dcrat | b56efb3ca8906a817613e7e0899cffa1f5d23d39164153dc2567cf10a0314fb4

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-01-2025 12:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CrackLauncher.exe
Size

6.5MB
MD5

dd045e7803ef620069b0e90d9128375f
SHA1

983de7fc238cac0de7b2d74b86617501dbbfc9c6
SHA256

b56efb3ca8906a817613e7e0899cffa1f5d23d39164153dc2567cf10a0314fb4
SHA512

3ef80acad4b09dbb84835520f249c3970f0574156e77155f496dddb46927d407773315f34c4c38277e34825ac6401159b5df06776140b20fb9f820f0a4859886
SSDEEP

196608:nuaAxSTZLvD6/x1R92cJUMo7xS6eUEMW42:nRAh5n9/GMolS6eyWZ

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	3296	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3620	3296	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1108	3296	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1088	3296	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3232	3296	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	3296	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1028	3296	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	3296	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4424	3296	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	3296	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	3296	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5068	3296	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	3296	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3736	3296	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4684	3296	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3588	3296	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3760	3296	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	3296	schtasks.exe	92

DCRat payload 4 IoCs

rat

resource	yara_rule
behavioral2/files/0x0007000000023c6a-57.dat	family_dcrat_v2
behavioral2/memory/2644-59-0x00000000008C0000-0x0000000000986000-memory.dmp	family_dcrat_v2
behavioral2/memory/4336-58-0x0000000000400000-0x00000000004FD000-memory.dmp	family_dcrat_v2
behavioral2/memory/4336-55-0x0000000000400000-0x00000000004FD000-memory.dmp	family_dcrat_v2

Checks computer location settings 2 TTPs 19 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	plXlRxnJVt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	plXlRxnJVt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	plXlRxnJVt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	plXlRxnJVt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	plXlRxnJVt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	plXlRxnJVt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	plXlRxnJVt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	plXlRxnJVt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	plXlRxnJVt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	CrackLauncher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	plXlRxnJVt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	plXlRxnJVt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	plXlRxnJVt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	plXlRxnJVt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	plXlRxnJVt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	plXlRxnJVt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	plXlRxnJVt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	plXlRxnJVt.exe

Executes dropped EXE 21 IoCs

pid	Process
1716	svchost.exe
212	explorer.exe
1284	6a1wmVJkpF.exe
2644	plXlRxnJVt.exe
1880	plXlRxnJVt.exe
1364	plXlRxnJVt.exe
3232	plXlRxnJVt.exe
4356	plXlRxnJVt.exe
4772	plXlRxnJVt.exe
4856	plXlRxnJVt.exe
2376	plXlRxnJVt.exe
3760	plXlRxnJVt.exe
4092	plXlRxnJVt.exe
2288	plXlRxnJVt.exe
3520	plXlRxnJVt.exe
1660	plXlRxnJVt.exe
4444	plXlRxnJVt.exe
2644	plXlRxnJVt.exe
1532	plXlRxnJVt.exe
4776	plXlRxnJVt.exe
2088	plXlRxnJVt.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1716	svchost.exe
1716	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 212 set thread context of 4336	212	explorer.exe	87

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Mail\wininit.exe	plXlRxnJVt.exe
File created	C:\Program Files\Windows Mail\56085415360792	plXlRxnJVt.exe
File created	C:\Program Files\Windows Media Player\Media Renderer\taskhostw.exe	plXlRxnJVt.exe
File created	C:\Program Files\Windows Media Player\Media Renderer\ea9f0e6c9e2dcd	plXlRxnJVt.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\smss.exe	plXlRxnJVt.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\69ddcba757bf72	plXlRxnJVt.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\addins\upfc.exe	plXlRxnJVt.exe
File opened for modification	C:\Windows\addins\upfc.exe	plXlRxnJVt.exe
File created	C:\Windows\addins\ea1d8f6d871115	plXlRxnJVt.exe
File created	C:\Windows\Media\Landscape\upfc.exe	plXlRxnJVt.exe
File created	C:\Windows\Media\Landscape\ea1d8f6d871115	plXlRxnJVt.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CrackLauncher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 10 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1304	PING.EXE
668	PING.EXE
3936	PING.EXE
3980	PING.EXE
2188	PING.EXE
4684	PING.EXE
3180	PING.EXE
4876	PING.EXE
3104	PING.EXE
1000	PING.EXE

