dcrat | 5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edc

Analysis

max time kernel
119s
max time network
111s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16-01-2025 04:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN.exe
Size

2.3MB
MD5

97fa326a760987d1c96801f65c705bb0
SHA1

7024cfcb2f42320212f08fada83916189131717c
SHA256

5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edc
SHA512

ad0a599a90f368c710349bec888a1a491ee59f5e3d5c8d6e2703691cb584f1fc9ca10a1dbc5c4cbd4c7e26c6779c48ad4104051f4fc1cad3d1691de04cc84aef
SSDEEP

49152:P581k6pWQwY9zhWLCGUdeuGMvLq0jvYQxk:P58C6pgTEO0jvYQ

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1124	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1408	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2280	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	472	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1584	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1896	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1656	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1144	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1544	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	684	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1224	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1576	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1052	2976	schtasks.exe	31

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2756-1-0x0000000000860000-0x0000000000AB0000-memory.dmp	dcrat
behavioral1/files/0x00050000000191f3-17.dat	dcrat
behavioral1/memory/1920-47-0x0000000000930000-0x0000000000B80000-memory.dmp	dcrat
behavioral1/memory/2880-64-0x0000000000030000-0x0000000000280000-memory.dmp	dcrat
behavioral1/memory/2400-72-0x0000000001110000-0x0000000001360000-memory.dmp	dcrat
behavioral1/memory/2512-80-0x0000000001220000-0x0000000001470000-memory.dmp	dcrat

Executes dropped EXE 9 IoCs

pid	Process
1920	System.exe
1556	System.exe
2880	System.exe
2400	System.exe
2512	System.exe
1904	System.exe
348	System.exe
2252	System.exe
308	System.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs

Web Service

T1102

flow	ioc
11	pastebin.com
15	pastebin.com
17	pastebin.com
19	pastebin.com
5	pastebin.com
7	pastebin.com
9	pastebin.com
4	pastebin.com
13	pastebin.com

