dcrat | 619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a

Analysis

max time kernel
150s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13/01/2025, 12:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Medal.exe.bin.exe
Size

1.8MB
MD5

42b89874d3138f40f32285be945f2ceb
SHA1

1766b4c4a040ba19afc4318e9b2eab775fee88d7
SHA256

619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a
SHA512

df44c7f5677a0b8e181f52b5c865315672b7c90b37f99c3b5e31714bdbb47d32d652073c42f1e614d2911faddc0394411aa3e1b8c3f832549c0d52f409722ca9
SSDEEP

49152:QdBn+oix+Z7vL4tzzQVGVzDd3Omjq+FLof:QdB+jx+Jv6zQVy1FLof

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3788	116	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1040	116	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	116	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4196	116	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	116	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4952	116	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	116	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4024	116	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3712	116	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	116	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1376	116	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3476	116	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2524	116	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	392	116	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	232	116	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4416	116	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3564	116	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4036	116	schtasks.exe	82

Checks computer location settings 2 TTPs 18 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Medal.exe.bin.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	sihost.exe

Executes dropped EXE 17 IoCs

pid	Process
452	sihost.exe
3992	sihost.exe
4068	sihost.exe
716	sihost.exe
4072	sihost.exe
2060	sihost.exe
372	sihost.exe
3148	sihost.exe
5000	sihost.exe
2904	sihost.exe
4064	sihost.exe
3860	sihost.exe
4720	sihost.exe
4124	sihost.exe
3728	sihost.exe
3724	sihost.exe
2380	sihost.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Media Player\upfc.exe	Medal.exe.bin.exe
File created	C:\Program Files\Windows Media Player\ea1d8f6d871115	Medal.exe.bin.exe
File created	C:\Program Files (x86)\Windows Portable Devices\System.exe	Medal.exe.bin.exe
File created	C:\Program Files (x86)\Windows Portable Devices\27d1bcfc3c54e0	Medal.exe.bin.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\en-US\System.exe	Medal.exe.bin.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\en-US\27d1bcfc3c54e0	Medal.exe.bin.exe
File created	C:\Program Files\Windows Media Player\upfc.exe	Medal.exe.bin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 10 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2380	PING.EXE
3476	PING.EXE
4976	PING.EXE
1512	PING.EXE
4976	PING.EXE
2012	PING.EXE
4972	PING.EXE
2068	PING.EXE
4964	PING.EXE
3340	PING.EXE

Modifies registry class 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	Medal.exe.bin.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	sihost.exe

