dcrat | 9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22/12/2024, 09:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623_Sigmanly.exe
Size

483KB
MD5

80f82098b4ff87c7980403091b1b17bd
SHA1

e148a4bf5d34eddec309012bfb68e459d9129e5b
SHA256

9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623
SHA512

f44b97af2199f5573eef474e78bc6acbac560455ef5730c4101588c40531099f3784787df95d885dc5756cb7913a2864b7a0987876aac75acfdb7ab1eeffff1a
SSDEEP

6144:rSpXb1XT7pvYgsVaeR2gmwhqLhyImR+/tVZecPmzF7aPM1Ujvbj7SHMsz61+:rOr1Xnppc3hTVStVscVPGSXmHj61+

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

DCRat payload 2 IoCs

rat

resource	yara_rule
behavioral2/memory/2520-1-0x0000000000D30000-0x0000000000DB0000-memory.dmp	family_dcrat_v2
behavioral2/files/0x000a000000023b6e-10.dat	family_dcrat_v2

Checks computer location settings 2 TTPs 21 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623_Sigmanly.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	smss.exe

Executes dropped EXE 20 IoCs

pid	Process
1668	smss.exe
2556	smss.exe
3604	smss.exe
4976	smss.exe
972	smss.exe
2200	smss.exe
3640	smss.exe
3692	smss.exe
3508	smss.exe
5052	smss.exe
4960	smss.exe
3684	smss.exe
4848	smss.exe
3844	smss.exe
1624	smss.exe
948	smss.exe
4400	smss.exe
4364	smss.exe
1424	smss.exe
4560	smss.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Internet Explorer\SIGNUP\smss.exe	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623_Sigmanly.exe
File created	C:\Program Files\Internet Explorer\SIGNUP\69ddcba757bf72	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623_Sigmanly.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\LanguageOverlayCache\explorer.exe	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623_Sigmanly.exe
File created	C:\Windows\InputMethod\CHT\RuntimeBroker.exe	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623_Sigmanly.exe
File opened for modification	C:\Windows\InputMethod\CHT\RuntimeBroker.exe	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623_Sigmanly.exe
File created	C:\Windows\InputMethod\CHT\9e8d7a4ca61bd9	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623_Sigmanly.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 9 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
5000	PING.EXE
1352	PING.EXE
3412	PING.EXE
5028	PING.EXE
556	PING.EXE
2100	PING.EXE
3696	PING.EXE
880	PING.EXE
1092	PING.EXE

Modifies registry class 21 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623_Sigmanly.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	smss.exe

Runs ping.exe 1 TTPs 9 IoCs

Remote System Discovery

T1018

pid	Process
1092	PING.EXE
5028	PING.EXE
2100	PING.EXE
3412	PING.EXE
1352	PING.EXE
3696	PING.EXE
880	PING.EXE
556	PING.EXE
5000	PING.EXE

