dcrat | f1eec0d8c323b0db81ee756d99d00020cf1f7602e4dc158b82c973e9fb5750fc

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-02-2025 09:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

007c92b8ad2188efb216f2699a386238.exe
Size

1.1MB
MD5

007c92b8ad2188efb216f2699a386238
SHA1

c780a61bde93f59fa404ed217707f99e86f0c1fd
SHA256

f1eec0d8c323b0db81ee756d99d00020cf1f7602e4dc158b82c973e9fb5750fc
SHA512

df65a0fb78ec1453921c8861f73d6dc8379797646d6aa66b7d20ea06bf7688fe4f009d720565c5075724a0da0d657b2bcdc5c4c0717e9ffcabf3d54123ce9e3b
SSDEEP

24576:U2G/nvxW3Ww0tSUtIrZBMreAydD8FVgMjt2:UbA30SaIrfAUD8rM

Score

10^/10

dcrat defense_evasion discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2896	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2896	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	2896	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2896	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	2896	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1152	2896	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	380	2896	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1888	2896	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	776	2896	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1380	2896	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1444	2896	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	2896	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	2896	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	2896	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	2896	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1432	2896	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	2896	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	2896	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1516	2896	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	2896	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	2896	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	2896	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	2896	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	2896	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2396	2896	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	2896	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	2896	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1968	2896	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	772	2896	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	708	2896	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	924	2896	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	2896	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	2896	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	2896	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	744	2896	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	604	2896	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	2896	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	2896	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	2896	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	2896	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	2896	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	2896	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	2896	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	2896	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3064	2896	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	2896	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	868	2896	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	2896	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	2896	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	2896	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1460	2896	schtasks.exe	35

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00060000000193be-9.dat	dcrat
behavioral1/memory/2860-13-0x0000000000AC0000-0x0000000000B96000-memory.dmp	dcrat
behavioral1/memory/2328-55-0x0000000001360000-0x0000000001436000-memory.dmp	dcrat
behavioral1/memory/1496-74-0x00000000001A0000-0x0000000000276000-memory.dmp	dcrat
behavioral1/memory/2944-81-0x0000000001060000-0x0000000001136000-memory.dmp	dcrat
behavioral1/memory/1888-106-0x0000000000050000-0x0000000000126000-memory.dmp	dcrat
behavioral1/memory/376-113-0x00000000011C0000-0x0000000001296000-memory.dmp	dcrat

Disables Task Manager via registry modification
defense_evasion

Executes dropped EXE 12 IoCs

pid	Process
2860	componentMonitornet.exe
2328	taskhost.exe
1984	taskhost.exe
2244	taskhost.exe
1496	taskhost.exe
2944	taskhost.exe
2860	taskhost.exe
1944	taskhost.exe
3024	taskhost.exe
1888	taskhost.exe
376	taskhost.exe
484	taskhost.exe

Loads dropped DLL 2 IoCs

pid	Process
2716	cmd.exe
2716	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
4	pastebin.com
11	pastebin.com
13	pastebin.com
23	pastebin.com
21	pastebin.com
25	pastebin.com
5	pastebin.com
7	pastebin.com
9	pastebin.com
15	pastebin.com
17	pastebin.com
19	pastebin.com