Modifies registry class 17 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	plXlRxnJVt.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	plXlRxnJVt.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	plXlRxnJVt.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	plXlRxnJVt.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	plXlRxnJVt.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	plXlRxnJVt.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	plXlRxnJVt.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	plXlRxnJVt.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	plXlRxnJVt.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	plXlRxnJVt.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	plXlRxnJVt.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	plXlRxnJVt.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	plXlRxnJVt.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	plXlRxnJVt.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	plXlRxnJVt.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	plXlRxnJVt.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	plXlRxnJVt.exe

Runs ping.exe 1 TTPs 10 IoCs

Remote System Discovery

T1018

pid	Process
3936	PING.EXE
3980	PING.EXE
2188	PING.EXE
1304	PING.EXE
3104	PING.EXE
668	PING.EXE
1000	PING.EXE
4684	PING.EXE
3180	PING.EXE
4876	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2260	schtasks.exe
1028	schtasks.exe
2388	schtasks.exe
2468	schtasks.exe
5068	schtasks.exe
3736	schtasks.exe
3588	schtasks.exe
1088	schtasks.exe
3232	schtasks.exe
2188	schtasks.exe
4424	schtasks.exe
2404	schtasks.exe
3620	schtasks.exe
1108	schtasks.exe
2952	schtasks.exe
4684	schtasks.exe
3760	schtasks.exe
2336	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1716	svchost.exe
1716	svchost.exe
2644	plXlRxnJVt.exe
2644	plXlRxnJVt.exe
2644	plXlRxnJVt.exe
2644	plXlRxnJVt.exe
2644	plXlRxnJVt.exe
2644	plXlRxnJVt.exe
2644	plXlRxnJVt.exe
2644	plXlRxnJVt.exe
2644	plXlRxnJVt.exe
2644	plXlRxnJVt.exe
2644	plXlRxnJVt.exe
2644	plXlRxnJVt.exe
2644	plXlRxnJVt.exe
2644	plXlRxnJVt.exe
2644	plXlRxnJVt.exe
2644	plXlRxnJVt.exe
2644	plXlRxnJVt.exe
2644	plXlRxnJVt.exe
2644	plXlRxnJVt.exe
2644	plXlRxnJVt.exe
2644	plXlRxnJVt.exe
2644	plXlRxnJVt.exe
2644	plXlRxnJVt.exe
2644	plXlRxnJVt.exe
2644	plXlRxnJVt.exe
2644	plXlRxnJVt.exe
2644	plXlRxnJVt.exe
2644	plXlRxnJVt.exe
2644	plXlRxnJVt.exe
2644	plXlRxnJVt.exe
2644	plXlRxnJVt.exe
2644	plXlRxnJVt.exe
2644	plXlRxnJVt.exe
2644	plXlRxnJVt.exe
2644	plXlRxnJVt.exe
2644	plXlRxnJVt.exe
2644	plXlRxnJVt.exe
2644	plXlRxnJVt.exe
2644	plXlRxnJVt.exe
2644	plXlRxnJVt.exe
2644	plXlRxnJVt.exe
2644	plXlRxnJVt.exe
2644	plXlRxnJVt.exe
2644	plXlRxnJVt.exe
2644	plXlRxnJVt.exe
2644	plXlRxnJVt.exe
2644	plXlRxnJVt.exe
2644	plXlRxnJVt.exe
2644	plXlRxnJVt.exe
2644	plXlRxnJVt.exe
2644	plXlRxnJVt.exe
2644	plXlRxnJVt.exe
2644	plXlRxnJVt.exe
2644	plXlRxnJVt.exe
2644	plXlRxnJVt.exe
2644	plXlRxnJVt.exe
2644	plXlRxnJVt.exe
2644	plXlRxnJVt.exe
2644	plXlRxnJVt.exe
2644	plXlRxnJVt.exe
2644	plXlRxnJVt.exe
2644	plXlRxnJVt.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	2644	plXlRxnJVt.exe
Token: SeDebugPrivilege	1880	plXlRxnJVt.exe
Token: SeDebugPrivilege	1364	plXlRxnJVt.exe
Token: SeDebugPrivilege	3232	plXlRxnJVt.exe
Token: SeDebugPrivilege	4356	plXlRxnJVt.exe
Token: SeDebugPrivilege	4772	plXlRxnJVt.exe
Token: SeDebugPrivilege	4856	plXlRxnJVt.exe
Token: SeDebugPrivilege	2376	plXlRxnJVt.exe
Token: SeDebugPrivilege	3760	plXlRxnJVt.exe
Token: SeDebugPrivilege	4092	plXlRxnJVt.exe
Token: SeDebugPrivilege	2288	plXlRxnJVt.exe
Token: SeDebugPrivilege	3520	plXlRxnJVt.exe
Token: SeDebugPrivilege	1660	plXlRxnJVt.exe