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Media Player\Network Sharing\1610b97d3ab4a7	5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN.exe
File created	C:\Program Files\Uninstall Information\spoolsv.exe	5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN.exe	5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN.exe
File created	C:\Program Files\Uninstall Information\dwm.exe	5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\27d1bcfc3c54e0	5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN.exe
File created	C:\Program Files\Uninstall Information\f3b6ecef712a24	5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\5d45d65db7e624	5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN.exe
File created	C:\Program Files\Windows Media Player\Network Sharing\OSPPSVC.exe	5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\OSPPSVC.exe	5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN.exe
File created	C:\Program Files\Windows Photo Viewer\en-US\taskhost.exe	5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN.exe
File created	C:\Program Files\Windows Photo Viewer\en-US\b75386f1303e64	5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\System.exe	5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN.exe
File created	C:\Program Files\Uninstall Information\6cb0b6c459d5d3	5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\Boot\System.exe	5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN.exe
File created	C:\Windows\Performance\WinSAT\DataStore\csrss.exe	5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN.exe
File created	C:\Windows\Performance\WinSAT\DataStore\886983d96e3d3e	5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN.exe
File created	C:\Windows\Web\Wallpaper\Scenes\csrss.exe	5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN.exe
File created	C:\Windows\Web\Wallpaper\Scenes\886983d96e3d3e	5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-m..drivermanager-trace_31bf3856ad364e35_6.1.7601.17514_none_817af6649fbc1ed4\audiodg.exe	5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN.exe
File created	C:\Windows\AppPatch\it-IT\WMIADAP.exe	5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN.exe
File created	C:\Windows\AppPatch\it-IT\75a57c1bdf437c	5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1144	schtasks.exe
1544	schtasks.exe
2656	schtasks.exe
2644	schtasks.exe
2936	schtasks.exe
2168	schtasks.exe
2376	schtasks.exe
2412	schtasks.exe
1736	schtasks.exe
2504	schtasks.exe
2156	schtasks.exe
2848	schtasks.exe
2972	schtasks.exe
1896	schtasks.exe
2000	schtasks.exe
1224	schtasks.exe
1576	schtasks.exe
2612	schtasks.exe
1656	schtasks.exe
1484	schtasks.exe
1984	schtasks.exe
2716	schtasks.exe
2556	schtasks.exe
2228	schtasks.exe
2052	schtasks.exe
1052	schtasks.exe
2280	schtasks.exe
2816	schtasks.exe
2864	schtasks.exe
2336	schtasks.exe
1584	schtasks.exe
2360	schtasks.exe
2512	schtasks.exe
2348	schtasks.exe
2272	schtasks.exe
1124	schtasks.exe
1408	schtasks.exe
472	schtasks.exe
2088	schtasks.exe
684	schtasks.exe
2184	schtasks.exe
2140	schtasks.exe
3000	schtasks.exe
2900	schtasks.exe
1972	schtasks.exe
840	schtasks.exe
1660	schtasks.exe
2372	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2756	5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN.exe
2756	5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN.exe
2756	5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN.exe
1920	System.exe
1556	System.exe
2880	System.exe
2400	System.exe
2512	System.exe
1904	System.exe
348	System.exe
2252	System.exe
308	System.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	2756	5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN.exe
Token: SeDebugPrivilege	1920	System.exe
Token: SeDebugPrivilege	1556	System.exe
Token: SeDebugPrivilege	2880	System.exe
Token: SeDebugPrivilege	2400	System.exe
Token: SeDebugPrivilege	2512	System.exe
Token: SeDebugPrivilege	1904	System.exe
Token: SeDebugPrivilege	348	System.exe
Token: SeDebugPrivilege	2252	System.exe
Token: SeDebugPrivilege	308	System.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 1920	2756	5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN.exe	80
PID 2756 wrote to memory of 1920	2756	5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN.exe	80
PID 2756 wrote to memory of 1920	2756	5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN.exe	80
PID 1920 wrote to memory of 2772	1920	System.exe	81
PID 1920 wrote to memory of 2772	1920	System.exe	81
PID 1920 wrote to memory of 2772	1920	System.exe	81
PID 2772 wrote to memory of 2616	2772	cmd.exe	83
PID 2772 wrote to memory of 2616	2772	cmd.exe	83
PID 2772 wrote to memory of 2616	2772	cmd.exe	83
PID 2772 wrote to memory of 1556	2772	cmd.exe	84
PID 2772 wrote to memory of 1556	2772	cmd.exe	84
PID 2772 wrote to memory of 1556	2772	cmd.exe	84
PID 1556 wrote to memory of 1964	1556	System.exe	85
PID 1556 wrote to memory of 1964	1556	System.exe	85
PID 1556 wrote to memory of 1964	1556	System.exe	85
PID 1964 wrote to memory of 2340	1964	cmd.exe	87
PID 1964 wrote to memory of 2340	1964	cmd.exe	87
PID 1964 wrote to memory of 2340	1964	cmd.exe	87
PID 1964 wrote to memory of 2880	1964	cmd.exe	88
PID 1964 wrote to memory of 2880	1964	cmd.exe	88
PID 1964 wrote to memory of 2880	1964	cmd.exe	88
PID 2880 wrote to memory of 1012	2880	System.exe	89
PID 2880 wrote to memory of 1012	2880	System.exe	89
PID 2880 wrote to memory of 1012	2880	System.exe	89
PID 1012 wrote to memory of 1584	1012	cmd.exe	91
PID 1012 wrote to memory of 1584	1012	cmd.exe	91
PID 1012 wrote to memory of 1584	1012	cmd.exe	91
PID 1012 wrote to memory of 2400	1012	cmd.exe	92
PID 1012 wrote to memory of 2400	1012	cmd.exe	92
PID 1012 wrote to memory of 2400	1012	cmd.exe	92
PID 2400 wrote to memory of 1760	2400	System.exe	93
PID 2400 wrote to memory of 1760	2400	System.exe	93
PID 2400 wrote to memory of 1760	2400	System.exe	93
PID 1760 wrote to memory of 2416	1760	cmd.exe	95
PID 1760 wrote to memory of 2416	1760	cmd.exe	95
PID 1760 wrote to memory of 2416	1760	cmd.exe	95
PID 1760 wrote to memory of 2512	1760	cmd.exe	96
PID 1760 wrote to memory of 2512	1760	cmd.exe	96
PID 1760 wrote to memory of 2512	1760	cmd.exe	96
PID 2512 wrote to memory of 688	2512	System.exe	97
PID 2512 wrote to memory of 688	2512	System.exe	97
PID 2512 wrote to memory of 688	2512	System.exe	97
PID 688 wrote to memory of 1544	688	cmd.exe	99
PID 688 wrote to memory of 1544	688	cmd.exe	99
PID 688 wrote to memory of 1544	688	cmd.exe	99
PID 688 wrote to memory of 1904	688	cmd.exe	100
PID 688 wrote to memory of 1904	688	cmd.exe	100
PID 688 wrote to memory of 1904	688	cmd.exe	100
PID 1904 wrote to memory of 1524	1904	System.exe	101
PID 1904 wrote to memory of 1524	1904	System.exe	101
PID 1904 wrote to memory of 1524	1904	System.exe	101
PID 1524 wrote to memory of 2432	1524	cmd.exe	103
PID 1524 wrote to memory of 2432	1524	cmd.exe	103
PID 1524 wrote to memory of 2432	1524	cmd.exe	103
PID 1524 wrote to memory of 348	1524	cmd.exe	105
PID 1524 wrote to memory of 348	1524	cmd.exe	105
PID 1524 wrote to memory of 348	1524	cmd.exe	105
PID 348 wrote to memory of 2940	348	System.exe	106
PID 348 wrote to memory of 2940	348	System.exe	106
PID 348 wrote to memory of 2940	348	System.exe	106
PID 2940 wrote to memory of 2812	2940	cmd.exe	108
PID 2940 wrote to memory of 2812	2940	cmd.exe	108
PID 2940 wrote to memory of 2812	2940	cmd.exe	108
PID 2940 wrote to memory of 2252	2940	cmd.exe	109