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
2520	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623_Sigmanly.exe
2520	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623_Sigmanly.exe
2520	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623_Sigmanly.exe
2520	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623_Sigmanly.exe
2520	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623_Sigmanly.exe
2520	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623_Sigmanly.exe
2520	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623_Sigmanly.exe
2520	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623_Sigmanly.exe
2520	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623_Sigmanly.exe
2520	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623_Sigmanly.exe
2520	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623_Sigmanly.exe
2520	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623_Sigmanly.exe
2520	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623_Sigmanly.exe
2520	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623_Sigmanly.exe
2520	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623_Sigmanly.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	2520	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623_Sigmanly.exe
Token: SeDebugPrivilege	1668	smss.exe
Token: SeDebugPrivilege	2556	smss.exe
Token: SeDebugPrivilege	3604	smss.exe
Token: SeDebugPrivilege	4976	smss.exe
Token: SeDebugPrivilege	972	smss.exe
Token: SeDebugPrivilege	2200	smss.exe
Token: SeDebugPrivilege	3640	smss.exe
Token: SeDebugPrivilege	3692	smss.exe
Token: SeDebugPrivilege	3508	smss.exe
Token: SeDebugPrivilege	5052	smss.exe
Token: SeDebugPrivilege	4960	smss.exe
Token: SeDebugPrivilege	3684	smss.exe
Token: SeDebugPrivilege	4848	smss.exe
Token: SeDebugPrivilege	3844	smss.exe
Token: SeDebugPrivilege	1624	smss.exe
Token: SeDebugPrivilege	948	smss.exe
Token: SeDebugPrivilege	4400	smss.exe
Token: SeDebugPrivilege	4364	smss.exe
Token: SeDebugPrivilege	1424	smss.exe
Token: SeDebugPrivilege	4560	smss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 3780	2520	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623_Sigmanly.exe	84
PID 2520 wrote to memory of 3780	2520	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623_Sigmanly.exe	84
PID 3780 wrote to memory of 1084	3780	cmd.exe	86
PID 3780 wrote to memory of 1084	3780	cmd.exe	86
PID 3780 wrote to memory of 556	3780	cmd.exe	87
PID 3780 wrote to memory of 556	3780	cmd.exe	87
PID 3780 wrote to memory of 1668	3780	cmd.exe	92
PID 3780 wrote to memory of 1668	3780	cmd.exe	92
PID 1668 wrote to memory of 532	1668	smss.exe	93
PID 1668 wrote to memory of 532	1668	smss.exe	93
PID 532 wrote to memory of 4768	532	cmd.exe	95
PID 532 wrote to memory of 4768	532	cmd.exe	95
PID 532 wrote to memory of 3696	532	cmd.exe	96
PID 532 wrote to memory of 3696	532	cmd.exe	96
PID 532 wrote to memory of 2556	532	cmd.exe	100
PID 532 wrote to memory of 2556	532	cmd.exe	100
PID 2556 wrote to memory of 1360	2556	smss.exe	101
PID 2556 wrote to memory of 1360	2556	smss.exe	101
PID 1360 wrote to memory of 3124	1360	cmd.exe	103
PID 1360 wrote to memory of 3124	1360	cmd.exe	103
PID 1360 wrote to memory of 456	1360	cmd.exe	104
PID 1360 wrote to memory of 456	1360	cmd.exe	104
PID 1360 wrote to memory of 3604	1360	cmd.exe	105
PID 1360 wrote to memory of 3604	1360	cmd.exe	105
PID 3604 wrote to memory of 4856	3604	smss.exe	106
PID 3604 wrote to memory of 4856	3604	smss.exe	106
PID 4856 wrote to memory of 1912	4856	cmd.exe	108
PID 4856 wrote to memory of 1912	4856	cmd.exe	108
PID 4856 wrote to memory of 2992	4856	cmd.exe	109
PID 4856 wrote to memory of 2992	4856	cmd.exe	109
PID 4856 wrote to memory of 4976	4856	cmd.exe	110
PID 4856 wrote to memory of 4976	4856	cmd.exe	110
PID 4976 wrote to memory of 2700	4976	smss.exe	111
PID 4976 wrote to memory of 2700	4976	smss.exe	111
PID 2700 wrote to memory of 1260	2700	cmd.exe	113
PID 2700 wrote to memory of 1260	2700	cmd.exe	113
PID 2700 wrote to memory of 2100	2700	cmd.exe	114
PID 2700 wrote to memory of 2100	2700	cmd.exe	114
PID 2700 wrote to memory of 972	2700	cmd.exe	117
PID 2700 wrote to memory of 972	2700	cmd.exe	117
PID 972 wrote to memory of 3512	972	smss.exe	118
PID 972 wrote to memory of 3512	972	smss.exe	118
PID 3512 wrote to memory of 2172	3512	cmd.exe	120
PID 3512 wrote to memory of 2172	3512	cmd.exe	120
PID 3512 wrote to memory of 1572	3512	cmd.exe	121
PID 3512 wrote to memory of 1572	3512	cmd.exe	121
PID 3512 wrote to memory of 2200	3512	cmd.exe	122
PID 3512 wrote to memory of 2200	3512	cmd.exe	122
PID 2200 wrote to memory of 3472	2200	smss.exe	123
PID 2200 wrote to memory of 3472	2200	smss.exe	123
PID 3472 wrote to memory of 3024	3472	cmd.exe	125
PID 3472 wrote to memory of 3024	3472	cmd.exe	125
PID 3472 wrote to memory of 5000	3472	cmd.exe	126
PID 3472 wrote to memory of 5000	3472	cmd.exe	126
PID 3472 wrote to memory of 3640	3472	cmd.exe	127
PID 3472 wrote to memory of 3640	3472	cmd.exe	127
PID 3640 wrote to memory of 1708	3640	smss.exe	128
PID 3640 wrote to memory of 1708	3640	smss.exe	128
PID 1708 wrote to memory of 1668	1708	cmd.exe	130
PID 1708 wrote to memory of 1668	1708	cmd.exe	130
PID 1708 wrote to memory of 3924	1708	cmd.exe	131
PID 1708 wrote to memory of 3924	1708	cmd.exe	131
PID 1708 wrote to memory of 3692	1708	cmd.exe	132
PID 1708 wrote to memory of 3692	1708	cmd.exe	132

