXE
4880	PING.EXE
2960	PING.EXE
4932	PING.EXE

Modifies registry class 16 IoCs

Processes:

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe

Runs ping.exe 1 TTPs 7 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	Process
4932	PING.EXE
3420	PING.EXE
1084	PING.EXE
1784	PING.EXE
1776	PING.EXE
4880	PING.EXE
2960	PING.EXE

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

description	pid	Process
Token: SeDebugPrivilege	1912	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
Token: SeDebugPrivilege	4108	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
Token: SeDebugPrivilege	4364	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
Token: SeDebugPrivilege	2312	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
Token: SeDebugPrivilege	4912	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
Token: SeDebugPrivilege	3052	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
Token: SeDebugPrivilege	5064	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
Token: SeDebugPrivilege	4440	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
Token: SeDebugPrivilege	2956	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
Token: SeDebugPrivilege	4464	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
Token: SeDebugPrivilege	5040	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
Token: SeDebugPrivilege	212	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
Token: SeDebugPrivilege	2980	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
Token: SeDebugPrivilege	4956	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
Token: SeDebugPrivilege	3452	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
Token: SeDebugPrivilege	3612	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

pid	Process
1912	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
4108	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
4364	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
2312	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
4912	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
3052	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
5064	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
4440	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
2956	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
4464	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
5040	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
212	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
2980	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
4956	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
3452	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
3612	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.execmd.exea85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.execmd.exew32tm.exea85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.execmd.exea85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.execmd.exew32tm.exea85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.execmd.exe

description	pid	Process	procid_target
PID 1912 wrote to memory of 3636	1912	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe	82
PID 1912 wrote to memory of 3636	1912	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe	82
PID 1912 wrote to memory of 3636	1912	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe	82
PID 3636 wrote to memory of 5040	3636	cmd.exe	84
PID 3636 wrote to memory of 5040	3636	cmd.exe	84
PID 3636 wrote to memory of 5040	3636	cmd.exe	84
PID 3636 wrote to memory of 4880	3636	cmd.exe	85
PID 3636 wrote to memory of 4880	3636	cmd.exe	85
PID 3636 wrote to memory of 4880	3636	cmd.exe	85
PID 3636 wrote to memory of 4108	3636	cmd.exe	93
PID 3636 wrote to memory of 4108	3636	cmd.exe	93
PID 3636 wrote to memory of 4108	3636	cmd.exe	93
PID 4108 wrote to memory of 4444	4108	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe	94
PID 4108 wrote to memory of 4444	4108	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe	94
PID 4108 wrote to memory of 4444	4108	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe	94
PID 4444 wrote to memory of 536	4444	cmd.exe	96
PID 4444 wrote to memory of 536	4444	cmd.exe	96
PID 4444 wrote to memory of 536	4444	cmd.exe	96
PID 4444 wrote to memory of 4252	4444	cmd.exe	97
PID 4444 wrote to memory of 4252	4444	cmd.exe	97
PID 4444 wrote to memory of 4252	4444	cmd.exe	97
PID 4252 wrote to memory of 2276	4252	w32tm.exe	98
PID 4252 wrote to memory of 2276	4252	w32tm.exe	98
PID 4444 wrote to memory of 4364	4444	cmd.exe	99
PID 4444 wrote to memory of 4364	4444	cmd.exe	99
PID 4444 wrote to memory of 4364	4444	cmd.exe	99
PID 4364 wrote to memory of 824	4364	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe	100
PID 4364 wrote to memory of 824	4364	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe	100
PID 4364 wrote to memory of 824	4364	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe	100
PID 824 wrote to memory of 2700	824	cmd.exe	102
PID 824 wrote to memory of 2700	824	cmd.exe	102
PID 824 wrote to memory of 2700	824	cmd.exe	102
PID 824 wrote to memory of 2960	824	cmd.exe	103
PID 824 wrote to memory of 2960	824	cmd.exe	103
PID 824 wrote to memory of 2960	824	cmd.exe	103
PID 824 wrote to memory of 2312	824	cmd.exe	104
PID 824 wrote to memory of 2312	824	cmd.exe	104
PID 824 wrote to memory of 2312	824	cmd.exe	104
PID 2312 wrote to memory of 4276	2312	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe	105
PID 2312 wrote to memory of 4276	2312	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe	105
PID 2312 wrote to memory of 4276	2312	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe	105
PID 4276 wrote to memory of 4504	4276	cmd.exe	107
PID 4276 wrote to memory of 4504	4276	cmd.exe	107
PID 4276 wrote to memory of 4504	4276	cmd.exe	107
PID 4276 wrote to memory of 3076	4276	cmd.exe	108
PID 4276 wrote to memory of 3076	4276	cmd.exe	108
PID 4276 wrote to memory of 3076	4276	cmd.exe	108
PID 3076 wrote to memory of 2804	3076	w32tm.exe	109
PID 3076 wrote to memory of 2804	3076	w32tm.exe	109
PID 4276 wrote to memory of 4912	4276	cmd.exe	111
PID 4276 wrote to memory of 4912	4276	cmd.exe	111
PID 4276 wrote to memory of 4912	4276	cmd.exe	111
PID 4912 wrote to memory of 4508	4912	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe	112
PID 4912 wrote to memory of 4508	4912	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe	112
PID 4912 wrote to memory of 4508	4912	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe	112
PID 4508 wrote to memory of 1516	4508	cmd.exe	114
PID 4508 wrote to memory of 1516	4508	cmd.exe	114
PID 4508 wrote to memory of 1516	4508	cmd.exe	114
PID 4508 wrote to memory of 4932	4508	cmd.exe	115
PID 4508 wrote to memory of 4932	4508	cmd.exe	115
PID 4508 wrote to memory of 4932	4508	cmd.exe	115
PID 4508 wrote to memory of 3052	4508	cmd.exe	117
PID 4508 wrote to memory of 3052	4508	cmd.exe	117
PID 4508 wrote to memory of 3052	4508	cmd.exe	117

