dcrat | b56efb3ca8906a817613e7e0899cffa1f5d23d39164153dc2567cf10a0314fb4

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13/01/2025, 12:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CrackLauncher.exe
Size

6.5MB
MD5

dd045e7803ef620069b0e90d9128375f
SHA1

983de7fc238cac0de7b2d74b86617501dbbfc9c6
SHA256

b56efb3ca8906a817613e7e0899cffa1f5d23d39164153dc2567cf10a0314fb4
SHA512

3ef80acad4b09dbb84835520f249c3970f0574156e77155f496dddb46927d407773315f34c4c38277e34825ac6401159b5df06776140b20fb9f820f0a4859886
SSDEEP

196608:nuaAxSTZLvD6/x1R92cJUMo7xS6eUEMW42:nRAh5n9/GMolS6eyWZ

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1560	2900	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	264	2900	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	2900	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	2900	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	2900	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	2900	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3064	2900	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	2900	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	2900	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1104	2900	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	2900	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	804	2900	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1316	2900	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	2900	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	716	2900	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	556	2900	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	784	2900	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	348	2900	schtasks.exe	39

DCRat payload 14 IoCs

rat

resource	yara_rule
behavioral1/files/0x000700000001867d-42.dat	family_dcrat_v2
behavioral1/memory/2620-47-0x0000000000400000-0x00000000004FD000-memory.dmp	family_dcrat_v2
behavioral1/memory/1788-62-0x00000000000F0000-0x00000000001B6000-memory.dmp	family_dcrat_v2
behavioral1/memory/2436-88-0x0000000001300000-0x00000000013C6000-memory.dmp	family_dcrat_v2
behavioral1/memory/2560-109-0x0000000000110000-0x00000000001D6000-memory.dmp	family_dcrat_v2
behavioral1/memory/2052-120-0x00000000012E0000-0x00000000013A6000-memory.dmp	family_dcrat_v2
behavioral1/memory/1640-131-0x00000000002A0000-0x0000000000366000-memory.dmp	family_dcrat_v2
behavioral1/memory/1292-142-0x0000000000360000-0x0000000000426000-memory.dmp	family_dcrat_v2
behavioral1/memory/2040-153-0x0000000001190000-0x0000000001256000-memory.dmp	family_dcrat_v2
behavioral1/memory/2248-214-0x00000000001D0000-0x0000000000296000-memory.dmp	family_dcrat_v2
behavioral1/memory/3064-225-0x0000000000DE0000-0x0000000000EA6000-memory.dmp	family_dcrat_v2
behavioral1/memory/2172-236-0x0000000000290000-0x0000000000356000-memory.dmp	family_dcrat_v2
behavioral1/memory/1960-247-0x0000000000E70000-0x0000000000F36000-memory.dmp	family_dcrat_v2
behavioral1/memory/1784-258-0x0000000001060000-0x0000000001126000-memory.dmp	family_dcrat_v2

Executes dropped EXE 21 IoCs

pid	Process
2784	svchost.exe
2568	explorer.exe
2648	yAMgrsRV0v.exe
1788	M9OpOHJOcY.exe
2436	M9OpOHJOcY.exe
1776	M9OpOHJOcY.exe
2560	M9OpOHJOcY.exe
2052	M9OpOHJOcY.exe
1640	M9OpOHJOcY.exe
1292	M9OpOHJOcY.exe
2040	M9OpOHJOcY.exe
2244	M9OpOHJOcY.exe
2068	M9OpOHJOcY.exe
1532	M9OpOHJOcY.exe
2612	M9OpOHJOcY.exe
1420	M9OpOHJOcY.exe
2248	M9OpOHJOcY.exe
3064	M9OpOHJOcY.exe
2172	M9OpOHJOcY.exe
1960	M9OpOHJOcY.exe
1784	M9OpOHJOcY.exe

Loads dropped DLL 5 IoCs

pid	Process
2708	CrackLauncher.exe
2652	Process not Found
2708	CrackLauncher.exe
2620	RegAsm.exe
2620	RegAsm.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2784	svchost.exe
2784	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2568 set thread context of 2620	2568	explorer.exe	35