C:\Users\Admin\AppData\Local\Temp\9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623_Sigmanly.exe
"C:\Users\Admin\AppData\Local\Temp\9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623_Sigmanly.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Yw42pgrUyU.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3780
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:1084
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:556
- - C:\Program Files\Internet Explorer\SIGNUP\smss.exe
    "C:\Program Files\Internet Explorer\SIGNUP\smss.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1668
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zvVxKkmDS4.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:532
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:4768
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:3696
    - - C:\Program Files\Internet Explorer\SIGNUP\smss.exe
        
        "C:\Program Files\Internet Explorer\SIGNUP\smss.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2556
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EdToEt2qxP.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1360
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:3124
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:456
        
        C:\Program Files\Internet Explorer\SIGNUP\smss.exe
        
        "C:\Program Files\Internet Explorer\SIGNUP\smss.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3604
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mup9OI6yD3.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4856
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:1912
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2992
        
        C:\Program Files\Internet Explorer\SIGNUP\smss.exe
        
        "C:\Program Files\Internet Explorer\SIGNUP\smss.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4976
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YrEnXzY23X.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2700
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:1260
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2100
        
        C:\Program Files\Internet Explorer\SIGNUP\smss.exe
        
        "C:\Program Files\Internet Explorer\SIGNUP\smss.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:972
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JanKBv1Gj5.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:3512
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:2172
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1572
        
        C:\Program Files\Internet Explorer\SIGNUP\smss.exe
        
        "C:\Program Files\Internet Explorer\SIGNUP\smss.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2200
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ECvQfnJznV.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:3472
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:3024
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5000
        
        C:\Program Files\Internet Explorer\SIGNUP\smss.exe
        
        "C:\Program Files\Internet Explorer\SIGNUP\smss.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3640
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\M4O85ItfzR.bat"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:1668
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:3924
        
        C:\Program Files\Internet Explorer\SIGNUP\smss.exe
        
        "C:\Program Files\Internet Explorer\SIGNUP\smss.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3692
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lf01uW6718.bat"
        18⤵
        
        PID:812
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:1716
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:3532
        
        C:\Program Files\Internet Explorer\SIGNUP\smss.exe
        
        "C:\Program Files\Internet Explorer\SIGNUP\smss.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3508
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XcOf3EZBsc.bat"
        20⤵
        
        PID:2724
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:3076
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1352
        
        C:\Program Files\Internet Explorer\SIGNUP\smss.exe
        
        "C:\Program Files\Internet Explorer\SIGNUP\smss.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5052
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BVR2CWKREk.bat"
        22⤵
        
        PID:4796
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:3920
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2268
        