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN.exe
"C:\Users\Admin\AppData\Local\Temp\5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Program Files (x86)\Microsoft Sync Framework\System.exe
  "C:\Program Files (x86)\Microsoft Sync Framework\System.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1920
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GptcLQn9Ec.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2772
  - - C:\Windows\system32\w32tm.exe
      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      4⤵
      PID:2616
  - - C:\Program Files (x86)\Microsoft Sync Framework\System.exe
      "C:\Program Files (x86)\Microsoft Sync Framework\System.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1556
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Gy1gqmGK9f.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1964
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2340
      - C:\Program Files (x86)\Microsoft Sync Framework\System.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\System.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\asjVMp8zxr.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1012
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1584
        
        C:\Program Files (x86)\Microsoft Sync Framework\System.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\System.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2400
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Or3SRhMf8V.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1760
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2416
        
        C:\Program Files (x86)\Microsoft Sync Framework\System.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\System.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2512
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iu0amT0ExO.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:688
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1544
        
        C:\Program Files (x86)\Microsoft Sync Framework\System.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\System.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1904
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rE1HJofSUb.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:1524
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2432
        
        C:\Program Files (x86)\Microsoft Sync Framework\System.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\System.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:348
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8OW3hmLaVA.bat"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2812
        
        C:\Program Files (x86)\Microsoft Sync Framework\System.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\System.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2252
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7hfvN6zFDa.bat"
        17⤵
        
        PID:3000
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2848
        
        C:\Program Files (x86)\Microsoft Sync Framework\System.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\System.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Media Player\Network Sharing\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Network Sharing\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Media Player\Network Sharing\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\Web\Wallpaper\Scenes\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Web\Wallpaper\Scenes\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\Web\Wallpaper\Scenes\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Photo Viewer\en-US\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\en-US\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Photo Viewer\en-US\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 11 /tr "'C:\Windows\AppPatch\it-IT\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Windows\AppPatch\it-IT\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 14 /tr "'C:\Windows\AppPatch\it-IT\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\Performance\WinSAT\DataStore\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\DataStore\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\Performance\WinSAT\DataStore\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Pictures\Sample Pictures\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Pictures\Sample Pictures\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Uninstall Information\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN5" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN5" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Uninstall Information\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7hfvN6zFDa.bat