Token: SeDebugPrivilege	4444	plXlRxnJVt.exe
Token: SeDebugPrivilege	2644	plXlRxnJVt.exe
Token: SeDebugPrivilege	1532	plXlRxnJVt.exe
Token: SeDebugPrivilege	4776	plXlRxnJVt.exe
Token: SeDebugPrivilege	2088	plXlRxnJVt.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1876 wrote to memory of 1716	1876	CrackLauncher.exe	83
PID 1876 wrote to memory of 1716	1876	CrackLauncher.exe	83
PID 1876 wrote to memory of 212	1876	CrackLauncher.exe	85
PID 1876 wrote to memory of 212	1876	CrackLauncher.exe	85
PID 1876 wrote to memory of 212	1876	CrackLauncher.exe	85
PID 212 wrote to memory of 4336	212	explorer.exe	87
PID 212 wrote to memory of 4336	212	explorer.exe	87
PID 212 wrote to memory of 4336	212	explorer.exe	87
PID 212 wrote to memory of 4336	212	explorer.exe	87
PID 212 wrote to memory of 4336	212	explorer.exe	87
PID 212 wrote to memory of 4336	212	explorer.exe	87
PID 212 wrote to memory of 4336	212	explorer.exe	87
PID 212 wrote to memory of 4336	212	explorer.exe	87
PID 212 wrote to memory of 4336	212	explorer.exe	87
PID 212 wrote to memory of 4336	212	explorer.exe	87
PID 4336 wrote to memory of 1284	4336	RegAsm.exe	88
PID 4336 wrote to memory of 1284	4336	RegAsm.exe	88
PID 4336 wrote to memory of 2644	4336	RegAsm.exe	90
PID 4336 wrote to memory of 2644	4336	RegAsm.exe	90
PID 1716 wrote to memory of 2920	1716	svchost.exe	91
PID 1716 wrote to memory of 2920	1716	svchost.exe	91
PID 2644 wrote to memory of 3076	2644	plXlRxnJVt.exe	111
PID 2644 wrote to memory of 3076	2644	plXlRxnJVt.exe	111
PID 3076 wrote to memory of 900	3076	cmd.exe	113
PID 3076 wrote to memory of 900	3076	cmd.exe	113
PID 3076 wrote to memory of 668	3076	cmd.exe	114
PID 3076 wrote to memory of 668	3076	cmd.exe	114
PID 3076 wrote to memory of 1880	3076	cmd.exe	117
PID 3076 wrote to memory of 1880	3076	cmd.exe	117
PID 1880 wrote to memory of 3220	1880	plXlRxnJVt.exe	121
PID 1880 wrote to memory of 3220	1880	plXlRxnJVt.exe	121
PID 3220 wrote to memory of 4360	3220	cmd.exe	123
PID 3220 wrote to memory of 4360	3220	cmd.exe	123
PID 3220 wrote to memory of 4200	3220	cmd.exe	124
PID 3220 wrote to memory of 4200	3220	cmd.exe	124
PID 3220 wrote to memory of 1364	3220	cmd.exe	132
PID 3220 wrote to memory of 1364	3220	cmd.exe	132
PID 1364 wrote to memory of 2708	1364	plXlRxnJVt.exe	134
PID 1364 wrote to memory of 2708	1364	plXlRxnJVt.exe	134
PID 2708 wrote to memory of 2736	2708	cmd.exe	136
PID 2708 wrote to memory of 2736	2708	cmd.exe	136
PID 2708 wrote to memory of 1000	2708	cmd.exe	137
PID 2708 wrote to memory of 1000	2708	cmd.exe	137
PID 2708 wrote to memory of 3232	2708	cmd.exe	139
PID 2708 wrote to memory of 3232	2708	cmd.exe	139
PID 3232 wrote to memory of 2340	3232	plXlRxnJVt.exe	143
PID 3232 wrote to memory of 2340	3232	plXlRxnJVt.exe	143
PID 2340 wrote to memory of 4624	2340	cmd.exe	145
PID 2340 wrote to memory of 4624	2340	cmd.exe	145
PID 2340 wrote to memory of 3936	2340	cmd.exe	146
PID 2340 wrote to memory of 3936	2340	cmd.exe	146
PID 2340 wrote to memory of 4356	2340	cmd.exe	149
PID 2340 wrote to memory of 4356	2340	cmd.exe	149
PID 4356 wrote to memory of 180	4356	plXlRxnJVt.exe	151
PID 4356 wrote to memory of 180	4356	plXlRxnJVt.exe	151
PID 180 wrote to memory of 528	180	cmd.exe	153
PID 180 wrote to memory of 528	180	cmd.exe	153
PID 180 wrote to memory of 2288	180	cmd.exe	154
PID 180 wrote to memory of 2288	180	cmd.exe	154
PID 180 wrote to memory of 4772	180	cmd.exe	156
PID 180 wrote to memory of 4772	180	cmd.exe	156
PID 4772 wrote to memory of 4360	4772	plXlRxnJVt.exe	158
PID 4772 wrote to memory of 4360	4772	plXlRxnJVt.exe	158
PID 4360 wrote to memory of 3916	4360	cmd.exe	160