        C:\Program Files\Internet Explorer\SIGNUP\smss.exe
        
        "C:\Program Files\Internet Explorer\SIGNUP\smss.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4960
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Z63w1kYtFS.bat"
        24⤵
        
        PID:2732
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:3148
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:4844
        
        C:\Program Files\Internet Explorer\SIGNUP\smss.exe
        
        "C:\Program Files\Internet Explorer\SIGNUP\smss.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3684
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iPELUvEZwh.bat"
        26⤵
        
        PID:2140
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:4164
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:2172
        
        C:\Program Files\Internet Explorer\SIGNUP\smss.exe
        
        "C:\Program Files\Internet Explorer\SIGNUP\smss.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4848
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kQAtPl7GpD.bat"
        28⤵
        
        PID:748
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:2704
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        29⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3412
        
        C:\Program Files\Internet Explorer\SIGNUP\smss.exe
        
        "C:\Program Files\Internet Explorer\SIGNUP\smss.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3844
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lf01uW6718.bat"
        30⤵
        
        PID:3428
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        31⤵
        
        PID:4820
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        31⤵
        
        PID:1632
        
        C:\Program Files\Internet Explorer\SIGNUP\smss.exe
        
        "C:\Program Files\Internet Explorer\SIGNUP\smss.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1624
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\n8fHs36pOy.bat"
        32⤵
        
        PID:3064
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        33⤵
        
        PID:1296
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        33⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3696
        
        C:\Program Files\Internet Explorer\SIGNUP\smss.exe
        
        "C:\Program Files\Internet Explorer\SIGNUP\smss.exe"
        33⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:948
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fhkx1dF1Mw.bat"
        34⤵
        
        PID:3592
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        35⤵
        
        PID:440
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        35⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:880
        
        C:\Program Files\Internet Explorer\SIGNUP\smss.exe
        
        "C:\Program Files\Internet Explorer\SIGNUP\smss.exe"
        35⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4400
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TFXmW6rvw2.bat"
        36⤵
        
        PID:4700
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        37⤵
        
        PID:1076
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        37⤵
        
        PID:904
        
        C:\Program Files\Internet Explorer\SIGNUP\smss.exe
        
        "C:\Program Files\Internet Explorer\SIGNUP\smss.exe"
        37⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4364
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iPELUvEZwh.bat"
        38⤵
        
        PID:3100
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        39⤵
        
        PID:736
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        39⤵
        
        PID:2696
        
        C:\Program Files\Internet Explorer\SIGNUP\smss.exe
        
        "C:\Program Files\Internet Explorer\SIGNUP\smss.exe"
        39⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1424
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\81mmE0Ljqu.bat"
        40⤵
        
        PID:2676
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        41⤵
        
        PID:5080
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        41⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1092
        
        C:\Program Files\Internet Explorer\SIGNUP\smss.exe
        
        "C:\Program Files\Internet Explorer\SIGNUP\smss.exe"
        41⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4560
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WOZXYTZLgh.bat"
        42⤵
        
        PID:2440
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        43⤵
        
        PID:332
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        43⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\dllhost.exe

Filesize
483KB

MD5
80f82098b4ff87c7980403091b1b17bd

SHA1
e148a4bf5d34eddec309012bfb68e459d9129e5b

SHA256
9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623

SHA512
f44b97af2199f5573eef474e78bc6acbac560455ef5730c4101588c40531099f3784787df95d885dc5756cb7913a2864b7a0987876aac75acfdb7ab1eeffff1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\smss.exe.log

Filesize
1KB

MD5
0f31e501ab247a1b471e8e69930fda3d

SHA1
cc4a26314aad742126f6df0e92b777a786eade0b

SHA256
f6562e9acf0bb58a78a8ad59d5bc88bdf7a2508b84745605dfc28a19f60e4742

SHA512
65c14701fa94622aca52146b0f2d501ac2acdd4acd2a4c666903a800f26310832404a66478f861dd9b10a0a74d99e2b683fb73aef5d153b7ac26aabb96cfea24

