dcrat | 619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14/01/2025, 02:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
Size

1.8MB
MD5

42b89874d3138f40f32285be945f2ceb
SHA1

1766b4c4a040ba19afc4318e9b2eab775fee88d7
SHA256

619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a
SHA512

df44c7f5677a0b8e181f52b5c865315672b7c90b37f99c3b5e31714bdbb47d32d652073c42f1e614d2911faddc0394411aa3e1b8c3f832549c0d52f409722ca9
SSDEEP

49152:QdBn+oix+Z7vL4tzzQVGVzDd3Omjq+FLof:QdB+jx+Jv6zQVy1FLof

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	2448	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	2448	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	2448	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2532	2448	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2464	2448	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	2448	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	2448	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	2448	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1012	2448	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	2448	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	672	2448	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1312	2448	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1436	2448	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	2448	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	2448	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	2448	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	588	2448	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	324	2448	schtasks.exe	29

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Services\wininit.exe	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
File created	C:\Program Files\Common Files\Services\56085415360792	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
File created	C:\Program Files\Windows Journal\WmiPrvSE.exe	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
File created	C:\Program Files\Windows Journal\24dbde2999530e	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
File created	C:\Program Files (x86)\Windows Defender\it-IT\audiodg.exe	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
File created	C:\Program Files (x86)\Windows Defender\it-IT\42af1c969fbb7b	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\Idle.exe	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\Idle.exe	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
File created	C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\6ccacd8608530f	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1004	PING.EXE
2844	PING.EXE
1572	PING.EXE
2800	PING.EXE

Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery

T1018

pid	Process
2800	PING.EXE
1004	PING.EXE
2844	PING.EXE
1572	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2200	schtasks.exe
1012	schtasks.exe
672	schtasks.exe
1312	schtasks.exe
324	schtasks.exe
2468	schtasks.exe
1964	schtasks.exe
1796	schtasks.exe
588	schtasks.exe
2464	schtasks.exe
1952	schtasks.exe
1436	schtasks.exe
2192	schtasks.exe
2324	schtasks.exe
2784	schtasks.exe
2424	schtasks.exe
2532	schtasks.exe
2328	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2908	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
2908	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
2908	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
2908	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
2908	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
2908	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
2908	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
2908	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
2908	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
2908	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
2908	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
2908	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
2908	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
2908	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
2908	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
2908	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
2908	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
2908	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
2908	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
2908	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
2908	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
2908	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
2908	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
2908	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
2908	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
2908	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
2908	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
2908	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
2908	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
2908	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
2908	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
2908	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
2908	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
2908	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
2908	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
2908	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
2908	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
2908	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
2908	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
2908	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
2908	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
2908	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
2908	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
2908	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
2908	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
2908	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
2908	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
2908	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
3000	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
3000	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
3000	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
3000	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
3000	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
3000	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
3000	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
3000	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
3000	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
3000	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
3000	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
3000	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
3000	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
3000	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
3000	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
3000	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	2908	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
Token: SeDebugPrivilege	3000	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
Token: SeDebugPrivilege	916	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
Token: SeDebugPrivilege	1716	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
Token: SeDebugPrivilege	2948	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
Token: SeDebugPrivilege	2548	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
Token: SeDebugPrivilege	2164	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
Token: SeDebugPrivilege	480	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
Token: SeDebugPrivilege	268	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
Token: SeDebugPrivilege	2472	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
Token: SeDebugPrivilege	688	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
Token: SeDebugPrivilege	2112	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
Token: SeDebugPrivilege	1504	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2908 wrote to memory of 768	2908	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe	48
PID 2908 wrote to memory of 768	2908	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe	48
PID 2908 wrote to memory of 768	2908	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe	48
PID 768 wrote to memory of 2880	768	cmd.exe	50
PID 768 wrote to memory of 2880	768	cmd.exe	50
PID 768 wrote to memory of 2880	768	cmd.exe	50
PID 768 wrote to memory of 2800	768	cmd.exe	51
PID 768 wrote to memory of 2800	768	cmd.exe	51
PID 768 wrote to memory of 2800	768	cmd.exe	51
PID 768 wrote to memory of 3000	768	cmd.exe	52
PID 768 wrote to memory of 3000	768	cmd.exe	52
PID 768 wrote to memory of 3000	768	cmd.exe	52
PID 3000 wrote to memory of 2400	3000	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe	53
PID 3000 wrote to memory of 2400	3000	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe	53
PID 3000 wrote to memory of 2400	3000	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe	53
PID 2400 wrote to memory of 1396	2400	cmd.exe	55
PID 2400 wrote to memory of 1396	2400	cmd.exe	55
PID 2400 wrote to memory of 1396	2400	cmd.exe	55
PID 2400 wrote to memory of 2388	2400	cmd.exe	56
PID 2400 wrote to memory of 2388	2400	cmd.exe	56
PID 2400 wrote to memory of 2388	2400	cmd.exe	56
PID 2400 wrote to memory of 916	2400	cmd.exe	57
PID 2400 wrote to memory of 916	2400	cmd.exe	57
PID 2400 wrote to memory of 916	2400	cmd.exe	57
PID 916 wrote to memory of 532	916	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe	58
PID 916 wrote to memory of 532	916	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe	58
PID 916 wrote to memory of 532	916	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe	58
PID 532 wrote to memory of 616	532	cmd.exe	60
PID 532 wrote to memory of 616	532	cmd.exe	60
PID 532 wrote to memory of 616	532	cmd.exe	60
PID 532 wrote to memory of 2140	532	cmd.exe	61
PID 532 wrote to memory of 2140	532	cmd.exe	61
PID 532 wrote to memory of 2140	532	cmd.exe	61
PID 532 wrote to memory of 1716	532	cmd.exe	62
PID 532 wrote to memory of 1716	532	cmd.exe	62
PID 532 wrote to memory of 1716	532	cmd.exe	62
PID 1716 wrote to memory of 692	1716	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe	63
PID 1716 wrote to memory of 692	1716	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe	63
PID 1716 wrote to memory of 692	1716	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe	63
PID 692 wrote to memory of 1456	692	cmd.exe	65
PID 692 wrote to memory of 1456	692	cmd.exe	65
PID 692 wrote to memory of 1456	692	cmd.exe	65
PID 692 wrote to memory of 1004	692	cmd.exe	66
PID 692 wrote to memory of 1004	692	cmd.exe	66
PID 692 wrote to memory of 1004	692	cmd.exe	66
PID 692 wrote to memory of 2948	692	cmd.exe	67
PID 692 wrote to memory of 2948	692	cmd.exe	67
PID 692 wrote to memory of 2948	692	cmd.exe	67
PID 2948 wrote to memory of 2656	2948	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe	68
PID 2948 wrote to memory of 2656	2948	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe	68
PID 2948 wrote to memory of 2656	2948	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe	68
PID 2656 wrote to memory of 2564	2656	cmd.exe	70
PID 2656 wrote to memory of 2564	2656	cmd.exe	70
PID 2656 wrote to memory of 2564	2656	cmd.exe	70
PID 2656 wrote to memory of 2824	2656	cmd.exe	71
PID 2656 wrote to memory of 2824	2656	cmd.exe	71
PID 2656 wrote to memory of 2824	2656	cmd.exe	71
PID 2656 wrote to memory of 2548	2656	cmd.exe	72
PID 2656 wrote to memory of 2548	2656	cmd.exe	72
PID 2656 wrote to memory of 2548	2656	cmd.exe	72
PID 2548 wrote to memory of 1632	2548	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe	73
PID 2548 wrote to memory of 1632	2548	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe	73
PID 2548 wrote to memory of 1632	2548	619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe	73
PID 1632 wrote to memory of 2332	1632	cmd.exe	75

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
"C:\Users\Admin\AppData\Local\Temp\619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4tXiDq0XrF.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:768
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2880
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2800
- - C:\Users\Admin\AppData\Local\Temp\619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
    "C:\Users\Admin\AppData\Local\Temp\619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3000
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\L70BpVXrOQ.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2400
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:1396
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:2388
    - - C:\Users\Admin\AppData\Local\Temp\619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
        
        "C:\Users\Admin\AppData\Local\Temp\619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:916
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\52fFI3PgWJ.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:532
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:616
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2140
        
        C:\Users\Admin\AppData\Local\Temp\619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
        