C:\Users\Admin\AppData\Local\Temp\a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
"C:\Users\Admin\AppData\Local\Temp\a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe"
1⤵
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1912
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WKhls1MESA.bat"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3636
- - C:\Windows\SysWOW64\chcp.com
    chcp 65001
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5040
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:4880
- - C:\Users\Admin\AppData\Local\Temp\a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
    "C:\Users\Admin\AppData\Local\Temp\a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4108
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iN31mkcLsQ.bat"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4444
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:536
    - - C:\Windows\SysWOW64\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4252
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2276
    - - C:\Users\Admin\AppData\Local\Temp\a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe"
        5⤵
        Checks computer location settings
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4364
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MF6Ow2NaEZ.bat"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:824
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2700
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe"
        7⤵
        Checks computer location settings
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2312
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HdPNv8gS74.bat"
        8⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4276
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4504
        
        C:\Windows\SysWOW64\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3076
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe"
        9⤵
        Checks computer location settings
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4912
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\n5TyArTaLh.bat"
        10⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4508
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1516
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4932
        
        C:\Users\Admin\AppData\Local\Temp\a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe"
        11⤵
        Checks computer location settings
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3052
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vBpF9HAQp1.bat"
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2864
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:3984
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3420
        
        C:\Users\Admin\AppData\Local\Temp\a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe"
        13⤵
        Checks computer location settings
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:5064
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3GBX8grFKM.bat"
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:5088
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:2672
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1084
        
        C:\Users\Admin\AppData\Local\Temp\a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe"
        15⤵
        Checks computer location settings
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4440
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rnyMd9S9uS.bat"
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:2608
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:4372
        
        C:\Windows\SysWOW64\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:2852
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2616
        
        C:\Users\Admin\AppData\Local\Temp\a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe"
        17⤵
        Checks computer location settings
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pKJ6edTRWc.bat"
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:436
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:2664
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        19⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1784
        