Runs ping.exe 1 TTPs 10 IoCs

Remote System Discovery

T1018

pid	Process
2068	PING.EXE
2012	PING.EXE
4972	PING.EXE
2380	PING.EXE
4976	PING.EXE
4976	PING.EXE
3340	PING.EXE
3476	PING.EXE
1512	PING.EXE
4964	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4024	schtasks.exe
3712	schtasks.exe
1376	schtasks.exe
2524	schtasks.exe
392	schtasks.exe
4416	schtasks.exe
2452	schtasks.exe
1040	schtasks.exe
4952	schtasks.exe
1484	schtasks.exe
4036	schtasks.exe
3788	schtasks.exe
4196	schtasks.exe
2112	schtasks.exe
3476	schtasks.exe
232	schtasks.exe
3564	schtasks.exe
2784	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
764	Medal.exe.bin.exe
764	Medal.exe.bin.exe
764	Medal.exe.bin.exe
764	Medal.exe.bin.exe
764	Medal.exe.bin.exe
764	Medal.exe.bin.exe
764	Medal.exe.bin.exe
764	Medal.exe.bin.exe
764	Medal.exe.bin.exe
764	Medal.exe.bin.exe
764	Medal.exe.bin.exe
764	Medal.exe.bin.exe
764	Medal.exe.bin.exe
764	Medal.exe.bin.exe
764	Medal.exe.bin.exe
764	Medal.exe.bin.exe
764	Medal.exe.bin.exe
764	Medal.exe.bin.exe
764	Medal.exe.bin.exe
764	Medal.exe.bin.exe
764	Medal.exe.bin.exe
764	Medal.exe.bin.exe
764	Medal.exe.bin.exe
764	Medal.exe.bin.exe
764	Medal.exe.bin.exe
764	Medal.exe.bin.exe
764	Medal.exe.bin.exe
764	Medal.exe.bin.exe
764	Medal.exe.bin.exe
764	Medal.exe.bin.exe
764	Medal.exe.bin.exe
764	Medal.exe.bin.exe
764	Medal.exe.bin.exe
764	Medal.exe.bin.exe
764	Medal.exe.bin.exe
764	Medal.exe.bin.exe
764	Medal.exe.bin.exe
764	Medal.exe.bin.exe
764	Medal.exe.bin.exe
764	Medal.exe.bin.exe
764	Medal.exe.bin.exe
764	Medal.exe.bin.exe
764	Medal.exe.bin.exe
764	Medal.exe.bin.exe
764	Medal.exe.bin.exe
764	Medal.exe.bin.exe
764	Medal.exe.bin.exe
764	Medal.exe.bin.exe
452	sihost.exe
452	sihost.exe
452	sihost.exe
452	sihost.exe
452	sihost.exe
452	sihost.exe
452	sihost.exe
452	sihost.exe
452	sihost.exe
452	sihost.exe
452	sihost.exe
452	sihost.exe
452	sihost.exe
452	sihost.exe
452	sihost.exe
452	sihost.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	764	Medal.exe.bin.exe
Token: SeDebugPrivilege	452	sihost.exe
Token: SeDebugPrivilege	3992	sihost.exe
Token: SeDebugPrivilege	4068	sihost.exe
Token: SeDebugPrivilege	716	sihost.exe
Token: SeDebugPrivilege	4072	sihost.exe
Token: SeDebugPrivilege	2060	sihost.exe
Token: SeDebugPrivilege	372	sihost.exe
Token: SeDebugPrivilege	3148	sihost.exe
Token: SeDebugPrivilege	5000	sihost.exe
Token: SeDebugPrivilege	2904	sihost.exe
Token: SeDebugPrivilege	4064	sihost.exe
Token: SeDebugPrivilege	3860	sihost.exe
Token: SeDebugPrivilege	4720	sihost.exe
Token: SeDebugPrivilege	4124	sihost.exe
Token: SeDebugPrivilege	3728	sihost.exe
Token: SeDebugPrivilege	3724	sihost.exe
Token: SeDebugPrivilege	2380	sihost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 764 wrote to memory of 4608	764	Medal.exe.bin.exe	101
PID 764 wrote to memory of 4608	764	Medal.exe.bin.exe	101
PID 4608 wrote to memory of 2648	4608	cmd.exe	103
PID 4608 wrote to memory of 2648	4608	cmd.exe	103
PID 4608 wrote to memory of 2520	4608	cmd.exe	104
PID 4608 wrote to memory of 2520	4608	cmd.exe	104
PID 4608 wrote to memory of 452	4608	cmd.exe	105
PID 4608 wrote to memory of 452	4608	cmd.exe	105
PID 452 wrote to memory of 2196	452	sihost.exe	106
PID 452 wrote to memory of 2196	452	sihost.exe	106
PID 2196 wrote to memory of 3440	2196	cmd.exe	108
PID 2196 wrote to memory of 3440	2196	cmd.exe	108
PID 2196 wrote to memory of 4972	2196	cmd.exe	109
PID 2196 wrote to memory of 4972	2196	cmd.exe	109
PID 2196 wrote to memory of 3992	2196	cmd.exe	114
PID 2196 wrote to memory of 3992	2196	cmd.exe	114
PID 3992 wrote to memory of 4296	3992	sihost.exe	117
PID 3992 wrote to memory of 4296	3992	sihost.exe	117
PID 4296 wrote to memory of 2696	4296	cmd.exe	119
PID 4296 wrote to memory of 2696	4296	cmd.exe	119
PID 4296 wrote to memory of 2380	4296	cmd.exe	120
PID 4296 wrote to memory of 2380	4296	cmd.exe	120
PID 4296 wrote to memory of 4068	4296	cmd.exe	121
PID 4296 wrote to memory of 4068	4296	cmd.exe	121
PID 4068 wrote to memory of 1824	4068	sihost.exe	123
PID 4068 wrote to memory of 1824	4068	sihost.exe	123
PID 1824 wrote to memory of 1376	1824	cmd.exe	125
PID 1824 wrote to memory of 1376	1824	cmd.exe	125
PID 1824 wrote to memory of 3476	1824	cmd.exe	126
PID 1824 wrote to memory of 3476	1824	cmd.exe	126
PID 1824 wrote to memory of 716	1824	cmd.exe	128
PID 1824 wrote to memory of 716	1824	cmd.exe	128
PID 716 wrote to memory of 2372	716	sihost.exe	129
PID 716 wrote to memory of 2372	716	sihost.exe	129
PID 2372 wrote to memory of 4036	2372	cmd.exe	131
PID 2372 wrote to memory of 4036	2372	cmd.exe	131
PID 2372 wrote to memory of 4976	2372	cmd.exe	132
PID 2372 wrote to memory of 4976	2372	cmd.exe	132
PID 2372 wrote to memory of 4072	2372	cmd.exe	133
PID 2372 wrote to memory of 4072	2372	cmd.exe	133
PID 4072 wrote to memory of 2756	4072	sihost.exe	134
PID 4072 wrote to memory of 2756	4072	sihost.exe	134
PID 2756 wrote to memory of 3120	2756	cmd.exe	136
PID 2756 wrote to memory of 3120	2756	cmd.exe	136
PID 2756 wrote to memory of 5008	2756	cmd.exe	137
PID 2756 wrote to memory of 5008	2756	cmd.exe	137
PID 2756 wrote to memory of 2060	2756	cmd.exe	138
PID 2756 wrote to memory of 2060	2756	cmd.exe	138
PID 2060 wrote to memory of 4124	2060	sihost.exe	139
PID 2060 wrote to memory of 4124	2060	sihost.exe	139
PID 4124 wrote to memory of 1436	4124	cmd.exe	141
PID 4124 wrote to memory of 1436	4124	cmd.exe	141
PID 4124 wrote to memory of 1872	4124	cmd.exe	142
PID 4124 wrote to memory of 1872	4124	cmd.exe	142
PID 4124 wrote to memory of 372	4124	cmd.exe	143
PID 4124 wrote to memory of 372	4124	cmd.exe	143
PID 372 wrote to memory of 1396	372	sihost.exe	144
PID 372 wrote to memory of 1396	372	sihost.exe	144
PID 1396 wrote to memory of 3108	1396	cmd.exe	146
PID 1396 wrote to memory of 3108	1396	cmd.exe	146
PID 1396 wrote to memory of 2068	1396	cmd.exe	147
PID 1396 wrote to memory of 2068	1396	cmd.exe	147
PID 1396 wrote to memory of 3148	1396	cmd.exe	148
PID 1396 wrote to memory of 3148	1396	cmd.exe	148

