dcrat | b56efb3ca8906a817613e7e0899cffa1f5d23d39164153dc2567cf10a0314fb4

Resubmissions

14-01-2025 03:03

250114-dkgznaxmaq 10

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14-01-2025 03:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b56efb3ca8906a817613e7e0899cffa1f5d23d39164153dc2567cf10a0314fb4.exe
Size

6.5MB
MD5

dd045e7803ef620069b0e90d9128375f
SHA1

983de7fc238cac0de7b2d74b86617501dbbfc9c6
SHA256

b56efb3ca8906a817613e7e0899cffa1f5d23d39164153dc2567cf10a0314fb4
SHA512

3ef80acad4b09dbb84835520f249c3970f0574156e77155f496dddb46927d407773315f34c4c38277e34825ac6401159b5df06776140b20fb9f820f0a4859886
SSDEEP

196608:nuaAxSTZLvD6/x1R92cJUMo7xS6eUEMW42:nRAh5n9/GMolS6eyWZ

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1544	228	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	228	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3960	228	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	228	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3576	228	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3136	228	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4556	228	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1224	228	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4360	228	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	228	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	228	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2308	228	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3416	228	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	228	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	892	228	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4320	228	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	228	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	416	228	schtasks.exe	93

DCRat payload 4 IoCs

rat

resource	yara_rule
behavioral2/files/0x0007000000023c9a-58.dat	family_dcrat_v2
behavioral2/memory/4808-59-0x0000000000400000-0x00000000004FD000-memory.dmp	family_dcrat_v2
behavioral2/memory/848-60-0x0000000000180000-0x0000000000246000-memory.dmp	family_dcrat_v2
behavioral2/memory/4808-55-0x0000000000400000-0x00000000004FD000-memory.dmp	family_dcrat_v2

Checks computer location settings 2 TTPs 20 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	yv6fCRbFlC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	b56efb3ca8906a817613e7e0899cffa1f5d23d39164153dc2567cf10a0314fb4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	sihost.exe

Executes dropped EXE 21 IoCs

pid	Process
3968	svchost.exe
1868	explorer.exe
4432	FTaYPRl6l7.exe
848	yv6fCRbFlC.exe
4016	sihost.exe
1204	sihost.exe
1992	sihost.exe
5100	sihost.exe
1648	sihost.exe
796	sihost.exe
4160	sihost.exe
468	sihost.exe
1720	sihost.exe
768	sihost.exe
4324	sihost.exe
5060	sihost.exe
4320	sihost.exe
3444	sihost.exe
4412	sihost.exe
5084	sihost.exe
2272	sihost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
3968	svchost.exe
3968	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1868 set thread context of 4808	1868	explorer.exe	88

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\Resources\Ease of Access Themes\dwm.exe	yv6fCRbFlC.exe
File created	C:\Windows\Resources\Ease of Access Themes\6cb0b6c459d5d3	yv6fCRbFlC.exe
File created	C:\Windows\Fonts\smss.exe	yv6fCRbFlC.exe
File created	C:\Windows\Fonts\69ddcba757bf72	yv6fCRbFlC.exe
File created	C:\Windows\AppReadiness\sihost.exe	yv6fCRbFlC.exe
File opened for modification	C:\Windows\AppReadiness\sihost.exe	yv6fCRbFlC.exe
File created	C:\Windows\AppReadiness\66fc9ff0ee96c2	yv6fCRbFlC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b56efb3ca8906a817613e7e0899cffa1f5d23d39164153dc2567cf10a0314fb4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 11 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4304	PING.EXE
3660	PING.EXE
2788	PING.EXE
3508	PING.EXE
3688	PING.EXE
3872	PING.EXE
1840	PING.EXE
1968	PING.EXE
3296	PING.EXE
3492	PING.EXE
1608	PING.EXE

Modifies registry class 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	yv6fCRbFlC.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	sihost.exe