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1876
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1716
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:2920
- C:\Users\Admin\AppData\Local\Temp\explorer.exe
  "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:212
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4336
  - - C:\Users\Admin\AppData\Roaming\6a1wmVJkpF.exe
      "C:\Users\Admin\AppData\Roaming\6a1wmVJkpF.exe"
      4⤵
      Executes dropped EXE
      PID:1284
  - - C:\Users\Admin\AppData\Roaming\plXlRxnJVt.exe
      "C:\Users\Admin\AppData\Roaming\plXlRxnJVt.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2644
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fIp9QaXrlr.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3076
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:900
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:668
      - C:\Users\Admin\AppData\Roaming\plXlRxnJVt.exe
        
        "C:\Users\Admin\AppData\Roaming\plXlRxnJVt.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1880
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iN31mkcLsQ.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3220
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:4360
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:4200
        
        C:\Users\Admin\AppData\Roaming\plXlRxnJVt.exe
        
        "C:\Users\Admin\AppData\Roaming\plXlRxnJVt.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1364
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5AOAfIZos6.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2708
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:2736
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1000
        
        C:\Users\Admin\AppData\Roaming\plXlRxnJVt.exe
        
        "C:\Users\Admin\AppData\Roaming\plXlRxnJVt.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3232
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UKSgvR4Pjt.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2340
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:4624
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3936
        
        C:\Users\Admin\AppData\Roaming\plXlRxnJVt.exe
        
        "C:\Users\Admin\AppData\Roaming\plXlRxnJVt.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4356
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DoC45cXmCX.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:180
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:528
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2288
        
        C:\Users\Admin\AppData\Roaming\plXlRxnJVt.exe
        
        "C:\Users\Admin\AppData\Roaming\plXlRxnJVt.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4772
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cWXsH5vMZ0.bat"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:4360
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:3916
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3980
        
        C:\Users\Admin\AppData\Roaming\plXlRxnJVt.exe
        
        "C:\Users\Admin\AppData\Roaming\plXlRxnJVt.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4856
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Z3scJZvfCA.bat"
        17⤵
        
        PID:4256
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:4432
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:3892
        
        C:\Users\Admin\AppData\Roaming\plXlRxnJVt.exe
        
        "C:\Users\Admin\AppData\Roaming\plXlRxnJVt.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2376
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lV5no6Klb5.bat"
        19⤵
        
        PID:3976
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:1452
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2188
        
        C:\Users\Admin\AppData\Roaming\plXlRxnJVt.exe
        
        "C:\Users\Admin\AppData\Roaming\plXlRxnJVt.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3760
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5AOAfIZos6.bat"
        21⤵
        
        PID:2724
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:2852
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4684
        
        C:\Users\Admin\AppData\Roaming\plXlRxnJVt.exe
        
        "C:\Users\Admin\AppData\Roaming\plXlRxnJVt.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4092
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pDaBHOJJBp.bat"
        23⤵
        