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Mail\de-DE\dwm.exe	componentMonitornet.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\Idle.exe	componentMonitornet.exe
File created	C:\Program Files\Uninstall Information\smss.exe	componentMonitornet.exe
File created	C:\Program Files\7-Zip\Lang\24dbde2999530e	componentMonitornet.exe
File created	C:\Program Files\DVD Maker\de-DE\088424020bedd6	componentMonitornet.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\smss.exe	componentMonitornet.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\69ddcba757bf72	componentMonitornet.exe
File created	C:\Program Files\Windows Mail\de-DE\dwm.exe	componentMonitornet.exe
File created	C:\Program Files\Windows Mail\de-DE\6cb0b6c459d5d3	componentMonitornet.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\6ccacd8608530f	componentMonitornet.exe
File created	C:\Program Files\Uninstall Information\69ddcba757bf72	componentMonitornet.exe
File created	C:\Program Files\7-Zip\Lang\WmiPrvSE.exe	componentMonitornet.exe
File created	C:\Program Files\DVD Maker\de-DE\conhost.exe	componentMonitornet.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\fr-FR\smss.exe	componentMonitornet.exe
File created	C:\Windows\fr-FR\69ddcba757bf72	componentMonitornet.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	007c92b8ad2188efb216f2699a386238.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2008	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2452	schtasks.exe
3064	schtasks.exe
776	schtasks.exe
1444	schtasks.exe
2824	schtasks.exe
2924	schtasks.exe
1668	schtasks.exe
2380	schtasks.exe
2020	schtasks.exe
2652	schtasks.exe
380	schtasks.exe
1888	schtasks.exe
1660	schtasks.exe
708	schtasks.exe
868	schtasks.exe
2292	schtasks.exe
2636	schtasks.exe
2608	schtasks.exe
1516	schtasks.exe
744	schtasks.exe
2056	schtasks.exe
1620	schtasks.exe
2136	schtasks.exe
2216	schtasks.exe
2772	schtasks.exe
2272	schtasks.exe
2084	schtasks.exe
924	schtasks.exe
1816	schtasks.exe
1460	schtasks.exe
1532	schtasks.exe
1800	schtasks.exe
1936	schtasks.exe
2796	schtasks.exe
2348	schtasks.exe
1432	schtasks.exe
1920	schtasks.exe
1968	schtasks.exe
1988	schtasks.exe
1740	schtasks.exe
2088	schtasks.exe
772	schtasks.exe
604	schtasks.exe
1152	schtasks.exe
1380	schtasks.exe
1944	schtasks.exe
2880	schtasks.exe
2788	schtasks.exe
3036	schtasks.exe
2396	schtasks.exe
1540	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2860	componentMonitornet.exe
2860	componentMonitornet.exe
2860	componentMonitornet.exe
2328	taskhost.exe
1984	taskhost.exe
2244	taskhost.exe
1496	taskhost.exe
2944	taskhost.exe
2860	taskhost.exe
1944	taskhost.exe
3024	taskhost.exe
1888	taskhost.exe
376	taskhost.exe
484	taskhost.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	2860	componentMonitornet.exe
Token: SeDebugPrivilege	2328	taskhost.exe
Token: SeDebugPrivilege	1984	taskhost.exe
Token: SeDebugPrivilege	2244	taskhost.exe
Token: SeDebugPrivilege	1496	taskhost.exe
Token: SeDebugPrivilege	2944	taskhost.exe
Token: SeDebugPrivilege	2860	taskhost.exe
Token: SeDebugPrivilege	1944	taskhost.exe
Token: SeDebugPrivilege	3024	taskhost.exe
Token: SeDebugPrivilege	1888	taskhost.exe
Token: SeDebugPrivilege	376	taskhost.exe
Token: SeDebugPrivilege	484	taskhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 2284	2128	007c92b8ad2188efb216f2699a386238.exe	31
PID 2128 wrote to memory of 2284	2128	007c92b8ad2188efb216f2699a386238.exe	31
PID 2128 wrote to memory of 2284	2128	007c92b8ad2188efb216f2699a386238.exe	31
PID 2128 wrote to memory of 2284	2128	007c92b8ad2188efb216f2699a386238.exe	31
PID 2284 wrote to memory of 2716	2284	WScript.exe	32