        C:\Users\Admin\AppData\Local\Temp\a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe"
        19⤵
        Checks computer location settings
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4464
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qZ8E8OSIiX.bat"
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:916
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:2932
        
        C:\Windows\SysWOW64\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:5080
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:4912
        
        C:\Users\Admin\AppData\Local\Temp\a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe"
        21⤵
        Checks computer location settings
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:5040
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uw07fWAZe6.bat"
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:4844
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:4708
        
        C:\Windows\SysWOW64\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:2716
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:4648
        
        C:\Users\Admin\AppData\Local\Temp\a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe"
        23⤵
        Checks computer location settings
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:212
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aHhknKvWN5.bat"
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:3416
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:944
        
        C:\Windows\SysWOW64\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:408
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:4776
        
        C:\Users\Admin\AppData\Local\Temp\a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe"
        25⤵
        Checks computer location settings
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7yfvayqnt7.bat"
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:1168
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:2896
        
        C:\Windows\SysWOW64\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:2080
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:1040
        
        C:\Users\Admin\AppData\Local\Temp\a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe"
        27⤵
        Checks computer location settings
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4956
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zYh8fPsglb.bat"
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:1440
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:2608
        
        C:\Windows\SysWOW64\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:1332
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        30⤵
        
        PID:3256
        
        C:\Users\Admin\AppData\Local\Temp\a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe"
        29⤵
        Checks computer location settings
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3452
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Cg5rz6h3MO.bat"
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:1816
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        31⤵
        System Location Discovery: System Language Discovery
        
        PID:2988
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        31⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe"
        31⤵
        Checks computer location settings
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3612
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aHhknKvWN5.bat"
        32⤵
        System Location Discovery: System Language Discovery
        
        PID:3576
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        33⤵
        System Location Discovery: System Language Discovery
        
        PID:4536
        
        C:\Windows\SysWOW64\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        33⤵
        System Location Discovery: System Language Discovery
        
        PID:4480
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        34⤵
        
        PID:2196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe.log

Filesize
1KB

MD5
aff6edc7361636c338b687796dc78183

SHA1
ffa7f72ce7596bd7004c3222b40307cdf6f39602

SHA256
833de85f153ce5265b943d01238ef6eef95499d6421c1c45998cd836f358f47d

SHA512
6dfd9b19d9e33958bc97cefd4c0b2ab4cd2d55606fad584a2791510e6424f29b8caa7d6ea64cf4f43a4ae6fda66a81b88ce27e28c293e11fa83b145bf8b4f4af

Download Submit
C:\Users\Admin\AppData\Local\Temp\3GBX8grFKM.bat

Filesize
231B

MD5
733e821801e75f1ffa78f2154fc4ade7

SHA1
1faceb593680db840f4c3e282aa089b590305a19

SHA256
9486589f2f87280e35ba953289b00ad6d01bef6520718971c915601a6056ef4a

SHA512
7948e1d489c83d7eb343866db97cdaf4fc5c366276c7b0723d6b8c3edbe18879a760d0c3826d73406b40487f611f51b5e07da5ada181cf139ad1b4cf555931b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7yfvayqnt7.bat

Filesize
279B

MD5
40a9a117017c88e770bd5aa667603004

SHA1
b89779ca5a215f60f7016f5ba5d63a945383180b

SHA256
84e56d29f984c24c405ddd351a62f4880efe4f061f8db31e02c520ad96463594

SHA512
6dd5bbe9220db3df6070a5da03e9d0458ad1797d243da6feb1bfef417eb1603bafd9e2fb83b6030f0fffb740d8b4be46be5ab951704e128270f0bed259343ca8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cg5rz6h3MO.bat

Filesize
231B

MD5
43f43440273f7d2a21157d4f5014f834

SHA1
6eedfbeb5243e502e144b251b61b8382776781a8

SHA256
7c854c73643fd5b54e74c2ad68d8ddcbe6a8affa18573355185320bfef249c62

SHA512
c3f2094171df7a1f77edc792af81c06ae80f804f2984c6afaaf81df05e78c1423cc4846252c27c45c2af9eeedff4f2acf44c6b8ec855e48bb5574d61083b05a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\HdPNv8gS74.bat