        PID:3324
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:2384
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2320
        
        C:\Users\Admin\AppData\Roaming\plXlRxnJVt.exe
        
        "C:\Users\Admin\AppData\Roaming\plXlRxnJVt.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2288
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Z3scJZvfCA.bat"
        25⤵
        
        PID:396
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:2272
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:1124
        
        C:\Users\Admin\AppData\Roaming\plXlRxnJVt.exe
        
        "C:\Users\Admin\AppData\Roaming\plXlRxnJVt.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3520
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gtOlnDcdUa.bat"
        27⤵
        
        PID:720
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:2088
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:1492
        
        C:\Users\Admin\AppData\Roaming\plXlRxnJVt.exe
        
        "C:\Users\Admin\AppData\Roaming\plXlRxnJVt.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1660
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XaDMK3wxoK.bat"
        29⤵
        
        PID:4560
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:4216
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3180
        
        C:\Users\Admin\AppData\Roaming\plXlRxnJVt.exe
        
        "C:\Users\Admin\AppData\Roaming\plXlRxnJVt.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4444
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MF6Ow2NaEZ.bat"
        31⤵
        
        PID:3736
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:704
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1304
        
        C:\Users\Admin\AppData\Roaming\plXlRxnJVt.exe
        
        "C:\Users\Admin\AppData\Roaming\plXlRxnJVt.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2644
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\A6hgcLYDdm.bat"
        33⤵
        
        PID:4224
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        34⤵
        
        PID:4580
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        34⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4876
        
        C:\Users\Admin\AppData\Roaming\plXlRxnJVt.exe
        
        "C:\Users\Admin\AppData\Roaming\plXlRxnJVt.exe"
        34⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1532
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HImszzPBTt.bat"
        35⤵
        
        PID:1880
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        36⤵
        
        PID:1620
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        36⤵
        
        PID:3632
        
        C:\Users\Admin\AppData\Roaming\plXlRxnJVt.exe
        
        "C:\Users\Admin\AppData\Roaming\plXlRxnJVt.exe"
        36⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4776
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WLOEqHw6cP.bat"
        37⤵
        
        PID:2976
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        38⤵
        
        PID:3732
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        38⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3104
        
        C:\Users\Admin\AppData\Roaming\plXlRxnJVt.exe
        
        "C:\Users\Admin\AppData\Roaming\plXlRxnJVt.exe"
        38⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Windows\Media\Landscape\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Windows\Media\Landscape\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\Windows\Media\Landscape\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Media Player\Media Renderer\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Media Renderer\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Media Player\Media Renderer\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Mail\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Mail\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Windows\addins\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Windows\addins\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Windows\addins\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "plXlRxnJVtp" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\AppData\Roaming\plXlRxnJVt.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "plXlRxnJVt" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\plXlRxnJVt.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "plXlRxnJVtp" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\AppData\Roaming\plXlRxnJVt.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\plXlRxnJVt.exe.log

Filesize
1KB

MD5
23e95ec462ffa2c6ca8cab1cb8724ab1

SHA1
ee3f5e815831cf925c4f00195cc8f336b6112862

SHA256
c6ed38229b96cfb59e61de06854a1a99a9d6c3285a6b8511a7b60d64caa6979c

SHA512
b92242ea8d3dbcd3de11725995c22f0a747b820cfff7cf44217589289621bdc2a25bb4db0e1f385bd6bc84c15d893fa5dad544e6bab89f072ccb822cd8bd08dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\5AOAfIZos6.bat

Filesize
173B

MD5
b20d5d147640cddd4fc3cbf86166fc3b

SHA1
017869d5009b2d14721408e4d1b0f60e3b9f1c02

SHA256
9f7475a2b0592d6c03a59e7f2048eddff82647d3c4ebe314859c157f1fa90979

SHA512
bf17e62ec70a304cfcfff7c985cd27863548a231b4fafa5d85ede5323b81a174ee7d7faebff22c4b59c92a0db97db808e3fc203995ce38d835a351ecfc4f7388