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Medal.exe.bin.exe
"C:\Users\Admin\AppData\Local\Temp\Medal.exe.bin.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:764
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\g4wQvCfdjJ.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4608
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2648
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2520
- - C:\Recovery\WindowsRE\sihost.exe
    "C:\Recovery\WindowsRE\sihost.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:452
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3fMcktfRG2.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2196
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:3440
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4972
    - - C:\Recovery\WindowsRE\sihost.exe
        
        "C:\Recovery\WindowsRE\sihost.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3992
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EEIicgEf1j.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4296
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:2696
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2380
        
        C:\Recovery\WindowsRE\sihost.exe
        
        "C:\Recovery\WindowsRE\sihost.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4068
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AkiujJMGlN.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1824
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:1376
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3476
        
        C:\Recovery\WindowsRE\sihost.exe
        
        "C:\Recovery\WindowsRE\sihost.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:716
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XDDaR1k0wv.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2372
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:4036
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4976
        
        C:\Recovery\WindowsRE\sihost.exe
        
        "C:\Recovery\WindowsRE\sihost.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4072
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZS3ivmkr8q.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2756
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:3120
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:5008
        
        C:\Recovery\WindowsRE\sihost.exe
        
        "C:\Recovery\WindowsRE\sihost.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2060
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JBcEZiC4nP.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:4124
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:1436
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1872
        