Runs ping.exe 1 TTPs 11 IoCs

Remote System Discovery

T1018

pid	Process
3660	PING.EXE
1608	PING.EXE
3872	PING.EXE
1840	PING.EXE
3492	PING.EXE
1968	PING.EXE
4304	PING.EXE
2788	PING.EXE
3508	PING.EXE
3296	PING.EXE
3688	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3136	schtasks.exe
2676	schtasks.exe
2004	schtasks.exe
1600	schtasks.exe
3576	schtasks.exe
4320	schtasks.exe
416	schtasks.exe
1544	schtasks.exe
3960	schtasks.exe
4556	schtasks.exe
2308	schtasks.exe
3416	schtasks.exe
1636	schtasks.exe
2136	schtasks.exe
1224	schtasks.exe
4360	schtasks.exe
2572	schtasks.exe
892	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3968	svchost.exe
3968	svchost.exe
848	yv6fCRbFlC.exe
848	yv6fCRbFlC.exe
848	yv6fCRbFlC.exe
848	yv6fCRbFlC.exe
848	yv6fCRbFlC.exe
848	yv6fCRbFlC.exe
848	yv6fCRbFlC.exe
848	yv6fCRbFlC.exe
848	yv6fCRbFlC.exe
848	yv6fCRbFlC.exe
848	yv6fCRbFlC.exe
848	yv6fCRbFlC.exe
848	yv6fCRbFlC.exe
848	yv6fCRbFlC.exe
848	yv6fCRbFlC.exe
848	yv6fCRbFlC.exe
848	yv6fCRbFlC.exe
848	yv6fCRbFlC.exe
848	yv6fCRbFlC.exe
848	yv6fCRbFlC.exe
848	yv6fCRbFlC.exe
848	yv6fCRbFlC.exe
848	yv6fCRbFlC.exe
848	yv6fCRbFlC.exe
848	yv6fCRbFlC.exe
848	yv6fCRbFlC.exe
848	yv6fCRbFlC.exe
848	yv6fCRbFlC.exe
848	yv6fCRbFlC.exe
848	yv6fCRbFlC.exe
848	yv6fCRbFlC.exe
848	yv6fCRbFlC.exe
848	yv6fCRbFlC.exe
848	yv6fCRbFlC.exe
848	yv6fCRbFlC.exe
848	yv6fCRbFlC.exe
848	yv6fCRbFlC.exe
848	yv6fCRbFlC.exe
848	yv6fCRbFlC.exe
848	yv6fCRbFlC.exe
848	yv6fCRbFlC.exe
848	yv6fCRbFlC.exe
848	yv6fCRbFlC.exe
848	yv6fCRbFlC.exe
848	yv6fCRbFlC.exe
848	yv6fCRbFlC.exe
848	yv6fCRbFlC.exe
848	yv6fCRbFlC.exe
848	yv6fCRbFlC.exe
848	yv6fCRbFlC.exe
848	yv6fCRbFlC.exe
848	yv6fCRbFlC.exe
848	yv6fCRbFlC.exe
848	yv6fCRbFlC.exe
848	yv6fCRbFlC.exe
848	yv6fCRbFlC.exe
848	yv6fCRbFlC.exe
848	yv6fCRbFlC.exe
848	yv6fCRbFlC.exe
848	yv6fCRbFlC.exe
848	yv6fCRbFlC.exe
848	yv6fCRbFlC.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	848	yv6fCRbFlC.exe
Token: SeDebugPrivilege	4016	sihost.exe
Token: SeDebugPrivilege	1204	sihost.exe
Token: SeDebugPrivilege	1992	sihost.exe
Token: SeDebugPrivilege	5100	sihost.exe
Token: SeDebugPrivilege	1648	sihost.exe
Token: SeDebugPrivilege	796	sihost.exe
Token: SeDebugPrivilege	4160	sihost.exe
Token: SeDebugPrivilege	468	sihost.exe
Token: SeDebugPrivilege	1720	sihost.exe
Token: SeDebugPrivilege	768	sihost.exe
Token: SeDebugPrivilege	4324	sihost.exe
Token: SeDebugPrivilege	5060	sihost.exe
Token: SeDebugPrivilege	4320	sihost.exe
Token: SeDebugPrivilege	3444	sihost.exe
Token: SeDebugPrivilege	4412	sihost.exe
Token: SeDebugPrivilege	5084	sihost.exe
Token: SeDebugPrivilege	2272	sihost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2260 wrote to memory of 3968	2260	b56efb3ca8906a817613e7e0899cffa1f5d23d39164153dc2567cf10a0314fb4.exe	83
PID 2260 wrote to memory of 3968	2260	b56efb3ca8906a817613e7e0899cffa1f5d23d39164153dc2567cf10a0314fb4.exe	83
PID 2260 wrote to memory of 1868	2260	b56efb3ca8906a817613e7e0899cffa1f5d23d39164153dc2567cf10a0314fb4.exe	85
PID 2260 wrote to memory of 1868	2260	b56efb3ca8906a817613e7e0899cffa1f5d23d39164153dc2567cf10a0314fb4.exe	85