Download Submit
C:\Users\Admin\AppData\Local\Temp\A6hgcLYDdm.bat

Filesize
173B

MD5
f3f04fddf4d64f0985ded72ee0ba0158

SHA1
eac195be7e787ef52252e855d4eef2acec673ec8

SHA256
422f9c7cbb9656ae5b408d672c91c9f6389840e4981f3535806e2f6f22aa43c4

SHA512
4245e6387041218c890f29e04ae5e8d05a21dd67d495759acdf41a3e088bc9467a23e1b96de5a285a862cb61432427366f1db241cf98d59af3c1e657dec7bd5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DoC45cXmCX.bat

Filesize
221B

MD5
2daa191013a2486e388b026de9345ea0

SHA1
9608b2a7913c65fa3d8afc1c2d7dace244c117cc

SHA256
3229641eed2c352c047e1cc316b6d8e96101fb1f0c54b956de85730694a94399

SHA512
bfa1d1811217d1584a13f370146a3a40dc5d6aef42bdef31b6d502ffa5bf5ff9af5eae4d0dff42085497b8c36800b638e413cb00ed1baa2ac07c9631c3949856

Download Submit
C:\Users\Admin\AppData\Local\Temp\HImszzPBTt.bat

Filesize
221B

MD5
8451509af79559a5b9b1a375396cdd0b

SHA1
4c17b039fd6a8a567ecc576f172a1087b3af47a6

SHA256
031fbda517793b5de8ce182b75f4cc9578c9e1a2f5fa6b982dcf490d86fe4286

SHA512
fe1126e378b3cc1fc6fd98acf875f17354c05423ee4eedc315613205036f092512501df433e22c45b7742fb922b9e87843d601fae2d49d37f8934ed3b494afc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MF6Ow2NaEZ.bat

Filesize
173B

MD5
658c7f3705847f6f481bc60b43943322

SHA1
6b43046c45b91554c18db958ee5d0c583fd16b07

SHA256
646c2916fd828155f7ac39939409ef849b54919b05437341f3c93ded56afd008

SHA512
8547abf11fb10eed167843dc3a9cd922ed3bcd91c296d62aad280db3af6076e69fd85e1f6eae2439381d06052d940ad4e99e68c02fa545b8836d8cfa4621cf6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UKSgvR4Pjt.bat

Filesize
173B

MD5
375e8609aded52cc87e0da7fe9f450b3

SHA1
724a878ff9a020b7788157d02db20407fa640c54

SHA256
c3a5c8d5634335d784ee1bce472176e81e16052be5d8e1a6419a92a19deb5d56

SHA512
5d709f7da877eca87666201d897cc55d51fbb170597729f9971eb52e1effee2be1bb60cd6eb6e8a53e0ab1adecb17dac54e68a3a4487af8e2875f4f67b4d591b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WLOEqHw6cP.bat

Filesize
173B

MD5
a9b0c49176c9cf29cc499f5a71c618cc

SHA1
1a6629ef874907c59c8e4c812ad7f0cb710b31b7

SHA256
d9df64e47989e49520ac56b97adeba35c080d5c130d0b084897337799efa5c1c

SHA512
88baadf3cb00ac5dd6c71050d3fd55eac55e1cf83819bf38e9252be5597268f7c06a93532d310c9dd24e0f8e72d0b05357c11305967632ebe486df8bf61abefc

Download Submit
C:\Users\Admin\AppData\Local\Temp\XaDMK3wxoK.bat

Filesize
173B

MD5
e2c82270209704f6ce14efb27c19e58f

SHA1
215640381c0f353be6d195094f055f33fdbb3f85

SHA256
e9357c0cc0108f45b04df2c8cf02e33c7fb505a3cd137be4fe358dc1fddd78d0

SHA512
1af49020070daa5ea585098ac47a8bd0c84407153835900f18b32c2b7d18763c3bff6555a10c7e09e2514dca562ad6544e75c81d98bb4c16d4fdad43e641d0fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Z3scJZvfCA.bat

Filesize
221B

MD5
761f4df87b59deaf540511d3d9f29cc5

SHA1
3ad1f22b10cffdd70781294a2364e3fe04f018d0

SHA256
437532777e99fcc50fd2a91fdddcb9e21a1d15aa4278a0c6f06b6969f97f1709

SHA512
99eb7095de50cae7623af66b8cb09352a5091ca1a8d96e3595c72531907cf4d6ff92f5e6c5ad88f1059de76e90a7ce00f8d3c4bf29965d1f1ed620d42317ba36