Filesize
279B

MD5
e176cf2f27ce6d9297df7fd70e541c8e

SHA1
4eb58788c39fb9ea1c4b4a408d899388b514bb0c

SHA256
74b75c6551488f5458711ce1dd10ccbd25831b259980d1c6d29621759b86b8ab

SHA512
165c9d4f4b4d8a787811e53b524ab6fc2d5692f7a725ad9f7f4c5889375556a37b2405c40fa85986deb8fb5e00761f3f0cda1a9eb907f4b693b0adf6274f827a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MF6Ow2NaEZ.bat

Filesize
231B

MD5
9f40ca2b1bab2c06f25228c854324c31

SHA1
b6a3b9c1b5228bb9567db81f98feb8a399d59bfc

SHA256
3e2c44fcdd64d9880e9dc85d11ea39e8cd3503043516500aa786275b75007f8f

SHA512
39b5d5cd0d87ea9a794d3d6650601c60a9e88bf01353677852c373ded8f6d095f2a68ab2714c7886a43a1eb0bf401b90182a98295f1ee4eaa1ca24024d37c985

Download Submit
C:\Users\Admin\AppData\Local\Temp\WKhls1MESA.bat

Filesize
231B

MD5
9d8b80fa38cbab5c5ab2ea8073996009

SHA1
b10fd3c29a32cb9c735c6f0e584ed1a2e2866436

SHA256
43cc6822aef4ac2f6a148310268a2698b03574fa019eb88891ab9406f11c4640

SHA512
36316ec2b39ea1eea0e336e5ff16b99e5ac803a6fa864ab3bbff119a226cfc3764bf4e8d02a734222b20b146cf0f47de2c24ad24d5b2b03e8514a681ad05625a

Download Submit
C:\Users\Admin\AppData\Local\Temp\aHhknKvWN5.bat

Filesize
279B

MD5
ed13beb905d52bfa67d4638a5e4652dc

SHA1
4e53417c03b0abf2883dc665b4421960a4ccf341

SHA256
a33e775e839684d70f61e6866d11daddb9546a62276df4b22e7cd8c7f72cb32b

SHA512
7719effcaf40f7ac4af2625490e87578d01d9abfdb32e7cb52f0ce679a981b163ef4c820a19b0b7f38e9aa6ac3949691316bd8925c6a37191bac63ffa1c6ebea

Download Submit
C:\Users\Admin\AppData\Local\Temp\iN31mkcLsQ.bat

Filesize
279B

MD5
f7cbc85834a456a669d09e8551872415

SHA1
8309e8c3a2f2535cd7a870ead0758cfb2341c4be

SHA256
c941fdeb2e2b577a8e89e79b38b3ba80a7c4a1b99df4794fcaab69530d9da041

SHA512
2ffb728abeb7aaadc8ad8e2c00ee812d38036ac33058178d31683f50fc11b287e02794fa27413e1333a99da26846b0d5aab3b219f9a51ce5af5b519a5a5d0e05

Download Submit
C:\Users\Admin\AppData\Local\Temp\n5TyArTaLh.bat

Filesize
231B

MD5
57fe21792012c5b7b571adb07768cac7

SHA1
1d01f9ab66cbdb3cf32817f1da905c22dc7c7a7e

SHA256
9acdb71ca97b9020bfc5acd01e6eea57f799a2364d21a5101ab1e93176c14498

SHA512
1bf5ad81c08552fda3f7faef264ff40517ce5889d4ebf884bed7f8874c6fad891eb7bbf4e427958d0cc63889b039a30d627cf8efb393049dec9ca6a24b95fd09