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\Stationery\1033\dwm.exe	M9OpOHJOcY.exe
File created	C:\Program Files (x86)\Microsoft Office\Stationery\1033\6cb0b6c459d5d3	M9OpOHJOcY.exe
File created	C:\Program Files\Windows Defender\ja-JP\csrss.exe	M9OpOHJOcY.exe
File created	C:\Program Files\Windows Defender\ja-JP\886983d96e3d3e	M9OpOHJOcY.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CrackLauncher.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1904	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1904	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
264	schtasks.exe
1864	schtasks.exe
2240	schtasks.exe
1316	schtasks.exe
348	schtasks.exe
2380	schtasks.exe
804	schtasks.exe
716	schtasks.exe
784	schtasks.exe
1560	schtasks.exe
1684	schtasks.exe
2188	schtasks.exe
1104	schtasks.exe
556	schtasks.exe
3064	schtasks.exe
1752	schtasks.exe
2356	schtasks.exe
2312	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2784	svchost.exe
1788	M9OpOHJOcY.exe
1788	M9OpOHJOcY.exe
1788	M9OpOHJOcY.exe
1788	M9OpOHJOcY.exe
1788	M9OpOHJOcY.exe
1788	M9OpOHJOcY.exe
1788	M9OpOHJOcY.exe
1788	M9OpOHJOcY.exe
1788	M9OpOHJOcY.exe
1788	M9OpOHJOcY.exe
1788	M9OpOHJOcY.exe
1788	M9OpOHJOcY.exe
1788	M9OpOHJOcY.exe
1788	M9OpOHJOcY.exe
1788	M9OpOHJOcY.exe
1788	M9OpOHJOcY.exe
1788	M9OpOHJOcY.exe
1788	M9OpOHJOcY.exe
1788	M9OpOHJOcY.exe
1788	M9OpOHJOcY.exe
1788	M9OpOHJOcY.exe
1788	M9OpOHJOcY.exe
1788	M9OpOHJOcY.exe
1788	M9OpOHJOcY.exe
1788	M9OpOHJOcY.exe
1788	M9OpOHJOcY.exe
1788	M9OpOHJOcY.exe
1788	M9OpOHJOcY.exe
1788	M9OpOHJOcY.exe
1788	M9OpOHJOcY.exe
1788	M9OpOHJOcY.exe
1788	M9OpOHJOcY.exe
1788	M9OpOHJOcY.exe
1788	M9OpOHJOcY.exe
1788	M9OpOHJOcY.exe
1788	M9OpOHJOcY.exe
1788	M9OpOHJOcY.exe
1788	M9OpOHJOcY.exe
1788	M9OpOHJOcY.exe
1788	M9OpOHJOcY.exe
1788	M9OpOHJOcY.exe
1788	M9OpOHJOcY.exe
1788	M9OpOHJOcY.exe
1788	M9OpOHJOcY.exe
1788	M9OpOHJOcY.exe
1788	M9OpOHJOcY.exe
1788	M9OpOHJOcY.exe
1788	M9OpOHJOcY.exe
1788	M9OpOHJOcY.exe
1788	M9OpOHJOcY.exe
1788	M9OpOHJOcY.exe
1788	M9OpOHJOcY.exe
1788	M9OpOHJOcY.exe
1788	M9OpOHJOcY.exe
1788	M9OpOHJOcY.exe
1788	M9OpOHJOcY.exe
1788	M9OpOHJOcY.exe
2436	M9OpOHJOcY.exe
2436	M9OpOHJOcY.exe
2436	M9OpOHJOcY.exe
2436	M9OpOHJOcY.exe
2436	M9OpOHJOcY.exe
2436	M9OpOHJOcY.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	1788	M9OpOHJOcY.exe
Token: SeDebugPrivilege	2436	M9OpOHJOcY.exe
Token: SeDebugPrivilege	1776	M9OpOHJOcY.exe
Token: SeDebugPrivilege	2560	M9OpOHJOcY.exe
Token: SeDebugPrivilege	2052	M9OpOHJOcY.exe
Token: SeDebugPrivilege	1640	M9OpOHJOcY.exe
Token: SeDebugPrivilege	1292	M9OpOHJOcY.exe
Token: SeDebugPrivilege	2040	M9OpOHJOcY.exe
Token: SeDebugPrivilege	2244	M9OpOHJOcY.exe
Token: SeDebugPrivilege	2068	M9OpOHJOcY.exe
Token: SeDebugPrivilege	1532	M9OpOHJOcY.exe
Token: SeDebugPrivilege	2612	M9OpOHJOcY.exe
Token: SeDebugPrivilege	1420	M9OpOHJOcY.exe
Token: SeDebugPrivilege	2248	M9OpOHJOcY.exe
Token: SeDebugPrivilege	3064	M9OpOHJOcY.exe
Token: SeDebugPrivilege	2172	M9OpOHJOcY.exe
Token: SeDebugPrivilege	1960	M9OpOHJOcY.exe
Token: SeDebugPrivilege	1784	M9OpOHJOcY.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2708 wrote to memory of 2784	2708	CrackLauncher.exe	30
PID 2708 wrote to memory of 2784	2708	CrackLauncher.exe	30
PID 2708 wrote to memory of 2784	2708	CrackLauncher.exe	30