Download Submit
C:\Users\Admin\AppData\Local\Temp\cWXsH5vMZ0.bat

Filesize
173B

MD5
3721755ddc040d406d604ba479f72f16

SHA1
e1f2ceaf14b2f9fc01f8292c43028f2e6e5773ac

SHA256
58b78a165acd0b668524310f09948a398a07d4895affd698848c5efbbca569fe

SHA512
7bc9f72abf02a1b02af0c9e25fb46c1e2dfc2dd158cecfb70569990a5da9d77e5082fcc843a39f31031c4a99cd5fd959a3cd814fc7a3d21cb04f9838e0468085

Download Submit
C:\Users\Admin\AppData\Local\Temp\explorer.exe

Filesize
1009KB

MD5
37248e1253355bc6e356e31346f35e30

SHA1
76a4c49df25f3621ef38426d726eafd9f67be20b

SHA256
917c39f77f2a2851383d506c884cc114a992c5e15d0c2993625a4b9186e26ad4

SHA512
1e4f5eb77fed7a1a25f6684fcd42b3097e666ea942995027cf9eab3d4f176eed8c2c9f561cf6e53e8769890fcbf08e559cbe9c05d42ae8ce2dbecb8c7733fd08

Download Submit
C:\Users\Admin\AppData\Local\Temp\fIp9QaXrlr.bat

Filesize
173B

MD5
515c0bd42f0c479de55467732f2b1283

SHA1
90c38d4b552e3288522cbe631b6b3efe47b550b6

SHA256
cb88d2b1a6d0413342e0feb9a8a68a13d096df23bfaa02263275a30b717c4c6a

SHA512
3c32c8ef06cb64c592ee69fbdfa9126389c6b4a8ac2eef8a2a83ed7752ac98280d7d089cf8d32a4b154403521641cbcd832d167511b03ab60ec9125c20f7ca2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\gtOlnDcdUa.bat

Filesize
221B

MD5
951cd56d0d121f1fa798069a1eb6bfe0

SHA1
69d7d6a9601baaa1a25af0790def4eed8d44630f

SHA256
55f6df47eebcbab23d2d100057962d9c258d1309fefb6cb19bad0213b843423f

SHA512
5cfe3d0c420467aad850411d878e22861d79065fb1c4a09a42b0b2ebd86cbdffdbf52224673b37189fc5ce1dc14d5198db00ccc07b8defc1ad5118d73416a9aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\iN31mkcLsQ.bat

Filesize
221B

MD5
4ed268f6a53b88fbfd37b6379b8dda8b

SHA1
303d34dc90f0a778e06a1bb33c73b6c35317cdeb

SHA256
d60e5cc875ededa054b5d17d47f11b8e7683c8684a9dd62b247603b2bea80648

SHA512
4bd042000b6db41e94a85219497a2e5ae72109718803669e12e8db24154dbd64f33259936354bc1ba29fdd4703c04c46f7a26b1d27db59d89d6d9ab034d0e011

Download Submit
C:\Users\Admin\AppData\Local\Temp\lV5no6Klb5.bat

Filesize
173B

MD5
ad6d796df038b507369ac821c9398df3

SHA1
94f631de923a6a0a37fa823492e4316c01f81969

SHA256
534aaad610df22098105343b1056b5eed0a7ded6c293e3e9eb8280ac6a88df96

SHA512
b248e43073a87eb6e4a8178f5595e50baea64cfe95433925aaa8d91f91f08d364260753ebb915f0dcfe38123ccd657cdca1f03bf7309ecca757ee09bf0f67d91

Download Submit
C:\Users\Admin\AppData\Local\Temp\pDaBHOJJBp.bat

Filesize
221B

MD5
f71ea466411011964e1bb285fbf61e33

SHA1
c104e2e67daad6660963737f892a1a8965c4da67

SHA256
2f7b1114c75b96a1f3c6a9eddc0133fdacb45b1ecafcff19b7294fd0cd0019c4

SHA512
3e517d93b55b818c3d4f9a8eb2d312e0158091220e39dbc9a44659b0090d73a6383b80a0d89c19c2d52676d02c9df4bde3e7edb21632735017d16ee521fcb489