        C:\Recovery\WindowsRE\sihost.exe
        
        "C:\Recovery\WindowsRE\sihost.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:372
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UO0HaVbJ1O.bat"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:1396
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:3108
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2068
        
        C:\Recovery\WindowsRE\sihost.exe
        
        "C:\Recovery\WindowsRE\sihost.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3148
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nNv9Oq8evb.bat"
        18⤵
        
        PID:900
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:3972
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1512
        
        C:\Recovery\WindowsRE\sihost.exe
        
        "C:\Recovery\WindowsRE\sihost.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5000
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XDDaR1k0wv.bat"
        20⤵
        
        PID:1292
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:2672
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4964
        
        C:\Recovery\WindowsRE\sihost.exe
        
        "C:\Recovery\WindowsRE\sihost.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2904
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yIUjElxALT.bat"
        22⤵
        
        PID:2392
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:1916
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2220
        
        C:\Recovery\WindowsRE\sihost.exe
        
        "C:\Recovery\WindowsRE\sihost.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4064
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\m961u58njg.bat"
        24⤵
        
        PID:1804
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:4996
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        25⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4976
        
        C:\Recovery\WindowsRE\sihost.exe
        
        "C:\Recovery\WindowsRE\sihost.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3860
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ahsqPXjhJl.bat"
        26⤵
        
        PID:1444
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:4932
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:4924
        
        C:\Recovery\WindowsRE\sihost.exe
        
        "C:\Recovery\WindowsRE\sihost.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4720
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PmJFabuBut.bat"
        28⤵
        
        PID:1364
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:2632
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:1052
        
        C:\Recovery\WindowsRE\sihost.exe
        
        "C:\Recovery\WindowsRE\sihost.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4124
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tLBDHjzlZn.bat"
        30⤵
        
        PID:452
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        31⤵
        
        PID:2196
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        31⤵
        
        PID:2940
        
        C:\Recovery\WindowsRE\sihost.exe
        
        "C:\Recovery\WindowsRE\sihost.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3728
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5nOOmGNqzh.bat"
        32⤵
        
        PID:3256
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        33⤵
        
        PID:4800
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        33⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2012
        
        C:\Recovery\WindowsRE\sihost.exe
        
        "C:\Recovery\WindowsRE\sihost.exe"
        33⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3724
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ockHtb7V7W.bat"
        34⤵
        
        PID:768
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        35⤵
        
        PID:456
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        35⤵
        
        PID:3500
        
        C:\Recovery\WindowsRE\sihost.exe
        
        "C:\Recovery\WindowsRE\sihost.exe"
        35⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2380
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\luGtQJ8wXl.bat"
        36⤵
        
        PID:4604
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        37⤵
        
        PID:3984
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        37⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\SoftwareDistribution\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\All Users\SoftwareDistribution\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\SoftwareDistribution\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Portable Devices\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Media Player\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Media Player\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Medal.exe.binM" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\AppData\Local\Temp\Medal.exe.bin.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Medal.exe.bin" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\Medal.exe.bin.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Medal.exe.binM" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\AppData\Local\Temp\Medal.exe.bin.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Photo Viewer\en-US\System.exe

Filesize
1.8MB

MD5
42b89874d3138f40f32285be945f2ceb

SHA1
1766b4c4a040ba19afc4318e9b2eab775fee88d7

SHA256
619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a

SHA512
df44c7f5677a0b8e181f52b5c865315672b7c90b37f99c3b5e31714bdbb47d32d652073c42f1e614d2911faddc0394411aa3e1b8c3f832549c0d52f409722ca9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sihost.exe.log

Filesize
1KB

MD5
f8b2fca3a50771154571c11f1c53887b

SHA1
2e83b0c8e2f4c10b145b7fb4832ed1c78743de3f

SHA256
0efa72802031a8f902c3a4ab18fe3d667dafc71c93eb3a1811e78353ecf4a6b6

SHA512
b98b8d5516593d13415199d4ac6fbe4ff924488487c4bd863cb677601048785d872a3ff30129148e2961cb6fb2fc33117540302980a132f57f7ec9a497813f1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\3fMcktfRG2.bat