        "C:\Users\Admin\AppData\Local\Temp\619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1716
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9JnEQwxo67.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:692
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:1456
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1004
        
        C:\Users\Admin\AppData\Local\Temp\619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
        
        "C:\Users\Admin\AppData\Local\Temp\619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe"
        9⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2948
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NqvJKoZOIs.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2656
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:2564
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
        
        "C:\Users\Admin\AppData\Local\Temp\619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe"
        11⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2548
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1v3DIijE8M.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:1632
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:2332
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
        
        "C:\Users\Admin\AppData\Local\Temp\619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe"
        13⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2164
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KtA3LkY0CV.bat"
        14⤵
        
        PID:2152
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:3024
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2648
        
        C:\Users\Admin\AppData\Local\Temp\619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
        
        "C:\Users\Admin\AppData\Local\Temp\619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe"
        15⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:480
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7d3QeoYVFw.bat"
        16⤵
        
        PID:1620
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:992
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2320
        
        C:\Users\Admin\AppData\Local\Temp\619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
        
        "C:\Users\Admin\AppData\Local\Temp\619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe"
        17⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:268
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LDMoGsnKVz.bat"
        18⤵
        
        PID:2980
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:3036
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
        
        "C:\Users\Admin\AppData\Local\Temp\619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe"
        19⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2472
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3LXAY36iRv.bat"
        20⤵
        
        PID:2380
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:848
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2844
        
        C:\Users\Admin\AppData\Local\Temp\619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
        
        "C:\Users\Admin\AppData\Local\Temp\619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe"
        21⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:688
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\v5TcjuvxiT.bat"
        22⤵
        
        PID:3044
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:2860
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
        
        "C:\Users\Admin\AppData\Local\Temp\619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe"
        23⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2112
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UVjCyjlRMB.bat"
        24⤵
        
        PID:692
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:1692
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:1308
        
        C:\Users\Admin\AppData\Local\Temp\619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe
        
        "C:\Users\Admin\AppData\Local\Temp\619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe"
        25⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1504
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\grDS520PRI.bat"
        26⤵
        
        PID:2544
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:2476
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\it-IT\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Journal\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Journal\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Common Files\Services\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Common Files\Services\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Common Files\Services\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a6" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\AppData\Local\Temp\619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a6" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\AppData\Local\Temp\619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Defender\it-IT\audiodg.exe

Filesize
1.8MB

MD5
42b89874d3138f40f32285be945f2ceb

SHA1
1766b4c4a040ba19afc4318e9b2eab775fee88d7

SHA256
619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a

SHA512
df44c7f5677a0b8e181f52b5c865315672b7c90b37f99c3b5e31714bdbb47d32d652073c42f1e614d2911faddc0394411aa3e1b8c3f832549c0d52f409722ca9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1v3DIijE8M.bat

Filesize
278B

MD5
49aa27fa7518e4c10b8bc3f295e36aa8

SHA1
919a709b0859cc29715b7733150edd2577a14d20

SHA256
ba612e0580c7947f51307ab0f3425b809793d1a34a6273ee51d58f9c0179f486

SHA512
e2a0a17cc25d3eb47e76ae326a40a0f3b964d021e5b28bd8614cbf5c2dfe7a48804db75abdc6503e848b370ca187fbfb5fc621e318697daa7c83f9bb21e7c746

Download Submit
C:\Users\Admin\AppData\Local\Temp\3LXAY36iRv.bat

Filesize
230B

MD5
296be6bbf0e534b2813b5caf1fac84c5

SHA1
fe8b21d6da0cb0856a52eef2ec9037063e401b60

SHA256
768423ba4c6ce567cba3cbbdf9d5922d38514acfd54e3d88615bdf46ad8c8f8e

SHA512
f18e44b8ad5bb1982067c1500ae7108e0095aecb009887722352501cefa852afb58d4b675dc1e6bcb63ce076b1a863426f152bba25d1ddada25a6f5e4e748dd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\4tXiDq0XrF.bat

Filesize
230B

MD5
ad5980bffacac55b8adf1d7c67878e73

SHA1
7211fa4b94d56e2a8a9b0b65128c97b6ffb7f2c3

SHA256
7255b042bc4f20294f732b317517a0786cbce5cb18f0fb3b64ffb56da07d391e

SHA512
24145ebaa10b8baa36e6811388c71ff9865ba336d30b0a2f16168995859f02dbf466e22521addf8f9d0b8169560e431577ebed7e8b831211b830ed7b58a1760c