Filesize
223B

MD5
2272a37a9b025e7c848dd6b3de9814c8

SHA1
3abab9a989c0849d3e355e0c564388474cd8cfc4

SHA256
e2edf75a7b52a94a1c77eefb5b9941cf4d063b51185e5467265aa76821ec6166

SHA512
b385fd7fba23d8f32fe4b0153dc90c8eba7150da0aa779e70fc6fcf8a1a44ecbb98f8302c557004275d30a486aa1756b7fc1c42f0c0d7bd6c72f1171ebeec01c

Download Submit
C:\Users\Admin\AppData\Local\Temp\8OW3hmLaVA.bat

Filesize
223B

MD5
4b6246ce12c3de687d9fc48e74e8d96e

SHA1
75580d55270aa3160423f37321de537ebfee3d27

SHA256
d154f8736c2f18d5967a611a46c8110aed3dfbb8f9a7931acc30c9fcc0851d3a

SHA512
929c33ffecb849f2cdc15e9cef76398d08e15b0abb7ec1a3962865cad4045ac8c2ca091be03cb38a33edf6e7bed711af603ae2275698e1e17d4607e8c3a44fce

Download Submit
C:\Users\Admin\AppData\Local\Temp\GptcLQn9Ec.bat

Filesize
223B

MD5
f94e32842f5bda67a584144483ee7e9e

SHA1
cfc1cff79d194c556fa1631be2c6293b8c76d9c4

SHA256
964f710f6321bb509489ab3fecb43b2c0ba705c4347a1e8a35508c69023f15ef

SHA512
4b1db09466f91f247ce7d68278b959c87c0ccbccc1c63487a7d929878c2bde0c6afe00fc5d127a7cb1d32df0f4275e233bcf115b7595d282d35a5dc3c9422ef3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gy1gqmGK9f.bat

Filesize
223B

MD5
f33b294ee4869f5983085abddc11b524

SHA1
a25f022b644496295433eb486bd3fa41c93ae2c3

SHA256
b5528ffcd5c8d3df6b46504b7d42392304f43187737fd15bf48ce24a1f43c8a2

SHA512
59be112bc0be3b1d0a61adb4353eae054a8b9ea4bd2a887e469f62161f74d68bad209fc21dd6f9920812d9cfa49ec42388b7d5677cd35511c98f977baf8403ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\Or3SRhMf8V.bat

Filesize
223B

MD5
b68a7c2149bf97e2debd3a884ff6045b

SHA1
46d4b8d55be29e996137b15b6c4672eb4819e38c

SHA256
e1e5e9daaa2503e5e9b9d3c9bcc09ed43710d5e90367ef60c4bb5bdd3936898a

SHA512
63704bcf0aca5923c4e0f2db826783c3ffee1780d921a3865f71cc6a64cb9f529b79a407117dd5e77eb397ba750d4af06f406e91d8346eff7e226efe4505ca1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\asjVMp8zxr.bat

Filesize
223B

MD5
d5863205136c37af85dfe626db4c7796

SHA1
c479ede07f225c81e14dd04d4886ae2c4665125f

SHA256
50b493b7bc345636bdafed4e07d73f93c53cf115d8af0c2d450e3ac1c15f3ab8

SHA512
5cfb5537bf24d6df7db754235288a65c456f65771eb1aa0020ecdf5859dda2fedd2937fa1ea416b8cdb78399d98cc5f65aa81c27eed4e401675c822615dfbf50