PID 2708 wrote to memory of 2784	2708	CrackLauncher.exe	30
PID 2708 wrote to memory of 2568	2708	CrackLauncher.exe	32
PID 2708 wrote to memory of 2568	2708	CrackLauncher.exe	32
PID 2708 wrote to memory of 2568	2708	CrackLauncher.exe	32
PID 2708 wrote to memory of 2568	2708	CrackLauncher.exe	32
PID 2708 wrote to memory of 2568	2708	CrackLauncher.exe	32
PID 2708 wrote to memory of 2568	2708	CrackLauncher.exe	32
PID 2708 wrote to memory of 2568	2708	CrackLauncher.exe	32
PID 2568 wrote to memory of 2596	2568	explorer.exe	34
PID 2568 wrote to memory of 2596	2568	explorer.exe	34
PID 2568 wrote to memory of 2596	2568	explorer.exe	34
PID 2568 wrote to memory of 2596	2568	explorer.exe	34
PID 2568 wrote to memory of 2596	2568	explorer.exe	34
PID 2568 wrote to memory of 2596	2568	explorer.exe	34
PID 2568 wrote to memory of 2596	2568	explorer.exe	34
PID 2568 wrote to memory of 2620	2568	explorer.exe	35
PID 2568 wrote to memory of 2620	2568	explorer.exe	35
PID 2568 wrote to memory of 2620	2568	explorer.exe	35
PID 2568 wrote to memory of 2620	2568	explorer.exe	35
PID 2568 wrote to memory of 2620	2568	explorer.exe	35
PID 2568 wrote to memory of 2620	2568	explorer.exe	35
PID 2568 wrote to memory of 2620	2568	explorer.exe	35
PID 2568 wrote to memory of 2620	2568	explorer.exe	35
PID 2568 wrote to memory of 2620	2568	explorer.exe	35
PID 2568 wrote to memory of 2620	2568	explorer.exe	35
PID 2568 wrote to memory of 2620	2568	explorer.exe	35
PID 2568 wrote to memory of 2620	2568	explorer.exe	35
PID 2568 wrote to memory of 2620	2568	explorer.exe	35
PID 2568 wrote to memory of 2620	2568	explorer.exe	35
PID 2620 wrote to memory of 1788	2620	RegAsm.exe	37
PID 2620 wrote to memory of 1788	2620	RegAsm.exe	37
PID 2620 wrote to memory of 1788	2620	RegAsm.exe	37
PID 2620 wrote to memory of 1788	2620	RegAsm.exe	37
PID 2784 wrote to memory of 1464	2784	svchost.exe	38
PID 2784 wrote to memory of 1464	2784	svchost.exe	38
PID 2784 wrote to memory of 1464	2784	svchost.exe	38
PID 1788 wrote to memory of 1032	1788	M9OpOHJOcY.exe	58
PID 1788 wrote to memory of 1032	1788	M9OpOHJOcY.exe	58
PID 1788 wrote to memory of 1032	1788	M9OpOHJOcY.exe	58
PID 1032 wrote to memory of 3048	1032	cmd.exe	60
PID 1032 wrote to memory of 3048	1032	cmd.exe	60
PID 1032 wrote to memory of 3048	1032	cmd.exe	60
PID 1032 wrote to memory of 1784	1032	cmd.exe	61
PID 1032 wrote to memory of 1784	1032	cmd.exe	61
PID 1032 wrote to memory of 1784	1032	cmd.exe	61
PID 1032 wrote to memory of 2436	1032	cmd.exe	62
PID 1032 wrote to memory of 2436	1032	cmd.exe	62
PID 1032 wrote to memory of 2436	1032	cmd.exe	62
PID 2436 wrote to memory of 2996	2436	M9OpOHJOcY.exe	63
PID 2436 wrote to memory of 2996	2436	M9OpOHJOcY.exe	63
PID 2436 wrote to memory of 2996	2436	M9OpOHJOcY.exe	63
PID 2996 wrote to memory of 2508	2996	cmd.exe	65
PID 2996 wrote to memory of 2508	2996	cmd.exe	65
PID 2996 wrote to memory of 2508	2996	cmd.exe	65
PID 2996 wrote to memory of 1424	2996	cmd.exe	66
PID 2996 wrote to memory of 1424	2996	cmd.exe	66
PID 2996 wrote to memory of 1424	2996	cmd.exe	66
PID 2996 wrote to memory of 1776	2996	cmd.exe	67
PID 2996 wrote to memory of 1776	2996	cmd.exe	67
PID 2996 wrote to memory of 1776	2996	cmd.exe	67
PID 1776 wrote to memory of 3060	1776	M9OpOHJOcY.exe	68