Download Submit
C:\Users\Admin\AppData\Local\Temp\52fFI3PgWJ.bat

Filesize
278B

MD5
fd5bfc32a9fb778c75cec697884b2ecf

SHA1
f1c2d814570233c6d757722622685bfdae90234b

SHA256
4cfeb1cc85168dac1438335e2a0fa9efaae0e0e9c5856beef078baf9c0a00b3a

SHA512
ac1ac1192734e49786dcf55f28729e9a359ad4f663179968b7a9a0a6d7048dd5e4f023d45a650920d2ab5be3bbe00c936fd15bf82f62bfa2ae5ab28c4ea6f43f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7d3QeoYVFw.bat

Filesize
278B

MD5
58fcb2bded8a0cdd5e793eac1f3130a7

SHA1
d2b314f53b6375aedab19972ecd48eb38f0c87ad

SHA256
26f82973b61012d86cc07baedfb26c3b5793943f49f6820e232ba0bdc1bfd044

SHA512
56c7c967dab4f3f9ff8ef30c5f21e9f5041000fa4120a1c42730cae67685eac8cb8ba1df599f423e9d1e363b01dc4ed6914d6ad76dc0ea7c627db9d8ebf2b446

Download Submit
C:\Users\Admin\AppData\Local\Temp\9JnEQwxo67.bat

Filesize
230B

MD5
65127a44c4da487d8848fac1181b6d8c

SHA1
869c916d69313c15a424a7ac8ccbc2052352ec50

SHA256
d2c80a6472e51bfbc7d9f26bbeb212a92b7ff5a57574fab7f30ccadb7cc81384

SHA512
d13ab663a0a10879bd8a9701370096808e16a2898b56264542d436d1476ef16464cc30691ce9612146b0540ed07dd9ebaefba7c8b6928e7680d5fc970f3d8db6

Download Submit
C:\Users\Admin\AppData\Local\Temp\KtA3LkY0CV.bat

Filesize
278B

MD5
0359a6240b8712ccaf81b0b759fd4349

SHA1
7daa60e79e6e27e655a2a3edfdc02e4ad78d3aa3

SHA256
46ef9e94b60691a7343f6b5a7690568f4a332f5521383812aeb097b0587a9e0c

SHA512
7bdb2d377036a0643bec26a72afdf04c96d4e5f6d237acf1f39012bdb2c1daca7fab4fb1c8f45f7176f87d6aba0188ec1041d1b4dc1384c03096a752ff6adf7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\L70BpVXrOQ.bat

Filesize
278B

MD5
31773da79977f09a5108a465525c6d7d

SHA1
649eee76ba2e89399d54c4bd76bb35235c497d85

SHA256
ba59337ba4dfd236660f191be18a355a6e29128b6fa98b6481913e5c8eb6f5fe

SHA512
128bdd9bebde4153c65640c839a3fa207a9d10be1f0b6203c68a97cb50df17751527f7ce649b03e739a096add122a2ef7e542e79d2a19b58e5295d67fd7a10a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\LDMoGsnKVz.bat

Filesize
278B

MD5
52fd21ac741fc65e571aac274bdbe185

SHA1
b46180f4ae2a279143616a4fff13662fec31a5ee

SHA256
48385be376309bf23c91dfb24499bbdc08328961208a7a1f4a06bc897529a8fa

SHA512
88d114e1c6a61b273913a6da45a24af35ba695ef2f2f557f834ab30cbc0d0fb8f211b307fa58d07952da3ab0ae41016f33ba14995427a2c86bd775e70609a58c

Download Submit
C:\Users\Admin\AppData\Local\Temp\NqvJKoZOIs.bat

Filesize
278B

MD5
576fe337675d0253acb0855ca6c25286

SHA1
8090d19c6b2472c886eec10a5d482395ee81c1c7

SHA256
4e618388478c0ad60642ca622b3b9459b8895d83f906165ac180915a11238ff5

SHA512
12e4747ff6e17daff65a1cb79ac0c165a006e02ac1119f4295899a055397211f36df1b4e35082a5ea25e68110da7f704b8cd7f0644e765b54aa41f391aca7cfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\UVjCyjlRMB.bat