PID 2260 wrote to memory of 1868	2260	b56efb3ca8906a817613e7e0899cffa1f5d23d39164153dc2567cf10a0314fb4.exe	85
PID 1868 wrote to memory of 2836	1868	explorer.exe	87
PID 1868 wrote to memory of 2836	1868	explorer.exe	87
PID 1868 wrote to memory of 2836	1868	explorer.exe	87
PID 1868 wrote to memory of 4808	1868	explorer.exe	88
PID 1868 wrote to memory of 4808	1868	explorer.exe	88
PID 1868 wrote to memory of 4808	1868	explorer.exe	88
PID 1868 wrote to memory of 4808	1868	explorer.exe	88
PID 1868 wrote to memory of 4808	1868	explorer.exe	88
PID 1868 wrote to memory of 4808	1868	explorer.exe	88
PID 1868 wrote to memory of 4808	1868	explorer.exe	88
PID 1868 wrote to memory of 4808	1868	explorer.exe	88
PID 1868 wrote to memory of 4808	1868	explorer.exe	88
PID 1868 wrote to memory of 4808	1868	explorer.exe	88
PID 4808 wrote to memory of 4432	4808	RegAsm.exe	89
PID 4808 wrote to memory of 4432	4808	RegAsm.exe	89
PID 4808 wrote to memory of 848	4808	RegAsm.exe	90
PID 4808 wrote to memory of 848	4808	RegAsm.exe	90
PID 3968 wrote to memory of 2528	3968	svchost.exe	92
PID 3968 wrote to memory of 2528	3968	svchost.exe	92
PID 848 wrote to memory of 648	848	yv6fCRbFlC.exe	112
PID 848 wrote to memory of 648	848	yv6fCRbFlC.exe	112
PID 648 wrote to memory of 3628	648	cmd.exe	114
PID 648 wrote to memory of 3628	648	cmd.exe	114
PID 648 wrote to memory of 5048	648	cmd.exe	115
PID 648 wrote to memory of 5048	648	cmd.exe	115
PID 648 wrote to memory of 4016	648	cmd.exe	119
PID 648 wrote to memory of 4016	648	cmd.exe	119
PID 4016 wrote to memory of 1800	4016	sihost.exe	122
PID 4016 wrote to memory of 1800	4016	sihost.exe	122
PID 1800 wrote to memory of 1896	1800	cmd.exe	125
PID 1800 wrote to memory of 1896	1800	cmd.exe	125
PID 1800 wrote to memory of 1968	1800	cmd.exe	126
PID 1800 wrote to memory of 1968	1800	cmd.exe	126
PID 1800 wrote to memory of 1204	1800	cmd.exe	134
PID 1800 wrote to memory of 1204	1800	cmd.exe	134
PID 1204 wrote to memory of 3512	1204	sihost.exe	136
PID 1204 wrote to memory of 3512	1204	sihost.exe	136
PID 3512 wrote to memory of 4484	3512	cmd.exe	138
PID 3512 wrote to memory of 4484	3512	cmd.exe	138
PID 3512 wrote to memory of 4304	3512	cmd.exe	139
PID 3512 wrote to memory of 4304	3512	cmd.exe	139
PID 3512 wrote to memory of 1992	3512	cmd.exe	141
PID 3512 wrote to memory of 1992	3512	cmd.exe	141
PID 1992 wrote to memory of 416	1992	sihost.exe	144
PID 1992 wrote to memory of 416	1992	sihost.exe	144
PID 416 wrote to memory of 468	416	cmd.exe	146
PID 416 wrote to memory of 468	416	cmd.exe	146
PID 416 wrote to memory of 3412	416	cmd.exe	147
PID 416 wrote to memory of 3412	416	cmd.exe	147
PID 416 wrote to memory of 5100	416	cmd.exe	150
PID 416 wrote to memory of 5100	416	cmd.exe	150
PID 5100 wrote to memory of 396	5100	sihost.exe	152
PID 5100 wrote to memory of 396	5100	sihost.exe	152
PID 396 wrote to memory of 544	396	cmd.exe	154
PID 396 wrote to memory of 544	396	cmd.exe	154
PID 396 wrote to memory of 3660	396	cmd.exe	155
PID 396 wrote to memory of 3660	396	cmd.exe	155
PID 396 wrote to memory of 1648	396	cmd.exe	157
PID 396 wrote to memory of 1648	396	cmd.exe	157