Download Submit
C:\Users\Admin\AppData\Local\Temp\81mmE0Ljqu.bat

Filesize
178B

MD5
c4b898226603160022640473bcde40cd

SHA1
64aa74902ee4fad76a441ed123d9e73812f73de7

SHA256
5e6b82f73856ea46adcf6035a80a94b0e52dacd13dc20c2ac6f7fc1e19b91e88

SHA512
83079cff996cbaa1309bd1995de6842fdab4234602d2895a468f63e338c9118812391e58c88b691bdca8cc5ded8ce38459896357658fe0d703a04d47b28b4178

Download Submit
C:\Users\Admin\AppData\Local\Temp\BVR2CWKREk.bat

Filesize
226B

MD5
52cf694bb3a007ba31c10d4058e3da22

SHA1
820f2fd410a87cf5c1e853fde24b06aa97f10aeb

SHA256
78e1a6d60d2a0b87cd3b1a6276cba6268a78990cdd0e12c04c7b0a0ae68669ff

SHA512
9b47407714ba002d493f0a031941d02b748974e844d4f10ae4d2e9cd36649905bb20e1ca9ce4088ff321c45b4bfb5c0426376d84e2a82fb6456a055cac3f16aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\ECvQfnJznV.bat

Filesize
178B

MD5
cdf054243b2b36ce88a41b43cc177489

SHA1
e1e46ee4f5eafeb2d6dc62f36bd80c62952205b8

SHA256
7264ff4a948ed44c45efabcf93d3f2a6d4271440d08d2aee82391149c7a17f30

SHA512
16c5a67b31129639ab84939dfa5c6fcc82ce713402f85090897c1ecf7f00e61eb64cc1ec78575b3c755bc8e336de53cb34400f24c1959bf6880797c991d6dc01

Download Submit
C:\Users\Admin\AppData\Local\Temp\EdToEt2qxP.bat

Filesize
226B

MD5
ddc47a4d5d57e8d643df0a45f16f9af1

SHA1
ac9117d9c8158d4a14db49f2e97e8011716576a9

SHA256
6e6e11084994690f9e20fbe15cb518c0538505f46f8baa2d4d64652e872c7d9e

SHA512
d6e22491114705e02834f2ab788148aec253c4f5a32ab8ba4cca8b5362889e3441c441f3259911f0afdf1d9bbb81d94882668df9195d797d10cf1d173cba8920

Download Submit
C:\Users\Admin\AppData\Local\Temp\JanKBv1Gj5.bat

Filesize
226B

MD5
477dd64bb433cec4ffefef64a7f31ef1

SHA1
06c52d2a75fe14ebb9d75966e04f46b911027bad

SHA256
99a2c0c0d3f6ad8b45766c98706b13695603b73986e562a187ac9386968a4f66

SHA512
3a1f0ae7a64d7ce0f2ca691231ae15c0053441ae89594711db8930ab84d840d0fecb0fea66d2074f4de3277bc78608cfb30cf4dcf08d5ed10df535965154b744

Download Submit
C:\Users\Admin\AppData\Local\Temp\M4O85ItfzR.bat

Filesize
226B

MD5
65d2d395f6ba287c0f9d1becf06f38ce

SHA1
790c45108b56a4d505c8bb9bbaf47b3c07390a29

SHA256
be18eec456f8371c2a65257455ed60f4bba1d7b839d658944915930bf23868c3

SHA512
c29b3b549d28267000fd76d7d780040adf3105e4b279154fbe4393e7dfc37d065f1d20302d79064fedb7212e8ec39029392ffd4b9494c5f6d6f7e0817ecc7628

Download Submit
C:\Users\Admin\AppData\Local\Temp\TFXmW6rvw2.bat

Filesize
226B

MD5
5ed2692af4a06ad023ff60e142ce0fe8

SHA1
2def2efbd33f51182e7b6c67fa6ccb86c6ae1b29

SHA256
6becb5ce2a92db028a1672689586769c071484a3a4e8f49815dab90741ac48f0

SHA512
c99e91822b71913b5b4f3dc9231a205b4e6b09a4b385cd721eb3e6383f483b473d51d6a690ff8cd73dbc98ee040c3c41f989f9387ed608ff2415635ade952e27