Download Submit
C:\Users\Admin\AppData\Local\Temp\iu0amT0ExO.bat

Filesize
223B

MD5
600cb9a25187702823abe900336dce73

SHA1
212f294340c98a4ca18ad571d3e5d1d7759598ff

SHA256
37851587899cdf76ff7653ac41152cab9fe78a8ffea76b05dbc0b3980c327675

SHA512
5d2fea1e7705d1ce4b7fde716883662d06bcc53a42cbe93331853de7fcf98ecbc9b5a51cf1d21457bdacf5b10d4a2db0e613dbb64e7f7f8f2c88a8916690efd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\rE1HJofSUb.bat

Filesize
223B

MD5
afa878978fbde5311ddceccb2d544601

SHA1
9f5a3c02e820baffae599788eaa8c2cae85e01a6

SHA256
83d1a4507e03d6d613e3f6389f6ec87f62c2f83d5f6a286b7b7d59f1d801daf8

SHA512
cec365b48517998f2d5dadc1bbf4ffdcfbd82226b77e4ff27522b3984a2bd7ce039429b4a6b97c33f15976175eb3b4fa6f1a6bd557190631d8e475be64424268

Download Submit
C:\Windows\AppPatch\it-IT\WMIADAP.exe

Filesize
2.3MB

MD5
97fa326a760987d1c96801f65c705bb0

SHA1
7024cfcb2f42320212f08fada83916189131717c

SHA256
5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edc

SHA512
ad0a599a90f368c710349bec888a1a491ee59f5e3d5c8d6e2703691cb584f1fc9ca10a1dbc5c4cbd4c7e26c6779c48ad4104051f4fc1cad3d1691de04cc84aef

Download Submit
memory/348-95-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download
memory/1556-57-0x0000000000280000-0x0000000000292000-memory.dmp

Filesize
72KB

Download
memory/1904-88-0x00000000004B0000-0x00000000004C2000-memory.dmp

Filesize
72KB

Download
memory/1920-47-0x0000000000930000-0x0000000000B80000-memory.dmp

Filesize
2.3MB

Download
memory/1920-49-0x00000000020A0000-0x00000000020F6000-memory.dmp

Filesize
344KB

Download
memory/1920-50-0x00000000003F0000-0x0000000000402000-memory.dmp

Filesize
72KB

Download
memory/2252-102-0x0000000000CB0000-0x0000000000CC2000-memory.dmp

Filesize
72KB

Download
memory/2400-73-0x00000000004F0000-0x0000000000502000-memory.dmp

Filesize
72KB

Download
memory/2400-72-0x0000000001110000-0x0000000001360000-memory.dmp

Filesize
2.3MB

Download
memory/2512-81-0x0000000000450000-0x0000000000462000-memory.dmp

Filesize
72KB

Download
memory/2512-80-0x0000000001220000-0x0000000001470000-memory.dmp

Filesize
2.3MB

Download
memory/2756-7-0x0000000002110000-0x000000000211E000-memory.dmp

Filesize
56KB

Download
memory/2756-48-0x000007FEF61F0000-0x000007FEF6BDC000-memory.dmp

Filesize
9.9MB

Download
memory/2756-8-0x0000000002420000-0x0000000002428000-memory.dmp

Filesize
32KB

Download
memory/2756-0-0x000007FEF61F3000-0x000007FEF61F4000-memory.dmp

Filesize
4KB

Download
memory/2756-6-0x0000000000680000-0x0000000000692000-memory.dmp

Filesize
72KB

Download
memory/2756-5-0x00000000020C0000-0x0000000002116000-memory.dmp

Filesize
344KB

Download
memory/2756-4-0x0000000000820000-0x0000000000836000-memory.dmp

Filesize
88KB

Download
memory/2756-3-0x00000000004C0000-0x00000000004DC000-memory.dmp

Filesize
112KB

Download
memory/2756-2-0x000007FEF61F0000-0x000007FEF6BDC000-memory.dmp

Filesize
9.9MB

Download
memory/2756-1-0x0000000000860000-0x0000000000AB0000-memory.dmp

Filesize
2.3MB

Download
memory/2880-64-0x0000000000030000-0x0000000000280000-memory.dmp

Filesize
2.3MB

Download
memory/2880-65-0x0000000000700000-0x0000000000712000-memory.dmp

Filesize
72KB

Download