Filesize
160B

MD5
383fbd80e97e6ddc20340a3bbdd05d92

SHA1
5f8450858ea3577768b228d206bd2cb82eed231f

SHA256
f54e38e1c70f9e5c95971b80b0cd664bf596eea90c9ae72af29fbf40b246e052

SHA512
7944d762d0c25fa04b162c0e23955b3985c90ac8762e5dd24f1930a5a23f9c64996fbff01dda6e8c4d96a85d01483d8d7cbd4738e2ce1d9b37cc81ec379bc655

Download Submit
C:\Users\Admin\AppData\Local\Temp\5nOOmGNqzh.bat

Filesize
160B

MD5
2f533b23bc5352586104ff8f1c5c82c1

SHA1
3d5bcddc506f85389d2a2ab2a99a765af10169e9

SHA256
f1f557f5317588f5a94eb02530ad8425c9251e697527bc884bfb9e240b71f897

SHA512
430c986851831294cff009d7ffdf872ff24987628ca5bbab1a2b39632d07b71ade1b7dbd899fc455d13370077ca607e89bb4f5e7a9e007471190e3a4f3df1711

Download Submit
C:\Users\Admin\AppData\Local\Temp\AkiujJMGlN.bat

Filesize
160B

MD5
06ba6621c609c9afb63b9089cb013bc6

SHA1
cec51fb3bafb2d8e82129da8b09d6cbd89027d26

SHA256
a02fcc21e5a10cb25d6348010a7e31f210a7c077d6533fbda4a919ba89a72584

SHA512
136a16ea7fe9b8a2a405258f2fc8c05bcd0fd2d30e676bfad6e2b0394827e2f361596da7b8ebfd393d2005aa1cc565bf78010e3c20ebb58ef7d374d01ce74686

Download Submit
C:\Users\Admin\AppData\Local\Temp\EEIicgEf1j.bat

Filesize
160B

MD5
9f95ff2d3c8c713c5a42632a29d97c17

SHA1
88c3be96feddc7260ef01934e997a5a2e78a7424

SHA256
1c2e15221e5d778d3b3870fa2ddc085b692ba393ce58c5338f79b7658d1aed98

SHA512
9a4257461855b10e170302f81a44abcea41db6e3f2ab308433962460d32146201f1fb57a8d36510715d1871d50ca87470c5a06a7302cd570b9fac55e3ca5aaea

Download Submit
C:\Users\Admin\AppData\Local\Temp\JBcEZiC4nP.bat

Filesize
208B

MD5
0fca92f7a29595b09221df2a9827a5ea

SHA1
862ab4a104a8f3c15df96456fe7bdb7ba3da6ba8

SHA256
d81de08534e42287f0cc43b461f76cb527622a614ed4eb7a6eb2e8447f2986c4

SHA512
65daed6eced222af0e162d427c78ecb6a4026808656327633aec4c02bbdb2c05f3178975bf2eed12bfb0c3bb8f47f0d5cd50a7443db9b3aa5c1219ee4c278a05

Download Submit
C:\Users\Admin\AppData\Local\Temp\PmJFabuBut.bat

Filesize
208B

MD5
8f643ddb7bdb2f89370330dbf8b77518

SHA1
f7e90de3a026d42ca13cc239ed66c7137f4eb31e

SHA256
e0a5e1efdf1e05a387c0aee428187ebdf5642192d1d7da122403c05586e1595d

SHA512
6b2ad3900fd97d1d032f46893b578f187c408ff516672ec3a5b247f5440df8d6a7b5152cea3f31d44d16e6619894880f818473c407873066108a74429486642b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UO0HaVbJ1O.bat

Filesize
160B

MD5
4772ab8ddf5eebf251f2331564573ae9

SHA1
97322808f91f768ffa991a4cde74da51c2341cf4

SHA256
52d8ae57bf1b792fd69f8fc60b34053a1ded840d7bd4b4e6ff9d5592e14ef22f

SHA512
12dc9a3ced8391671608ee646d2a669bb585181f8e93c899843ef93ca167f476fb3a8f27c7a8ee4afb3f7a03719ead66c228e63503e5491e1adc644685a34282