Download Submit
C:\Users\Admin\AppData\Local\Temp\WOZXYTZLgh.bat

Filesize
178B

MD5
d897dae631654d610da824bb7aa00abf

SHA1
72bbdb72dc7a1cea1d069e4130d7db7997c54d20

SHA256
d6c059042bb5cccd887147e4c19f9b03b15550e04ddb14f5e74783d05feb2e53

SHA512
f8bd51460116f62d9be3fabe0a26cfdcf8203bf5cb18086c40fe6088a43077b45d8fd0afdc0f39417e685eb9bf1ec3e9f99b70852212208d8f6434e17b9562bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\XcOf3EZBsc.bat

Filesize
178B

MD5
7f49b87e6907c5ba85a824f82ac137be

SHA1
dbe5e4f2ab96a7b797ffe1ed2949476da18dc08d

SHA256
7389c99d78bef511c76342aefc9a758a13324fdbd65d6b287e4651eb2003ba16

SHA512
12df350078d6be020ea3e7a47ea4579ca84e8c7152493c65827d47394239e306a398de1193b355cd38fe020131ce743e5afc67ec1104871168ea38fe3a4f9585

Download Submit
C:\Users\Admin\AppData\Local\Temp\YrEnXzY23X.bat

Filesize
178B

MD5
78c3b0561c3c3c9759bd2e1c283da0ee

SHA1
4c8789c3cdcc1c611ebab8a37cb9f9eeccd1c9b7

SHA256
6bc5ae1a9dec937a00c53cca7ff0cbebc636e8dd22cf0beee715fee7430da3f0

SHA512
6b616e06a66be66f50759acc7f6eebf0dde118d2fe1c5bb477c20ea51182a477eba9a1b01cc1639d9e06f42e5199fa7c390b431d6080773dfa469459c4b0ebbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Yw42pgrUyU.bat

Filesize
178B

MD5
931541f8121d1980ace5cc03e7296726

SHA1
73cd8cfda63f1321f2fa220df286ff76661e33ca

SHA256
6798ca59071f1d0b31637f26d5d5d9e4f18a00baab5367678853c60dc92725e1

SHA512
817ff8641a5448ab998231488968e1cbd4b63c124a02210356db7206037c726daaf6ad614088a4260d067e9fb646d9d0c31e0754df3f7223cf6dd9336c0204ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\Z63w1kYtFS.bat

Filesize
226B

MD5
9a5f21f97d8728e348822c784dd48b6f

SHA1
4ffc4c6f6d7b30bd8924d5cf1ee8d2a593cd203d

SHA256
cf5a87280f0183cdfd2ed6d35310c83a156509fb6d742eb6fb917e7f0c105f46

SHA512
018c2cb9a1f1732350556c4332919e1f5775d53b508c7a81cd3cc709dec01a15c59bbd654ee8606e5731f568664768daa5d767514ec72143ccc1d58c06899039

Download Submit
C:\Users\Admin\AppData\Local\Temp\fhkx1dF1Mw.bat

Filesize
178B

MD5
3c9c848d699b62d1b661429dda1881f4

SHA1
76371bfe04f0db95c3c6000efc1d6818fb58c7c6

SHA256
02ad71c369ee5dbc4c8cb35ff31668995b835a5edcd50bf79e63c69b1327998f

SHA512
089b1067a90cd0d5ab750772fff2277968aaec3ad2a1d4f0aefbc0ad385e1badb02937ae744051ecfd068c14a6fd35cf7d5ec9eb28d16b584e9b3e70361e5302