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b56efb3ca8906a817613e7e0899cffa1f5d23d39164153dc2567cf10a0314fb4.exe
"C:\Users\Admin\AppData\Local\Temp\b56efb3ca8906a817613e7e0899cffa1f5d23d39164153dc2567cf10a0314fb4.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2260
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3968
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:2528
- C:\Users\Admin\AppData\Local\Temp\explorer.exe
  "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1868
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:2836
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4808
  - - C:\Users\Admin\AppData\Roaming\FTaYPRl6l7.exe
      "C:\Users\Admin\AppData\Roaming\FTaYPRl6l7.exe"
      4⤵
      Executes dropped EXE
      PID:4432
  - - C:\Users\Admin\AppData\Roaming\yv6fCRbFlC.exe
      "C:\Users\Admin\AppData\Roaming\yv6fCRbFlC.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:848
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\k2JKFfe3zP.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:648
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:3628
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:5048
      - C:\Windows\AppReadiness\sihost.exe
        
        "C:\Windows\AppReadiness\sihost.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4016
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J25HRAKNbZ.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1800
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:1896
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1968
        
        C:\Windows\AppReadiness\sihost.exe
        
        "C:\Windows\AppReadiness\sihost.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1204
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\p3fxByWxmm.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3512
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:4484
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4304
        
        C:\Windows\AppReadiness\sihost.exe
        
        "C:\Windows\AppReadiness\sihost.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1992
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vfMyBrE4tG.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:416
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:468
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:3412
        
        C:\Windows\AppReadiness\sihost.exe
        
        "C:\Windows\AppReadiness\sihost.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5100
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZXPLL9zJFP.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:396
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:544
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3660
        
        C:\Windows\AppReadiness\sihost.exe
        
        "C:\Windows\AppReadiness\sihost.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1648
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hyKfCYp7HR.bat"
        15⤵
        
        PID:1936
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2528
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1608
        
        C:\Windows\AppReadiness\sihost.exe
        
        "C:\Windows\AppReadiness\sihost.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:796
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XJaDrOzS3U.bat"
        17⤵
        
        PID:4660
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:3520
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2788
        
        C:\Windows\AppReadiness\sihost.exe
        
        "C:\Windows\AppReadiness\sihost.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4160
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Vpvxsr0lge.bat"
        19⤵
        
        PID:3588
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:1636
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1788
        
        C:\Windows\AppReadiness\sihost.exe
        
        "C:\Windows\AppReadiness\sihost.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:468
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gjUXinqH5W.bat"
        21⤵
        
        PID:4176
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:2224
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3508
        
        C:\Windows\AppReadiness\sihost.exe
        
        "C:\Windows\AppReadiness\sihost.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1720
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EKfL32T79I.bat"
        23⤵
        
        PID:4200
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:3476
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2464
        
        C:\Windows\AppReadiness\sihost.exe
        
        "C:\Windows\AppReadiness\sihost.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:768
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FYUTXnTyLD.bat"
        25⤵
        
        PID:408
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:2936
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3296
        
        C:\Windows\AppReadiness\sihost.exe
        
        "C:\Windows\AppReadiness\sihost.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4324
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Vpvxsr0lge.bat"
        27⤵
        
        PID:3208
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:3300
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:1180
        
        C:\Windows\AppReadiness\sihost.exe
        
        "C:\Windows\AppReadiness\sihost.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5060
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eGpHjHqZig.bat"
        29⤵
        
        PID:2316
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:440
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        30⤵
        
        PID:3512
        
        C:\Windows\AppReadiness\sihost.exe
        
        "C:\Windows\AppReadiness\sihost.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4320
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\R7RZQa1C6t.bat"
        31⤵
        
        PID:2940
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:3900
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3688
        