Download Submit
C:\Users\Admin\AppData\Local\Temp\pKJ6edTRWc.bat

Filesize
231B

MD5
24c4a499438bea6309d67f22e890d7cc

SHA1
b1a43ad42df4ee74cf1744bbc83142b9fdb318d1

SHA256
411ea76a5b0bc6b0cdfb69e6d9d853e4153aba0d17c9ee47f7ebfe24e0e3d6d5

SHA512
e6dea00e6f72b7f91c3c44e6541207d4b69b25d0c18f4e084cdc6114a0dcb6fb76eb3cded8675281af63e02f4c25831415f79096e813489567d10f7a51f5ca6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\qZ8E8OSIiX.bat

Filesize
279B

MD5
8ef5104259cc7119f355f348c4eed705

SHA1
dc152892434412841abd046785163fd5ceafdcf8

SHA256
baebb1665e85f630d573ece37388dea04c225e6b081e1e640d773461526f38ae

SHA512
ededc457647ee655f17c2fcf10b813469969b37c331b117dddd48376568b011bbeaa6d5d89114f2e6dd0ccea9fdff21d1884722be2f935e4a7473955b75e0ee6

Download Submit
C:\Users\Admin\AppData\Local\Temp\rnyMd9S9uS.bat

Filesize
279B

MD5
bba675df7243f90e188f831ccdd5fd1c

SHA1
aa28d2c242d78375846be71d65ae4f8522ccaf4e

SHA256
c9986a24074048e270baf42dc352e0b4e55ae3db452d0b3150eb333e05a8249b

SHA512
929959aa9cea85552ae26215e1b2019de49973e04b6024aba71f7bce57c83ca1875e75f73581beb230b5e019fb16234905f09fe48541039cb9e78a24f37589d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\uw07fWAZe6.bat

Filesize
279B

MD5
c2482418c911ae6b19e815b4eed023dd

SHA1
ef1973e8f77f9808cb986943f8d9562f62db4112

SHA256
031a9b4b23130db3a8c9bd16e6885c7b79e8851e9eba1363f2c6e71c883aef4a

SHA512
8ea7ee6926f4f2ddc0a3bf5218b45ea60297280d4f32c334d316a02798b03f1b2fd21261d01df8f3b957e1e6bd0e80f6d8929808fa4a2a704d7a4fec46371f07

Download Submit
C:\Users\Admin\AppData\Local\Temp\vBpF9HAQp1.bat

Filesize
231B

MD5
94fa83b7b5d2db0159f4035c3e4dd464

SHA1
78a7a50dbb79771a7a56cfd6e12f9269b063af9b

SHA256
5bb272e5a19001b635ee64211cbde77aaa4e3751f395ab2bf615185aa7f0a7c7

SHA512
077f6ea3da4a8920676fdb5cccf3211891cd2f0a8618122c0e48130e22392b44a882f4421e5a9a7b7a51519aed9bfd10099a1dbcfea67e66dddeb597d1212c1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zYh8fPsglb.bat

Filesize
279B

MD5
411337950083c59ff27d7a8e3584a2cc

SHA1
dfff40ea0ff315de9dab2772264853d79aaa4704

SHA256
232796a48a8e8b3966eebed1f8f6b8d47be2d9cf4b21fb5944a972aa33f3904e

SHA512
8363a07dce9137028cc01b2dcad68101a52f1d2e2d89b4fc4b024d4aef99f202802835b90782eb54fdd33d88bd53668411a6737ffd191cf8f88d13e717b07073