Download Submit
C:\Users\Admin\AppData\Local\Temp\iPELUvEZwh.bat

Filesize
226B

MD5
fb711af4886ba5d40a852d815c15883d

SHA1
e1f3b8d45ce386b8d4256e80360ad9e5c72db56f

SHA256
9a9ea72dbee407a21b6ccf42d74fd0da6e1dc8f2104118d47b1bd3a3b8f572a2

SHA512
ed4e7721929d3f2d25ec8de93e442b26d585f52febabb90e828fc349940ec88bf87c949c44ec6f517cc7bfd2dcd3620e28efd3229b3593e521f094fa920dbd61

Download Submit
C:\Users\Admin\AppData\Local\Temp\kQAtPl7GpD.bat

Filesize
178B

MD5
7570fbf0dc9ab0ef4d2de912975f5730

SHA1
6655a49bf794ac7e466a6acfb2018206eea15708

SHA256
6724391cdecf621721d83c68dd8157951f353ba964c86986243114543ad68ce9

SHA512
253deb95ccbb1949552f0ae63ddfdb425d9aa28ab0298170c466f84c29019702235a73045ec9561d3bf0139055690588ff2a7477f772044050f14bf4567fa914

Download Submit
C:\Users\Admin\AppData\Local\Temp\lf01uW6718.bat

Filesize
226B

MD5
571ac2e252fc08fdf2b51da297e6bc08

SHA1
b0f1cfa49fbb46a87e5e868bb4cd4ce8238d3e0e

SHA256
0253946012d67b50a3459680559d9a2524eb99672012c460d30f6d074b056c08

SHA512
6fedbb4cce6b069c7e7b3dbe410bd8ed5649d4b910ac13a72a986e8902198f9a8b0656f10faa59c9572c68186598189790bdfd2ca1363d05289b2bfbb2429f60

Download Submit
C:\Users\Admin\AppData\Local\Temp\mup9OI6yD3.bat

Filesize
226B

MD5
caeab2492b0f27feb52fa457562c0660

SHA1
7323dabcb5a6631a2f48605a85f3eeb92cd7f13f

SHA256
dd84f5259ce29a98bfcc77a2818f011c949baf41e3b19ada8bf74f54bff4ec61

SHA512
83d34ea41c193bac364f4b3e7a901a2bc934642cfb5251a62cfec5243c4c791af67b0a97bb9ab419836a3d250ca268b1863be1557a467bfb65c0b80622ab7086

Download Submit
C:\Users\Admin\AppData\Local\Temp\n8fHs36pOy.bat

Filesize
178B

MD5
7f7cfd74154c8faa4e692f515502f330

SHA1
7d7f34ebfd19121fd6002bfb376caf7828a68fae

SHA256
c6b9b1ee00e6c19fcdd9009a3ad44cd5c5a382ccecb8d416c8c96ddc32a26f97

SHA512
b63c410c9333a1164d754fac0a2b41e63181cea20cb3317f5d87d8b6ed93a43c87f7ca940490d86110e25525443e27df6e0904b42ea5a67bed73f6766edee499

Download Submit
C:\Users\Admin\AppData\Local\Temp\zvVxKkmDS4.bat

Filesize
226B

MD5
7875759d63eb90900596398b5de5d8f4

SHA1
4c15975413bcbbe3cb4c394fdb8efb7c3e985418

SHA256
d3b5269ae7b2fdfaa1273ec3be99918b40c69585bda56290f3d8c04c6a85f134

SHA512
f90a7700f1a5fee5148a7f6b1e5a1696c968128ebe746868a73c9a7d30db472ab20c971397be90ee4235a01902b2452a96dbb7c611085d2c6069c4338fe9a5bf

Download Submit
memory/2520-0-0x00007FFBB9E73000-0x00007FFBB9E75000-memory.dmp

Filesize
8KB

Download
memory/2520-19-0x00007FFBB9E70000-0x00007FFBBA931000-memory.dmp

Filesize
10.8MB

Download
memory/2520-12-0x00007FFBB9E70000-0x00007FFBBA931000-memory.dmp

Filesize
10.8MB

Download
memory/2520-1-0x0000000000D30000-0x0000000000DB0000-memory.dmp

Filesize
512KB

Download