Download Submit
C:\Users\Admin\AppData\Local\Temp\XDDaR1k0wv.bat

Filesize
160B

MD5
f01f2fc207e1f5abd94e86991920a795

SHA1
b60faf0be27e9d3cde96af4a6870b0c1fb786989

SHA256
b3ba7d21ec5af922fc12da5897fd2c7dbd2caf0d749cd987b2ea67c847a87cee

SHA512
0aa8ae9687885c9767337b17e8434d55a82950002b52ddd9660e2193a7bb9c582c8d37f03b8328cd0d7e7c5bbc485e4d0c81c8c8a083c03b5e1d781e4198280e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZS3ivmkr8q.bat

Filesize
208B

MD5
4854493d588040bd7ea702ad2aeb5558

SHA1
e96ae6ed6275da5ef86f6bad54d002873e96bc55

SHA256
ae033936d5609afcefd309b8432057e72b7e50c95fc6f7e6e93936ba568f6833

SHA512
b1bca6c2c788ff50821367af928dbc6b4dee01675e053a3678c1577a9b960a550b80070861b7b42682870154d5092053f4b0177a9741bcda8ca282ec1ff85313

Download Submit
C:\Users\Admin\AppData\Local\Temp\ahsqPXjhJl.bat

Filesize
208B

MD5
c3f6e602c883d29086af25a4c048bda1

SHA1
e27078641cd3ec48946f0311b154b915b2b65412

SHA256
e1a221672e7e71286cf6b1a13421e81d6c3e845de793c76e7fd456c7cf2275e9

SHA512
69dfdecfd650dc01376ea48605853097a1b4e53807e621dbc5b153c6b99da766b26d36eacf4609dc3dd2fd69d8617fc0c5b5a98f33857347dc0f27a4c1292f63

Download Submit
C:\Users\Admin\AppData\Local\Temp\g4wQvCfdjJ.bat

Filesize
208B

MD5
637712254baa021ad6e6e498aefdd37f

SHA1
44abe79b3d4c61e70787a8eaaf29a63a6bf57646

SHA256
dde0ffdfa97cccc3dd27105bacfb905486826646482ce1fbef60585d9ddbd2c6

SHA512
6ed9e3e4e6c6c04b37ad749630c298ba3f29c880d7e9a16eb8467230756af1c615bf46d32e60761d4ebd01f5962a36feea2020b038e66d024c5cccc216642220

Download Submit
C:\Users\Admin\AppData\Local\Temp\luGtQJ8wXl.bat

Filesize
160B

MD5
ad4883e53bc1d2433c9c74b189d38303

SHA1
cd73c614bb422c24bef1d5570f688f37d896a359

SHA256
112c63f2bb175c7db9080fb38628d31f1f51486191ab0eb13a44817177c62f62

SHA512
4aa34e6cd02dc2279deae31d4c9fde7aade2ead49dffb0e11fdb4ad261456dced364734b92291725005487e91205ceaafcd10a2a6eb1f371c34eab07b9ae18e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\m961u58njg.bat

Filesize
160B

MD5
e0fbea772691aaa003a4819f0d8be136

SHA1
81a3fe69b7ff9ef31430ea995723908fbd6bc143

SHA256
b202da4389eddcf9c0620ba02f1fa77f8020cb0656e7447d080252f726ba6397

SHA512
6be9a292877a1c7a59b8ed21ceb6d7bf7bdfece615bac79838b1859fffa21e0206919a6e9707f05ac37fdcf6db22a05fcfa7550dbbb6ea3db364513675d51a3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nNv9Oq8evb.bat

Filesize
160B

MD5
15b990b45e3eaee2ae7893a2f82b6ca0

SHA1
858e09c6acfe6e38b99c6c31163643c2f5d09a16

SHA256
8fb56dbc52a43772c70094e14e248d9ebde185c11226d2eef2d7f82f2abefc7d

SHA512
616521f525562f8e527f068ef85794222ed1b2c8be1941fe12475ecb34098d920269efe2a8aeeabc8194fcd53aaae73745e684322e14a1dd8308debcfc71e8f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ockHtb7V7W.bat