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:1464
- C:\Users\Admin\AppData\Local\Temp\explorer.exe
  "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2568
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:2596
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2620
  - - C:\Users\Admin\AppData\Roaming\yAMgrsRV0v.exe
      "C:\Users\Admin\AppData\Roaming\yAMgrsRV0v.exe"
      4⤵
      Executes dropped EXE
      PID:2648
  - - C:\Users\Admin\AppData\Roaming\M9OpOHJOcY.exe
      "C:\Users\Admin\AppData\Roaming\M9OpOHJOcY.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1788
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4SWemvR2cI.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1032
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:3048
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1784
      - C:\Users\Admin\AppData\Roaming\M9OpOHJOcY.exe
        
        "C:\Users\Admin\AppData\Roaming\M9OpOHJOcY.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2436
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UE63U4pwcK.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2996
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2508
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1424
        
        C:\Users\Admin\AppData\Roaming\M9OpOHJOcY.exe
        
        "C:\Users\Admin\AppData\Roaming\M9OpOHJOcY.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1776
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dmjHjjptz9.bat"
        9⤵
        
        PID:3060
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:2796
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1904
        
        C:\Users\Admin\AppData\Roaming\M9OpOHJOcY.exe
        
        "C:\Users\Admin\AppData\Roaming\M9OpOHJOcY.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2560
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8JExSyzmRo.bat"
        11⤵
        
        PID:2764
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:824
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2388
        
        C:\Users\Admin\AppData\Roaming\M9OpOHJOcY.exe
        
        "C:\Users\Admin\AppData\Roaming\M9OpOHJOcY.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2052
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\h2sGrcN1Zw.bat"
        13⤵
        
        PID:2476
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:1992
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1580
        
        C:\Users\Admin\AppData\Roaming\M9OpOHJOcY.exe
        
        "C:\Users\Admin\AppData\Roaming\M9OpOHJOcY.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1640
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YkVt9kOuik.bat"
        15⤵
        
        PID:596
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:328
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1864
        
        C:\Users\Admin\AppData\Roaming\M9OpOHJOcY.exe
        
        "C:\Users\Admin\AppData\Roaming\M9OpOHJOcY.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1292
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bgR6NVhjy4.bat"
        17⤵
        
        PID:1708
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:1232
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2336
        
        C:\Users\Admin\AppData\Roaming\M9OpOHJOcY.exe
        
        "C:\Users\Admin\AppData\Roaming\M9OpOHJOcY.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2040
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qWxuQCq4fF.bat"
        19⤵
        
        PID:2128
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:2516
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Roaming\M9OpOHJOcY.exe
        
        "C:\Users\Admin\AppData\Roaming\M9OpOHJOcY.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2244
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AC4J3hngkK.bat"
        21⤵
        
        PID:1012
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:1872
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2084
        
        C:\Users\Admin\AppData\Roaming\M9OpOHJOcY.exe
        
        "C:\Users\Admin\AppData\Roaming\M9OpOHJOcY.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2068
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eJ0bRSTnly.bat"
        23⤵
        
        PID:2452
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:3020
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:660
        
        C:\Users\Admin\AppData\Roaming\M9OpOHJOcY.exe
        
        "C:\Users\Admin\AppData\Roaming\M9OpOHJOcY.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1532
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3NuRVv1Ng8.bat"
        25⤵
        
        PID:2720
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:2552
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:2668
        
        C:\Users\Admin\AppData\Roaming\M9OpOHJOcY.exe
        
        "C:\Users\Admin\AppData\Roaming\M9OpOHJOcY.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2612
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4kHW8Esv2t.bat"
        27⤵
        
        PID:2892
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:3068
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:1924
        
        C:\Users\Admin\AppData\Roaming\M9OpOHJOcY.exe
        
        "C:\Users\Admin\AppData\Roaming\M9OpOHJOcY.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1420
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aehWhM7TGU.bat"
        29⤵
        
        PID:2476
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:2160
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        30⤵
        
        PID:1456
        
        C:\Users\Admin\AppData\Roaming\M9OpOHJOcY.exe
        
        "C:\Users\Admin\AppData\Roaming\M9OpOHJOcY.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2248
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Xj8aQTjKDO.bat"
        31⤵
        