Download Submit
memory/212-122-0x0000000000AA0000-0x0000000000F10000-memory.dmp

Filesize
4.4MB

Download
memory/212-128-0x0000000000AA0000-0x0000000000F10000-memory.dmp

Filesize
4.4MB

Download
memory/212-121-0x0000000000AA0000-0x0000000000F10000-memory.dmp

Filesize
4.4MB

Download
memory/212-120-0x0000000000AA0000-0x0000000000F10000-memory.dmp

Filesize
4.4MB

Download
memory/1912-14-0x0000000000AA0000-0x0000000000F10000-memory.dmp

Filesize
4.4MB

Download
memory/1912-0-0x0000000000AA0000-0x0000000000F10000-memory.dmp

Filesize
4.4MB

Download
memory/1912-4-0x0000000074700000-0x0000000074EB0000-memory.dmp

Filesize
7.7MB

Download
memory/1912-3-0x0000000007840000-0x0000000007DE4000-memory.dmp

Filesize
5.6MB

Download
memory/1912-2-0x0000000000AA0000-0x0000000000F10000-memory.dmp

Filesize
4.4MB

Download
memory/1912-1-0x000000007470E000-0x000000007470F000-memory.dmp

Filesize
4KB

Download
memory/1912-15-0x0000000074700000-0x0000000074EB0000-memory.dmp

Filesize
7.7MB

Download
memory/2312-40-0x0000000000AA0000-0x0000000000F10000-memory.dmp

Filesize
4.4MB

Download
memory/2312-42-0x0000000000AA0000-0x0000000000F10000-memory.dmp

Filesize
4.4MB

Download
memory/2312-48-0x0000000000AA0000-0x0000000000F10000-memory.dmp

Filesize
4.4MB

Download
memory/2312-41-0x0000000000AA0000-0x0000000000F10000-memory.dmp

Filesize
4.4MB

Download
memory/2956-92-0x0000000000AA0000-0x0000000000F10000-memory.dmp

Filesize
4.4MB

Download
memory/2956-90-0x0000000000AA0000-0x0000000000F10000-memory.dmp

Filesize
4.4MB

Download
memory/2956-91-0x0000000000AA0000-0x0000000000F10000-memory.dmp

Filesize
4.4MB

Download
memory/2956-98-0x0000000000AA0000-0x0000000000F10000-memory.dmp

Filesize
4.4MB

Download
memory/2980-138-0x0000000000AA0000-0x0000000000F10000-memory.dmp

Filesize
4.4MB

Download
memory/2980-132-0x0000000000AA0000-0x0000000000F10000-memory.dmp

Filesize
4.4MB

Download
memory/2980-131-0x0000000000AA0000-0x0000000000F10000-memory.dmp

Filesize
4.4MB

Download
memory/2980-130-0x0000000000AA0000-0x0000000000F10000-memory.dmp

Filesize
4.4MB

Download
memory/3052-68-0x0000000000AA0000-0x0000000000F10000-memory.dmp

Filesize
4.4MB

Download
memory/3052-62-0x0000000000AA0000-0x0000000000F10000-memory.dmp

Filesize
4.4MB

Download
memory/3052-61-0x0000000000AA0000-0x0000000000F10000-memory.dmp

Filesize
4.4MB

Download
memory/3052-60-0x0000000000AA0000-0x0000000000F10000-memory.dmp

Filesize
4.4MB

Download
memory/3452-158-0x0000000000AA0000-0x0000000000F10000-memory.dmp

Filesize
4.4MB

Download
memory/3452-152-0x0000000000AA0000-0x0000000000F10000-memory.dmp

Filesize
4.4MB

Download
memory/3452-151-0x0000000000AA0000-0x0000000000F10000-memory.dmp

Filesize
4.4MB

Download
memory/3452-150-0x0000000000AA0000-0x0000000000F10000-memory.dmp

Filesize
4.4MB

Download
memory/3612-160-0x0000000000AA0000-0x0000000000F10000-memory.dmp

Filesize
4.4MB

Download
memory/3612-161-0x0000000000AA0000-0x0000000000F10000-memory.dmp

Filesize
4.4MB

Download
memory/3612-168-0x0000000000AA0000-0x0000000000F10000-memory.dmp

Filesize
4.4MB

Download
memory/3612-162-0x0000000000AA0000-0x0000000000F10000-memory.dmp