        C:\Windows\AppReadiness\sihost.exe
        
        "C:\Windows\AppReadiness\sihost.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3444
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jD9ngJpyTM.bat"
        33⤵
        
        PID:460
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        34⤵
        
        PID:4480
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        34⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3872
        
        C:\Windows\AppReadiness\sihost.exe
        
        "C:\Windows\AppReadiness\sihost.exe"
        34⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4412
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fVfPD2qQtb.bat"
        35⤵
        
        PID:3644
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        36⤵
        
        PID:3052
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        36⤵
        
        PID:2556
        
        C:\Windows\AppReadiness\sihost.exe
        
        "C:\Windows\AppReadiness\sihost.exe"
        36⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5084
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0OmuZz5KLX.bat"
        37⤵
        
        PID:4048
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        38⤵
        
        PID:3576
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        38⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1840
        
        C:\Windows\AppReadiness\sihost.exe
        
        "C:\Windows\AppReadiness\sihost.exe"
        38⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2272
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QtbRvp1Luy.bat"
        39⤵
        
        PID:2180
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        40⤵
        
        PID:1696
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        40⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Windows\Fonts\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Fonts\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Windows\Fonts\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Windows\Resources\Ease of Access Themes\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Resources\Ease of Access Themes\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Windows\Resources\Ease of Access Themes\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Windows\AppReadiness\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\AppReadiness\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Windows\AppReadiness\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "yv6fCRbFlCy" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\Roaming\yv6fCRbFlC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "yv6fCRbFlC" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\yv6fCRbFlC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "yv6fCRbFlCy" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\AppData\Roaming\yv6fCRbFlC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sihost.exe.log

Filesize
1KB

MD5
04d89472c65d3bbaa3a172551b5c71e1

SHA1
b9f21e7cac5c00602ee172f2752c568d5dd26121

SHA256
e8d0e562df3559ad023471fd3ea147e4c3892365b0dfcf0632dfa9c98336e105

SHA512
665109418a1f4bf3f54bf4b87321595a3acf8114d5e2874db245b00b41dc98cfbcb77a2542f711a9146c849bfbf7163bcab286f8fc1774a48cf39b611cddee8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\0OmuZz5KLX.bat

Filesize
162B

MD5
d1d5c7013438456a46069138d2c491c4

SHA1
761b36c6fd51ec8bc9d52d47a159cccd7c039dfc

SHA256
51333b690c94b7ba5978842211ab62b1c5b860eccf752bb7ff4a3852a4f70d50

SHA512
4926984605bd00b2b3b28af414d199296d404853d7017702b2596e3fc512e1acc2517c9d7267fe9a3f2d417f0ff777dd7638c33147daed5df422f9a2d928224f

Download Submit
C:\Users\Admin\AppData\Local\Temp\EKfL32T79I.bat

Filesize
210B

MD5
1a1d0735bdd2912f6d600ba509ceb049

SHA1
1648acaf042d509e3fb5533910304bb540018967

SHA256
fd7ccd1832f3a46d6020512959c07047a121b237b0d88fc1e9d7ae50bc8b5b60

SHA512
674b60ba5c464cb9beb7b2f54b88fe45b873852fc1130c5e20c17a76ac24c757306475a18c1f829a2bc8f1ae3c5261b08d8f57e5ed609579f694ee5c0b4616ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\FYUTXnTyLD.bat

Filesize
162B

MD5
62d3d3c6a2ce5485441151e0ff8fc1e9

SHA1
39c51a00edbc42ca548645e823f69f786d15826a

SHA256
84276c6555619037b9512e76a7357f791bb59ff6801396fa94438c82f39b070f

SHA512
79cdb8fd4ef33d9e977d00b5bc52704f0ca91d4d87e8070cb9fc787a7986465e87247478a405c78c3f51f5589c84fbdb697db27a6640927bde28e72aba071b27

Download Submit
C:\Users\Admin\AppData\Local\Temp\J25HRAKNbZ.bat

Filesize
162B

MD5
dcfb39f63335397a853000ddbc2a744c

SHA1
7dcd584055a29d783bbd014058a1e3718d4409d4

SHA256
76ddb639da70ad05e8dd098215f467e0dbbaf088a666fcf20b0159eeca73446f

SHA512
32cdee26f858e931b5f14867002a55cb5ccd4b223c26da5e8175409a82303d044c97f0fe13e51477ad4cabecac27f7e95ef6b785bccbbab9311d3a0c12c0aa32