Filesize
278B

MD5
ca1c0a5e3383534510425f07156d73b9

SHA1
ca394db80ebb6f2c2f5892f1b6ac783b9cbc9a24

SHA256
5426959969ab8ae47035c14ac796b7956a96881fcceabbc8bb0c0169308a89f0

SHA512
5e73307894505e08dcc6c8e80440d99b06e34f1d549ee9710620bdeb61bbe00dd32f9f60e709178b9e4628cd642a4e096a78b582c5c6602acc1d0f337019444a

Download Submit
C:\Users\Admin\AppData\Local\Temp\grDS520PRI.bat

Filesize
278B

MD5
28f13f812fd807fde20bd6d502997e4e

SHA1
f25ab9f14c97eda42212b357ab6cd80f365d913b

SHA256
bdee33a99e9cbef919da538f9d39b46537a6b82cc4d0a45cbfb3dbf2ae3ddaeb

SHA512
ed5336a516c9df0966b91306841e06edf87c60c551da72d7c88ce20f75a4075d268610641ade534f0c475ff4da07461c0ed3110d2d338e8e563d3357f4c91e59

Download Submit
C:\Users\Admin\AppData\Local\Temp\v5TcjuvxiT.bat

Filesize
230B

MD5
d624250a91308b6b605f816db0adb069

SHA1
280139da1e7ad56130b856383db9dfd80300481a

SHA256
3cfe56c237d04e20722782f189e7dbfe98730a0c1cb190fff6c73a61b7fa8d58

SHA512
0f13edee23e110b45f920ef5db85fe2e05475d869701feb85fdbf803e8db2a33ca0de8ea4a482141c9f0d689be29a4b8f7fa9287f03f0d6cf4762fc3a6fe451c

Download Submit
memory/480-87-0x00000000011F0000-0x00000000013C2000-memory.dmp

Filesize
1.8MB

Download
memory/688-114-0x0000000000860000-0x0000000000A32000-memory.dmp

Filesize
1.8MB

Download
memory/916-41-0x0000000000190000-0x0000000000362000-memory.dmp

Filesize
1.8MB

Download
memory/1716-50-0x0000000000100000-0x00000000002D2000-memory.dmp

Filesize
1.8MB

Download
memory/2112-123-0x0000000000ED0000-0x00000000010A2000-memory.dmp

Filesize
1.8MB

Download
memory/2164-78-0x0000000000E70000-0x0000000001042000-memory.dmp

Filesize
1.8MB

Download
memory/2472-105-0x0000000000030000-0x0000000000202000-memory.dmp

Filesize
1.8MB

Download
memory/2548-69-0x0000000000DC0000-0x0000000000F92000-memory.dmp

Filesize
1.8MB

Download
memory/2908-0-0x000007FEF5D53000-0x000007FEF5D54000-memory.dmp

Filesize
4KB

Download
memory/2908-4-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

Filesize
9.9MB

Download
memory/2908-3-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

Filesize
9.9MB

Download
memory/2908-11-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

Filesize
9.9MB

Download
memory/2908-6-0x0000000000390000-0x000000000039E000-memory.dmp

Filesize
56KB

Download
memory/2908-30-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

Filesize
9.9MB

Download
memory/2908-2-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

Filesize
9.9MB

Download
memory/2908-25-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

Filesize
9.9MB

Download
memory/2908-8-0x00000000003C0000-0x00000000003DC000-memory.dmp

Filesize
112KB

Download
memory/2908-1-0x0000000000EE0000-0x00000000010B2000-memory.dmp

Filesize
1.8MB

Download
memory/2908-10-0x0000000000560000-0x0000000000578000-memory.dmp

Filesize
96KB

Download
memory/2908-20-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

Filesize
9.9MB

Download
memory/2908-19-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

Filesize
9.9MB

Download
memory/2948-60-0x00000000001C0000-0x0000000000392000-memory.dmp

Filesize
1.8MB

Download
memory/3000-32-0x00000000001E0000-0x00000000003B2000-memory.dmp

Filesize
1.8MB

Download