Filesize
4.4MB

Download
memory/4108-27-0x0000000000AA0000-0x0000000000F10000-memory.dmp

Filesize
4.4MB

Download
memory/4108-17-0x0000000000AA0000-0x0000000000F10000-memory.dmp

Filesize
4.4MB

Download
memory/4108-20-0x0000000000AA0000-0x0000000000F10000-memory.dmp

Filesize
4.4MB

Download
memory/4108-21-0x0000000000AA0000-0x0000000000F10000-memory.dmp

Filesize
4.4MB

Download
memory/4108-19-0x00000000746D0000-0x000000007477B000-memory.dmp

Filesize
684KB

Download
memory/4108-28-0x00000000746D0000-0x000000007477B000-memory.dmp

Filesize
684KB

Download
memory/4364-31-0x0000000000AA0000-0x0000000000F10000-memory.dmp

Filesize
4.4MB

Download
memory/4364-38-0x0000000000AA0000-0x0000000000F10000-memory.dmp

Filesize
4.4MB

Download
memory/4364-30-0x0000000000AA0000-0x0000000000F10000-memory.dmp

Filesize
4.4MB

Download
memory/4364-32-0x0000000000AA0000-0x0000000000F10000-memory.dmp

Filesize
4.4MB

Download
memory/4440-81-0x0000000000AA0000-0x0000000000F10000-memory.dmp

Filesize
4.4MB

Download
memory/4440-88-0x0000000000AA0000-0x0000000000F10000-memory.dmp

Filesize
4.4MB

Download
memory/4440-80-0x0000000000AA0000-0x0000000000F10000-memory.dmp

Filesize
4.4MB

Download
memory/4440-82-0x0000000000AA0000-0x0000000000F10000-memory.dmp

Filesize
4.4MB

Download
memory/4464-102-0x0000000000AA0000-0x0000000000F10000-memory.dmp

Filesize
4.4MB

Download
memory/4464-101-0x0000000000AA0000-0x0000000000F10000-memory.dmp

Filesize
4.4MB

Download
memory/4464-100-0x0000000000AA0000-0x0000000000F10000-memory.dmp

Filesize
4.4MB

Download
memory/4464-108-0x0000000000AA0000-0x0000000000F10000-memory.dmp

Filesize
4.4MB

Download
memory/4912-50-0x0000000000AA0000-0x0000000000F10000-memory.dmp

Filesize
4.4MB

Download
memory/4912-58-0x0000000000AA0000-0x0000000000F10000-memory.dmp

Filesize
4.4MB

Download
memory/4912-51-0x0000000000AA0000-0x0000000000F10000-memory.dmp

Filesize
4.4MB

Download
memory/4912-52-0x0000000000AA0000-0x0000000000F10000-memory.dmp

Filesize
4.4MB

Download
memory/4956-140-0x0000000000AA0000-0x0000000000F10000-memory.dmp

Filesize
4.4MB

Download
memory/4956-141-0x0000000000AA0000-0x0000000000F10000-memory.dmp

Filesize
4.4MB

Download
memory/4956-142-0x0000000000AA0000-0x0000000000F10000-memory.dmp

Filesize
4.4MB

Download
memory/4956-148-0x0000000000AA0000-0x0000000000F10000-memory.dmp

Filesize
4.4MB

Download
memory/5040-110-0x0000000000AA0000-0x0000000000F10000-memory.dmp

Filesize
4.4MB

Download
memory/5040-112-0x0000000000AA0000-0x0000000000F10000-memory.dmp

Filesize
4.4MB

Download
memory/5040-111-0x0000000000AA0000-0x0000000000F10000-memory.dmp

Filesize
4.4MB

Download
memory/5040-118-0x0000000000AA0000-0x0000000000F10000-memory.dmp

Filesize
4.4MB

Download
memory/5064-78-0x0000000000AA0000-0x0000000000F10000-memory.dmp

Filesize
4.4MB

Download
memory/5064-72-0x0000000000AA0000-0x0000000000F10000-memory.dmp

Filesize
4.4MB

Download
memory/5064-71-0x0000000000AA0000-0x0000000000F10000-memory.dmp

Filesize
4.4MB

Download
memory/5064-70-0x0000000000AA0000-0x0000000000F10000-memory.dmp

Filesize
4.4MB

Download