Download Submit
C:\Users\Admin\AppData\Local\Temp\QtbRvp1Luy.bat

Filesize
162B

MD5
41caba79682e83c280e96d0388df7f08

SHA1
bec6b9c1550f7ad683746566ed5fc3368eace0d2

SHA256
78066cd34603c8d5a1a56113ff35bf65057e2257bc7fda9e0dc2d7bd8be6374d

SHA512
25dfd159b3af1d13b70745b8e7f0acbdd85708852caa08b7e7aa8338282cb3d5209d689600fbc4424e3d06882186e68b4f9ec9c0f22866d6fad1ccc531c8af0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\R7RZQa1C6t.bat

Filesize
162B

MD5
d365ca1384b5618b5c39d77073df2a5f

SHA1
8bf76c66edb02a09f4babef2e3769f49d4518a54

SHA256
4365b61a992a9de8acac543bb1aeb8fbf537c7db441e2ca9c2b61738136ea480

SHA512
9bc6131f777e5b68bc204b3ab752d0fc39601fd4fb2baaa8daa891199215389b9f157f4478c4c126f3c20f9c8bb556dfdccba8e9288e29afefc2c4b035ae1527

Download Submit
C:\Users\Admin\AppData\Local\Temp\Vpvxsr0lge.bat

Filesize
210B

MD5
8ebb7a58795f314728f2e89165e8822a

SHA1
9a501fdabaa271b0ede601e018fea80b0852b613

SHA256
efc99f7573f82841d98918a92288350a3b580c9ea756f3a081cfa5eee5bf168d

SHA512
927a5834ffa594f08350dd93a2af8574c3d7b09feee03434532a56fb165c3f5b10a58251ca84eef07c9fcd5c7fd713ce264e13beea8a6783aa140580ad85d27a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XJaDrOzS3U.bat

Filesize
162B

MD5
12997b23d7908d29050fbe0c26b8b245

SHA1
447da5cae6ac0b29cf075afc98a40d35a1421dbe

SHA256
45552eec6be5c63330527d30fbdd7a5d941708f26094f45403a91d1d113a9f56

SHA512
8348e6682927a177f7c00dd62d0ecac37f7df77c5bdfb198e21b4649a6e8174abfcb37dc74a06230eb958277ac5b277826321b8a43f6c0b4729f00fdb27c965f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZXPLL9zJFP.bat

Filesize
162B

MD5
de0e9c8bf94051299849debdff1c3bb9

SHA1
361033bab957dd3cb40d18629df4b920ebc89ab1

SHA256
4329180dc9a60d8ac13d157e6b86bd02b0af4e06e149e53c1c89b2b41805932c

SHA512
15d4891e9705dab89975c952af5c151a7b920ffc52cfbfd88cfa3eac85973e27e5b8035f61dae5a5bc091151e1e901780aed2b1f0ab6058fc1c79655c0621059

Download Submit
C:\Users\Admin\AppData\Local\Temp\eGpHjHqZig.bat

Filesize
210B

MD5
18f330c955d91d3e1dfb4a0e762720ee

SHA1
5f68eebdf4ac6fb99188512f620f46c7b2be1a6c

SHA256
809a1ff4e84dce6e22b99f03e259c532d48cb52896a9ddf913b8ee52f7f8f882

SHA512
d6d2aa2f27360b861c8e06733aa8513454a059a1946ddf13d8160d4ba465e85092a5e91ae52c40c400083d94daa90678d8eb2b55ec18f9cdcb9a03b13cdd4fc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\explorer.exe

Filesize
1009KB

MD5
37248e1253355bc6e356e31346f35e30

SHA1
76a4c49df25f3621ef38426d726eafd9f67be20b

SHA256
917c39f77f2a2851383d506c884cc114a992c5e15d0c2993625a4b9186e26ad4

SHA512
1e4f5eb77fed7a1a25f6684fcd42b3097e666ea942995027cf9eab3d4f176eed8c2c9f561cf6e53e8769890fcbf08e559cbe9c05d42ae8ce2dbecb8c7733fd08