        PID:1560
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:2216
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        32⤵
        
        PID:1956
        
        C:\Users\Admin\AppData\Roaming\M9OpOHJOcY.exe
        
        "C:\Users\Admin\AppData\Roaming\M9OpOHJOcY.exe"
        32⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3064
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HaE3Dx3E3n.bat"
        33⤵
        
        PID:2356
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        34⤵
        
        PID:1224
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        34⤵
        
        PID:772
        
        C:\Users\Admin\AppData\Roaming\M9OpOHJOcY.exe
        
        "C:\Users\Admin\AppData\Roaming\M9OpOHJOcY.exe"
        34⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2172
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\b2RsHXtgrT.bat"
        35⤵
        
        PID:2692
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        36⤵
        
        PID:2696
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        36⤵
        
        PID:1492
        
        C:\Users\Admin\AppData\Roaming\M9OpOHJOcY.exe
        
        "C:\Users\Admin\AppData\Roaming\M9OpOHJOcY.exe"
        36⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1960
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\X8rw0eVXoN.bat"
        37⤵
        
        PID:316
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        38⤵
        
        PID:848
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        38⤵
        
        PID:2616
        
        C:\Users\Admin\AppData\Roaming\M9OpOHJOcY.exe
        
        "C:\Users\Admin\AppData\Roaming\M9OpOHJOcY.exe"
        38⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\ja-JP\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\ja-JP\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Defender\ja-JP\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Office\Stationery\1033\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Stationery\1033\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Office\Stationery\1033\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "M9OpOHJOcYM" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\AppData\Roaming\M9OpOHJOcY.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "M9OpOHJOcY" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\M9OpOHJOcY.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "M9OpOHJOcYM" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Roaming\M9OpOHJOcY.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3NuRVv1Ng8.bat

Filesize
221B

MD5
5f2660226b2debcb7b3cf60cb24e1f28

SHA1
fe41cc1ebb9b787a092983d3973b938b63333e02

SHA256
e04f13011e908e0fd54f33768b6dd71f6d978db20b34e355fd6282065d2e05dc

SHA512
66cec8220dd36545d17795ec7861685db03a1bbb76546bd87b77dbcf16ea23d00a5561626a2b305726d006dc059ba34d31f753e8991741e3c974896198b52949

Download Submit
C:\Users\Admin\AppData\Local\Temp\4SWemvR2cI.bat

Filesize
221B

MD5
440bfd5ca0b780366a9bc2ef5cdfd716

SHA1
0c06cacab5de3fec139f44890fbf57def551ada5

SHA256
8cfc1735f45f022273d0f063b2a38cf7a27c4996711078f31bb84c70f8fd6980

SHA512
d8b34feb98c4d48255014f5856fdb3a903f0d64ee73022c98aa69074e0fcf0054cb0f9d9b023c012a8491563680bc6f2e81ee1edf6f065cb85a77d481d959c68

Download Submit
C:\Users\Admin\AppData\Local\Temp\4kHW8Esv2t.bat

Filesize
221B

MD5
f1f10c4b1122261d38d5e66414a117c0

SHA1
28c0a1780be59547f11cd5de6d54b8f5b6743a31

SHA256
a3cd13950a498eb6380b23bdd714e250cad4fa1bcf4786dbed92dd4d06ae4f3c

SHA512
1e4acf9bf7e8149bf5bcee2299fa0cb96acfe508ef89b17812590ff0455f149ad581163a632dd3f90cb58bd4d0a6eede71312b805b2f0d8c1e03dbb88f8cca89

Download Submit
C:\Users\Admin\AppData\Local\Temp\8JExSyzmRo.bat

Filesize
221B

MD5
8c147ce6d1360012cf77114300c710ce

SHA1
b139ac6a3f0f2b8449f7887a10ac3037ecfabd5d

SHA256
85cc4684a6467d2309f6193f929e6a2efad01dccff6858cbcbaff4c2b19f425e

SHA512
2fb455f2086fd6a7307ba88268fb27b1a90c8233c6b755248c99973770df53f2d920a4f82f32a6e3dfb72672cae4869794c5da2fdf0c2dba484b6af769cd3e9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\AC4J3hngkK.bat

Filesize
221B

MD5
419ec075f639317390f3ffa35e4d21b0

SHA1
8f8e9ba7e7b60b81b9eb136c162251aa55339ba2

SHA256
854a6e9bb9fca3c28f60d4fb10c85c93651d2c0dd512eb9967dd8acb544bd676

SHA512
14bad89934e9a0094e8fc04c723099c3e224febf5faaf428b1ae042069481273e6c410ba01d205a24e5a2d577056ab4a465aafa140ede8c96b6f5451d628dbdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\HaE3Dx3E3n.bat