Filesize
208B

MD5
19879966c0eaccc2c669a5e65710036f

SHA1
c2526d3038192645418de87a6f46670d73ce7084

SHA256
76ae3816440efee86dce55aa0c571e4979cf0758b8fe667ce0d119cc02a9b757

SHA512
d67fa80b7fa55bdfa075cd4e6005eebc2c26abace73d8f081e313b3af41c500fd8b22afa6f3ae30fc4dc9fd457b114499bb4ae11033d6a771b54747f6e1de96a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tLBDHjzlZn.bat

Filesize
208B

MD5
b3afab7e444ea565b84b84b3ada15b94

SHA1
edaccac9b1f1728d9f385f09f399e676248a8376

SHA256
21560d8318b515484c34cf94b0d39c18e3ad2291597a982603ce64deee625f0c

SHA512
f6c9c06e6ffcb073c48b2c602093911c10b56221976ed5c861e668bdbb14002df914b595710acf32ac69f7dfdd197380087efb30567296e27a110ed02a9c8375

Download Submit
C:\Users\Admin\AppData\Local\Temp\yIUjElxALT.bat

Filesize
208B

MD5
ae8667009dec7f48742db407d649b561

SHA1
2b4e71dd8524c7719f259f55a0fc854c33977eb4

SHA256
fcd03bce9da672345dbc7ddfaa2382935f4ebe81a0d6b7560d7c52899302e04e

SHA512
284859c77173191ac39d0ba0ba3cf388fb1b55fa699bc258e18a3137825d3f6d66c2e035d491c6cd474d05b78573165f5d4ef907cd44293ae27987cf7bf05a19

Download Submit
memory/372-106-0x000000001CA50000-0x000000001CBBA000-memory.dmp

Filesize
1.4MB

Download
memory/716-76-0x000000001BFE0000-0x000000001C14A000-memory.dmp

Filesize
1.4MB

Download
memory/764-35-0x00007FFF703D0000-0x00007FFF70E91000-memory.dmp

Filesize
10.8MB

Download
memory/764-0-0x00007FFF703D3000-0x00007FFF703D5000-memory.dmp

Filesize
8KB

Download
memory/764-6-0x0000000002430000-0x000000000243E000-memory.dmp

Filesize
56KB

Download
memory/764-12-0x00000000025E0000-0x00000000025F8000-memory.dmp

Filesize
96KB

Download
memory/764-23-0x00007FFF703D0000-0x00007FFF70E91000-memory.dmp

Filesize
10.8MB

Download
memory/764-32-0x00007FFF703D0000-0x00007FFF70E91000-memory.dmp

Filesize
10.8MB

Download
memory/764-10-0x000000001B290000-0x000000001B2E0000-memory.dmp

Filesize
320KB

Download
memory/764-3-0x00007FFF703D0000-0x00007FFF70E91000-memory.dmp

Filesize
10.8MB

Download
memory/764-7-0x00007FFF703D0000-0x00007FFF70E91000-memory.dmp

Filesize
10.8MB

Download
memory/764-4-0x00007FFF703D0000-0x00007FFF70E91000-memory.dmp

Filesize
10.8MB

Download
memory/764-1-0x0000000000090000-0x0000000000262000-memory.dmp

Filesize
1.8MB

Download
memory/764-28-0x00007FFF703D0000-0x00007FFF70E91000-memory.dmp

Filesize
10.8MB

Download
memory/764-16-0x00007FFF703D0000-0x00007FFF70E91000-memory.dmp

Filesize
10.8MB

Download
memory/764-27-0x00007FFF703D0000-0x00007FFF70E91000-memory.dmp

Filesize
10.8MB

Download
memory/764-26-0x00007FFF703D0000-0x00007FFF70E91000-memory.dmp

Filesize
10.8MB

Download
memory/764-2-0x00007FFF703D0000-0x00007FFF70E91000-memory.dmp

Filesize
10.8MB

Download
memory/764-9-0x00000000025C0000-0x00000000025DC000-memory.dmp

Filesize
112KB

Download
memory/2060-96-0x000000001C540000-0x000000001C6AA000-memory.dmp

Filesize
1.4MB

Download
memory/3148-116-0x000000001C5E0000-0x000000001C74A000-memory.dmp

Filesize
1.4MB

Download
memory/4072-86-0x000000001C620000-0x000000001C78A000-memory.dmp

Filesize
1.4MB

Download