Download Submit
C:\Users\Admin\AppData\Local\Temp\fVfPD2qQtb.bat

Filesize
210B

MD5
821f4d94c5732d8f8098ba6ea66fc78d

SHA1
9f01016f53f2aace0056930c29d0e75740d3e011

SHA256
b8d25b1d38d400eb499c0b51b0a9765ce44873479e055457fa8a68b85fd6042b

SHA512
bb2467126fc015f20becee0044256ee75975c8d2c678a38458234f52de0c05f781c4ad12458f820a0643f2715f6691a0b2764525038076dd0ad9539fa3276ba9

Download Submit
C:\Users\Admin\AppData\Local\Temp\gjUXinqH5W.bat

Filesize
162B

MD5
5e2874a473008bc5de216ceeb99b04c8

SHA1
6b41229802e3c7b66223540fbf52a2aea8d5ce96

SHA256
9482d9847f5a5d377c3be16614cb6a9d5150647bc05787b3e3368c2cc21c68a5

SHA512
d2d563e4128fa82a710282ab24e90466630817529d39d60356e203e84595b0dbf2826fd031e9ed787f4a2737c1f7497f6fc421f7eb9d9349453aae60c521f35d

Download Submit
C:\Users\Admin\AppData\Local\Temp\hyKfCYp7HR.bat

Filesize
162B

MD5
c27aad9cf19945e18a266bd666530b8d

SHA1
b5fe2bb6b7d214f994fa4890474153e7bf2f70f9

SHA256
f6cbec250da4bfcc5db8e7898edeb4608809e2667c7fa7260ae835e8681cde14

SHA512
d1e4c07756f19cabfb8f24f9564af34cac4c840bb21871619cc75c7ce8b1c018d06a5b6cf24e144198d9b2bce040d39b0694b3499a66fb75bdc1de8e61059687

Download Submit
C:\Users\Admin\AppData\Local\Temp\jD9ngJpyTM.bat

Filesize
162B

MD5
969cf3d6d2a196864d0baae96ce25907

SHA1
85f13050c80fa79ce8d2eb7da5e50d952b00f28d

SHA256
f08de3374b2edbace9924092e8c932d72e3aa929f3fda1aac2524abc46084747

SHA512
452bdc9c458733bc27d0078212e4e67000dd862bfcebd4204eebec4466d7c6170f11c2ddd34696bce6c02bd6567ae89fb90113fac59c4cdb0f70c84b86dc77c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\k2JKFfe3zP.bat

Filesize
210B

MD5
3dcd3a96a0c4b47a88d8e9b88ec01797

SHA1
63d5384092f3ae9677b8e1b4253b8e25160d46c5

SHA256
47701f40044c289fe2fc9689b516de31ed512932091466d7443bd0a7fb7ac260

SHA512
06fae170da16ca59fd43e3fd7c3326d552d4a879bbaeeb7a43289fd380359a489f8b19d43c011467055f2814d6243579238a1669f02745df996dd88003452a00

Download Submit
C:\Users\Admin\AppData\Local\Temp\p3fxByWxmm.bat

Filesize
162B

MD5
c33fd4965775973207458b8d1535e8d6

SHA1
fd6c1832ffea4070eb5839c6cd0ee25d385e1c4a

SHA256
64b198406907a2f01041e9d20d10a8d3b9d9ac9ffc36e8130f9e2231f406c5a0

SHA512
1a775e9beb91c97df6da39ba507b6d93d663e819fb2397f510154022387dc1cca0f10e671a9a2a779be9fb6bfa9368cfc1a0f3104df3d322151f0128e4339dfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
5.5MB

MD5
52aaa8c3fd6b813b713ae05ab9e4829c

SHA1
d4ac8addbe5e15e867afe58f4bbb8319395ad38e

SHA256
0c30d4cb510304d4ce140952f8ce316056cc4bc552cef78a81fd5301aecc1fd2

SHA512
c39bba95a8554f1115d0362bad33901fd87e00d5de7671cd48d7b537c97889882b9009a83948087cf8516a32588e4ef831531977740b17a2791cec927934fdd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vfMyBrE4tG.bat

Filesize
210B

MD5
37f369c8b6ab1af343c8317164f00c92

SHA1
d006795b4ce78b13e4a6e77c838f2c8685575d73

SHA256
73970ada7514213f58d96c8a9226e2b3019d9e50d1cb6ab9b36c7d5bc464e9a5

SHA512
bf6c0924292da9dbec44b14f3ccaa029f98be3f89eaca1ad11125ea7d9197a7171b6e2309f95788130e66c99e8047e3657a94a4edf80928d8878b4c027faf221