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
5.5MB

MD5
52aaa8c3fd6b813b713ae05ab9e4829c

SHA1
d4ac8addbe5e15e867afe58f4bbb8319395ad38e

SHA256
0c30d4cb510304d4ce140952f8ce316056cc4bc552cef78a81fd5301aecc1fd2

SHA512
c39bba95a8554f1115d0362bad33901fd87e00d5de7671cd48d7b537c97889882b9009a83948087cf8516a32588e4ef831531977740b17a2791cec927934fdd8

Download Submit
C:\Users\Admin\AppData\Roaming\6a1wmVJkpF.exe

Filesize
18KB

MD5
f3edff85de5fd002692d54a04bcb1c09

SHA1
4c844c5b0ee7cb230c9c28290d079143e00cb216

SHA256
caf29650446db3842e1c1e8e5e1bafadaf90fc82c5c37b9e2c75a089b7476131

SHA512
531d920e2567f58e8169afc786637c1a0f7b9b5c27b27b5f0eddbfc3e00cecd7bea597e34061d836647c5f8c7757f2fe02952a9793344e21b39ddd4bf7985f9d

Download Submit
C:\Users\Admin\AppData\Roaming\plXlRxnJVt.exe

Filesize
768KB

MD5
e3aae84e507657a2a81745500460f5f7

SHA1
dd53b7b8b0eab343f1ed3f0983326bc433304110

SHA256
b8f3077a6dd5d704139f7ccfe6e453adf3ebc0100c617fd2c9f3c51650a0ea25

SHA512
4bee0f7325bdb02528e78d21f65ccbdc9450316d6681022ddc6c85540a4a6b22c4cc4cfda36824a4e5c17a9b1f66845b61c82d822806dde1e006b9cee7da5d66

Download Submit
memory/212-33-0x0000000074A20000-0x00000000751D0000-memory.dmp

Filesize
7.7MB

Download
memory/212-25-0x0000000000140000-0x0000000000242000-memory.dmp

Filesize
1.0MB

Download
memory/212-90-0x0000000074A20000-0x00000000751D0000-memory.dmp

Filesize
7.7MB

Download
memory/1716-37-0x000000014000E000-0x0000000140347000-memory.dmp

Filesize
3.2MB

Download
memory/1716-60-0x00007FFAE0E90000-0x00007FFAE0E92000-memory.dmp

Filesize
8KB

Download
memory/1716-91-0x000000014000E000-0x0000000140347000-memory.dmp

Filesize
3.2MB

Download
memory/1716-62-0x0000000140000000-0x00000001408C1000-memory.dmp

Filesize
8.8MB

Download
memory/1716-61-0x00007FFAE0EA0000-0x00007FFAE0EA2000-memory.dmp

Filesize
8KB

Download
memory/1876-1-0x0000000000090000-0x000000000071C000-memory.dmp

Filesize
6.5MB

Download
memory/1876-2-0x00000000050E0000-0x000000000517C000-memory.dmp

Filesize
624KB

Download
memory/1876-0-0x0000000074A2E000-0x0000000074A2F000-memory.dmp

Filesize
4KB

Download
memory/2644-67-0x000000001B420000-0x000000001B43C000-memory.dmp

Filesize
112KB

Download
memory/2644-65-0x00000000029F0000-0x00000000029FE000-memory.dmp

Filesize
56KB

Download
memory/2644-59-0x00000000008C0000-0x0000000000986000-memory.dmp

Filesize
792KB

Download
memory/2644-70-0x000000001B440000-0x000000001B458000-memory.dmp

Filesize
96KB

Download
memory/2644-68-0x000000001B5C0000-0x000000001B610000-memory.dmp

Filesize
320KB

Download
memory/2644-72-0x0000000002A10000-0x0000000002A1C000-memory.dmp

Filesize
48KB

Download
memory/4336-55-0x0000000000400000-0x00000000004FD000-memory.dmp

Filesize
1012KB

Download
memory/4336-58-0x0000000000400000-0x00000000004FD000-memory.dmp

Filesize
1012KB

Download
memory/4336-29-0x0000000000400000-0x00000000004FD000-memory.dmp

Filesize
1012KB

Download
memory/4336-27-0x0000000000400000-0x00000000004FD000-memory.dmp

Filesize
1012KB

Download
memory/4336-30-0x0000000000400000-0x00000000004FD000-memory.dmp

Filesize
1012KB

Download
memory/4336-34-0x0000000000400000-0x00000000004FD000-memory.dmp

Filesize
1012KB

Download