Filesize
221B

MD5
c8519d6c716997679d8193a593bc294c

SHA1
10f91ca97b4d279e058288df3df344ec68f9002c

SHA256
d3440a71b266f7154e3fee2abab65e535e73c39b1a4a601e409ff1ffbb93d2ea

SHA512
0e8fd17ade4bf056404cbb984ea3c80df3d9745efaeae9f9a765230572fda564750f452e780c7ff39b7fe9aedda4799bed12605f88b27a9ebe8de8eba1669125

Download Submit
C:\Users\Admin\AppData\Local\Temp\UE63U4pwcK.bat

Filesize
221B

MD5
eac3ba668ba3df3efa302e98c7409165

SHA1
87701a72ef79b6f824badf6dfe249ca4d7f93c60

SHA256
8b729777a6d3b06a5b5d2cb496ce01f6083f20ff565b704a88b6a5c120071109

SHA512
552b76f757dde4328ae9934c8f65f53ee97d0bc13b7ccccf9d76d5069e0503ef5e3b813c3fddf5012b3daf9a5dd931f70b785ad26d9e5cf3521deab3caa847e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\X8rw0eVXoN.bat

Filesize
221B

MD5
ddee561308d37c0d6aa703bb20ee2514

SHA1
d950cf729b9f984eda9067f72aa427248882ac87

SHA256
d03e96b171f8747ad93fb2abb9a0e070fb1c259ca5b48569c782d7c839f6b846

SHA512
26067281eb00668a9138253c85640e49f9e6e4b0a50840fc5ab892ba59dd42ee45bdd2928044dc63a8f18bef60b949cdcf480d6a7f49ddc57f6ff17c2055f350

Download Submit
C:\Users\Admin\AppData\Local\Temp\Xj8aQTjKDO.bat

Filesize
221B

MD5
17d0675c7b52b11bd5eea4651ee47fba

SHA1
fba82ecc160e82682d68794a3dcec617b29a6317

SHA256
fcdbe3cb0d0e7148a889e7ecbd9d60f998fb6e8e1e5a8bf061c6e4e5171414f0

SHA512
bdf22f2541c2aef5a15053541b509b6e65d87e064255a468a3c84cc1dc688c294748a9908ee7a8c80bfca36c99810c8bd1eddddfaa01eb2e3075c9801b5186c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\YkVt9kOuik.bat

Filesize
221B

MD5
36976c3f74d1795fe75b0323e0639702

SHA1
9da2ca378817dd77baa9b07213a6a9d45ce44bc7

SHA256
231a241d6797cec86fb9cb7e191cd702c0c1b3d57958b4caafaf584bd03a7e15

SHA512
e248a3408ebdf3e5531467750e8dcea81ad353e0bbd1c017fda455c1792cd1807bcc4ead33b3587c1c37887387882af842d0d6d8b40d1bf7cc884879cf1c3ea3

Download Submit
C:\Users\Admin\AppData\Local\Temp\aehWhM7TGU.bat

Filesize
221B

MD5
76954a405a931b3884f6ad5271592c33

SHA1
54e178bafbd1beeee41af0628312cec07ec53ef5

SHA256
8154201e26674dcede793209705c627e58b3d3ea76a7e2f231aff42c6542d519

SHA512
1c1e16e1c6b274615378b235d4ccf05035e9be889bf4067d857db9468b5c151988d0d211afe17147e760c4ae28fb43da8b68e5b85074a78ebe7a708391f9f2ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\b2RsHXtgrT.bat

Filesize
221B

MD5
06e9fc41904cf41eb861b3d3ac7f4118

SHA1
58b2592f227116b34337c417651389e7d7b00737

SHA256
1e3607ede488b1e4415845a21f83b52cd6dfe6b577bc05571ff26e1dcfbaa10f

SHA512
72feb501e1b3093b96ed7377ad4aa8db1575a5197f298f6c7be4225310da03afb6a62b5fabe9082b55b2bdd77755ebba457ef1eace9b326361b44afefa2fda8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\bgR6NVhjy4.bat

Filesize
221B

MD5
cc0e8a21eac9746cbfd66f654588e4ad

SHA1
c01b47ade047d22b0bf67e13ead58fb9594afe3a

SHA256
cb655363ec34f377cd6635f270c4aba428e875f1ca7a1c3dca323869f3c8b1ca

SHA512
4d25dbce3907f34f7f6b189d8decaeb047a348b123f6651719fb984438349143c73bb9727667e77dbbdfd2743a75fbd5daf9b7ff7c292585352ca9a1106a7671