Download Submit
C:\Users\Admin\AppData\Roaming\FTaYPRl6l7.exe

Filesize
18KB

MD5
f3edff85de5fd002692d54a04bcb1c09

SHA1
4c844c5b0ee7cb230c9c28290d079143e00cb216

SHA256
caf29650446db3842e1c1e8e5e1bafadaf90fc82c5c37b9e2c75a089b7476131

SHA512
531d920e2567f58e8169afc786637c1a0f7b9b5c27b27b5f0eddbfc3e00cecd7bea597e34061d836647c5f8c7757f2fe02952a9793344e21b39ddd4bf7985f9d

Download Submit
C:\Users\Admin\AppData\Roaming\yv6fCRbFlC.exe

Filesize
768KB

MD5
e3aae84e507657a2a81745500460f5f7

SHA1
dd53b7b8b0eab343f1ed3f0983326bc433304110

SHA256
b8f3077a6dd5d704139f7ccfe6e453adf3ebc0100c617fd2c9f3c51650a0ea25

SHA512
4bee0f7325bdb02528e78d21f65ccbdc9450316d6681022ddc6c85540a4a6b22c4cc4cfda36824a4e5c17a9b1f66845b61c82d822806dde1e006b9cee7da5d66

Download Submit
memory/848-68-0x00000000021F0000-0x000000000220C000-memory.dmp

Filesize
112KB

Download
memory/848-69-0x0000000002280000-0x00000000022D0000-memory.dmp

Filesize
320KB

Download
memory/848-73-0x0000000000A10000-0x0000000000A1C000-memory.dmp

Filesize
48KB

Download
memory/848-66-0x0000000000A00000-0x0000000000A0E000-memory.dmp

Filesize
56KB

Download
memory/848-60-0x0000000000180000-0x0000000000246000-memory.dmp

Filesize
792KB

Download
memory/848-71-0x0000000002220000-0x0000000002238000-memory.dmp

Filesize
96KB

Download
memory/1868-27-0x00000000747D0000-0x0000000074F80000-memory.dmp

Filesize
7.7MB

Download
memory/1868-25-0x0000000000CF0000-0x0000000000DF2000-memory.dmp

Filesize
1.0MB

Download
memory/1868-34-0x00000000747D0000-0x0000000074F80000-memory.dmp

Filesize
7.7MB

Download
memory/1992-125-0x000000001B120000-0x000000001B222000-memory.dmp

Filesize
1.0MB

Download
memory/2260-0-0x00000000747DE000-0x00000000747DF000-memory.dmp

Filesize
4KB

Download
memory/2260-1-0x0000000000CE0000-0x000000000136C000-memory.dmp

Filesize
6.5MB

Download
memory/2260-2-0x0000000005BB0000-0x0000000005C4C000-memory.dmp

Filesize
624KB

Download
memory/3968-63-0x0000000140000000-0x00000001408C1000-memory.dmp

Filesize
8.8MB

Download
memory/3968-36-0x000000014000E000-0x0000000140347000-memory.dmp

Filesize
3.2MB

Download
memory/3968-62-0x00007FF95E980000-0x00007FF95E982000-memory.dmp

Filesize
8KB

Download
memory/3968-61-0x00007FF95E970000-0x00007FF95E972000-memory.dmp

Filesize
8KB

Download
memory/3968-104-0x000000014000E000-0x0000000140347000-memory.dmp

Filesize
3.2MB

Download
memory/4808-59-0x0000000000400000-0x00000000004FD000-memory.dmp

Filesize
1012KB

Download
memory/4808-28-0x0000000000400000-0x00000000004FD000-memory.dmp

Filesize
1012KB

Download
memory/4808-31-0x0000000000400000-0x00000000004FD000-memory.dmp

Filesize
1012KB

Download
memory/4808-35-0x0000000000400000-0x00000000004FD000-memory.dmp

Filesize
1012KB

Download
memory/4808-30-0x0000000000400000-0x00000000004FD000-memory.dmp

Filesize
1012KB

Download
memory/4808-55-0x0000000000400000-0x00000000004FD000-memory.dmp

Filesize
1012KB

Download