Download Submit
C:\Users\Admin\AppData\Local\Temp\dmjHjjptz9.bat

Filesize
173B

MD5
7f095c64ad7e454409aa3a2e9561435b

SHA1
0674ad5ed084021d7de6810be286e18363f9ea99

SHA256
c979f076f14e77f0a146d97e42337047250b95df3c61bf7e98a68426445d425f

SHA512
90729c256d814087662eeaa8e258b42074ebba92087461af6a58d5fc86617e7a96030294bf6ff84d36625db49c09ee03ae547a2e2e368a281a4e7653fe4393c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\eJ0bRSTnly.bat

Filesize
221B

MD5
ed773fbe453d8b9deb687b71051087a1

SHA1
99b7a1aa88de3357c9b085134e375cc6ae33757b

SHA256
e6ff2cd6c418f92eab7cd8c60edf0a87fc6e1a8d69954e6af802b2d8d7af4831

SHA512
689ed53d62739f9137511fa32b63e1c4242166e867615a507ace82c7face76f446e07425dca0d8057acd93a9fbcd0e96e633b05f726748977abb74f3d1c2e221

Download Submit
C:\Users\Admin\AppData\Local\Temp\explorer.exe

Filesize
1009KB

MD5
37248e1253355bc6e356e31346f35e30

SHA1
76a4c49df25f3621ef38426d726eafd9f67be20b

SHA256
917c39f77f2a2851383d506c884cc114a992c5e15d0c2993625a4b9186e26ad4

SHA512
1e4f5eb77fed7a1a25f6684fcd42b3097e666ea942995027cf9eab3d4f176eed8c2c9f561cf6e53e8769890fcbf08e559cbe9c05d42ae8ce2dbecb8c7733fd08

Download Submit
C:\Users\Admin\AppData\Local\Temp\h2sGrcN1Zw.bat

Filesize
221B

MD5
44496ff1597b76545841a53a8d54bc03

SHA1
c71b9595a0c7d4dab6836c0eac56244c993a1ab6

SHA256
8c233a45ec23a768238ea0c58810f1888134bf78b838b183a967419743657f43

SHA512
a4d41bedaf730f4ba1524aeca00344563c62201fca8a9400d88f7604e1723a77ddc1d223b37e2bf98227fb26fd466ae1abad004e33eb633c8beacd1683a09b56

Download Submit
C:\Users\Admin\AppData\Local\Temp\qWxuQCq4fF.bat

Filesize
221B

MD5
02bee0bf3c21d31ad918561fcf4b835d

SHA1
400d632f05b68593e1aba56f97004c3934a7a77d

SHA256
284166172cc80b05ec0f693eb8424bfd688ed3d3b8653c09b741919876350f75

SHA512
ac961453718713ef3bdbb1e8feeb9ac21c38cf194520eb979ef09c0fc2756658c44dff40839fe2ab8d1fbba309504aabe07ec90075d3843f1fdbbc1f63f465de

Download Submit
C:\Users\Admin\AppData\Roaming\yAMgrsRV0v.exe

Filesize
18KB

MD5
f3edff85de5fd002692d54a04bcb1c09

SHA1
4c844c5b0ee7cb230c9c28290d079143e00cb216

SHA256
caf29650446db3842e1c1e8e5e1bafadaf90fc82c5c37b9e2c75a089b7476131

SHA512
531d920e2567f58e8169afc786637c1a0f7b9b5c27b27b5f0eddbfc3e00cecd7bea597e34061d836647c5f8c7757f2fe02952a9793344e21b39ddd4bf7985f9d

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
5.5MB

MD5
52aaa8c3fd6b813b713ae05ab9e4829c

SHA1
d4ac8addbe5e15e867afe58f4bbb8319395ad38e

SHA256
0c30d4cb510304d4ce140952f8ce316056cc4bc552cef78a81fd5301aecc1fd2

SHA512
c39bba95a8554f1115d0362bad33901fd87e00d5de7671cd48d7b537c97889882b9009a83948087cf8516a32588e4ef831531977740b17a2791cec927934fdd8

Download Submit
\Users\Admin\AppData\Roaming\M9OpOHJOcY.exe

Filesize
768KB

MD5
e3aae84e507657a2a81745500460f5f7

SHA1
dd53b7b8b0eab343f1ed3f0983326bc433304110

SHA256
b8f3077a6dd5d704139f7ccfe6e453adf3ebc0100c617fd2c9f3c51650a0ea25

SHA512
4bee0f7325bdb02528e78d21f65ccbdc9450316d6681022ddc6c85540a4a6b22c4cc4cfda36824a4e5c17a9b1f66845b61c82d822806dde1e006b9cee7da5d66

Download Submit
memory/1292-142-0x0000000000360000-0x0000000000426000-memory.dmp

Filesize
792KB

Download
memory/1640-131-0x00000000002A0000-0x0000000000366000-memory.dmp

Filesize
792KB

Download
memory/1784-258-0x0000000001060000-0x0000000001126000-memory.dmp

Filesize
792KB

Download
memory/1788-66-0x0000000000510000-0x000000000052C000-memory.dmp

Filesize
112KB

Download
memory/1788-62-0x00000000000F0000-0x00000000001B6000-memory.dmp

Filesize
792KB

Download
memory/1788-64-0x00000000004C0000-0x00000000004CE000-memory.dmp

Filesize
56KB

Download
memory/1788-68-0x0000000000530000-0x0000000000548000-memory.dmp

Filesize
96KB

Download
memory/1788-70-0x00000000004D0000-0x00000000004DC000-memory.dmp

Filesize
48KB

Download
memory/1960-247-0x0000000000E70000-0x0000000000F36000-memory.dmp

Filesize
792KB

Download
memory/2040-153-0x0000000001190000-0x0000000001256000-memory.dmp

Filesize
792KB

Download
memory/2052-120-0x00000000012E0000-0x00000000013A6000-memory.dmp

Filesize
792KB

Download
memory/2172-236-0x0000000000290000-0x0000000000356000-memory.dmp

Filesize
792KB

Download
memory/2248-214-0x00000000001D0000-0x0000000000296000-memory.dmp

Filesize
792KB

Download
memory/2436-88-0x0000000001300000-0x00000000013C6000-memory.dmp

Filesize
792KB

Download
memory/2560-109-0x0000000000110000-0x00000000001D6000-memory.dmp

Filesize
792KB

Download
memory/2568-15-0x0000000001050000-0x0000000001152000-memory.dmp

Filesize
1.0MB

Download
memory/2620-32-0x0000000000400000-0x00000000004FD000-memory.dmp

Filesize
1012KB

Download
memory/2620-35-0x0000000000400000-0x00000000004FD000-memory.dmp

Filesize
1012KB

Download
memory/2620-24-0x0000000000400000-0x00000000004FD000-memory.dmp

Filesize
1012KB

Download
memory/2620-47-0x0000000000400000-0x00000000004FD000-memory.dmp

Filesize
1012KB

Download
memory/2620-18-0x0000000000400000-0x00000000004FD000-memory.dmp

Filesize
1012KB

Download
memory/2620-20-0x0000000000400000-0x00000000004FD000-memory.dmp

Filesize
1012KB

Download
memory/2620-34-0x0000000000400000-0x00000000004FD000-memory.dmp

Filesize
1012KB

Download
memory/2620-22-0x0000000000400000-0x00000000004FD000-memory.dmp

Filesize
1012KB

Download
memory/2620-26-0x0000000000400000-0x00000000004FD000-memory.dmp

Filesize
1012KB

Download
memory/2620-28-0x0000000000400000-0x00000000004FD000-memory.dmp

Filesize
1012KB

Download
memory/2620-30-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2620-31-0x0000000000400000-0x00000000004FD000-memory.dmp

Filesize
1012KB

Download
memory/2708-0-0x00000000744EE000-0x00000000744EF000-memory.dmp

Filesize
4KB

Download
memory/2708-1-0x0000000000ED0000-0x000000000155C000-memory.dmp

Filesize
6.5MB

Download
memory/2784-60-0x0000000140000000-0x00000001408C1000-memory.dmp

Filesize
8.8MB

Download
memory/2784-53-0x0000000077620000-0x0000000077622000-memory.dmp

Filesize
8KB

Download
memory/2784-55-0x0000000077630000-0x0000000077632000-memory.dmp

Filesize
8KB

Download
memory/2784-57-0x0000000077630000-0x0000000077632000-memory.dmp

Filesize
8KB

Download
memory/2784-51-0x0000000077620000-0x0000000077622000-memory.dmp

Filesize
8KB

Download
memory/2784-59-0x0000000077630000-0x0000000077632000-memory.dmp

Filesize
8KB

Download
memory/2784-49-0x0000000077620000-0x0000000077622000-memory.dmp

Filesize
8KB

Download
memory/3064-225-0x0000000000DE0000-0x0000000000EA6000-memory.dmp

Filesize
792KB

Download