PID 2284 wrote to memory of 2716	2284	WScript.exe	32
PID 2284 wrote to memory of 2716	2284	WScript.exe	32
PID 2284 wrote to memory of 2716	2284	WScript.exe	32
PID 2716 wrote to memory of 2860	2716	cmd.exe	34
PID 2716 wrote to memory of 2860	2716	cmd.exe	34
PID 2716 wrote to memory of 2860	2716	cmd.exe	34
PID 2716 wrote to memory of 2860	2716	cmd.exe	34
PID 2860 wrote to memory of 2316	2860	componentMonitornet.exe	87
PID 2860 wrote to memory of 2316	2860	componentMonitornet.exe	87
PID 2860 wrote to memory of 2316	2860	componentMonitornet.exe	87
PID 2316 wrote to memory of 2284	2316	cmd.exe	90
PID 2316 wrote to memory of 2284	2316	cmd.exe	90
PID 2316 wrote to memory of 2284	2316	cmd.exe	90
PID 2716 wrote to memory of 2008	2716	cmd.exe	89
PID 2716 wrote to memory of 2008	2716	cmd.exe	89
PID 2716 wrote to memory of 2008	2716	cmd.exe	89
PID 2716 wrote to memory of 2008	2716	cmd.exe	89
PID 2316 wrote to memory of 2328	2316	cmd.exe	91
PID 2316 wrote to memory of 2328	2316	cmd.exe	91
PID 2316 wrote to memory of 2328	2316	cmd.exe	91
PID 2328 wrote to memory of 2828	2328	taskhost.exe	92
PID 2328 wrote to memory of 2828	2328	taskhost.exe	92
PID 2328 wrote to memory of 2828	2328	taskhost.exe	92
PID 2828 wrote to memory of 2984	2828	cmd.exe	94
PID 2828 wrote to memory of 2984	2828	cmd.exe	94
PID 2828 wrote to memory of 2984	2828	cmd.exe	94
PID 2828 wrote to memory of 1984	2828	cmd.exe	95
PID 2828 wrote to memory of 1984	2828	cmd.exe	95
PID 2828 wrote to memory of 1984	2828	cmd.exe	95
PID 1984 wrote to memory of 1040	1984	taskhost.exe	96
PID 1984 wrote to memory of 1040	1984	taskhost.exe	96
PID 1984 wrote to memory of 1040	1984	taskhost.exe	96
PID 1040 wrote to memory of 1880	1040	cmd.exe	98
PID 1040 wrote to memory of 1880	1040	cmd.exe	98
PID 1040 wrote to memory of 1880	1040	cmd.exe	98
PID 1040 wrote to memory of 2244	1040	cmd.exe	99
PID 1040 wrote to memory of 2244	1040	cmd.exe	99
PID 1040 wrote to memory of 2244	1040	cmd.exe	99
PID 2244 wrote to memory of 2072	2244	taskhost.exe	100
PID 2244 wrote to memory of 2072	2244	taskhost.exe	100
PID 2244 wrote to memory of 2072	2244	taskhost.exe	100
PID 2072 wrote to memory of 1552	2072	cmd.exe	102
PID 2072 wrote to memory of 1552	2072	cmd.exe	102
PID 2072 wrote to memory of 1552	2072	cmd.exe	102
PID 2072 wrote to memory of 1496	2072	cmd.exe	103
PID 2072 wrote to memory of 1496	2072	cmd.exe	103
PID 2072 wrote to memory of 1496	2072	cmd.exe	103
PID 1496 wrote to memory of 1660	1496	taskhost.exe	104
PID 1496 wrote to memory of 1660	1496	taskhost.exe	104
PID 1496 wrote to memory of 1660	1496	taskhost.exe	104
PID 1660 wrote to memory of 1456	1660	cmd.exe	106
PID 1660 wrote to memory of 1456	1660	cmd.exe	106
PID 1660 wrote to memory of 1456	1660	cmd.exe	106
PID 1660 wrote to memory of 2944	1660	cmd.exe	107
PID 1660 wrote to memory of 2944	1660	cmd.exe	107
PID 1660 wrote to memory of 2944	1660	cmd.exe	107
PID 2944 wrote to memory of 2732	2944	taskhost.exe	108
PID 2944 wrote to memory of 2732	2944	taskhost.exe	108
PID 2944 wrote to memory of 2732	2944	taskhost.exe	108

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\007c92b8ad2188efb216f2699a386238.exe
"C:\Users\Admin\AppData\Local\Temp\007c92b8ad2188efb216f2699a386238.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\blockdriverintoRefdhcp\zjUQC6Kcs7ptRMsTAo49SRrfh.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2284
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\blockdriverintoRefdhcp\IJdp5Y1jjSlcQsS9.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2716
  - - C:\blockdriverintoRefdhcp\componentMonitornet.exe
      "C:\blockdriverintoRefdhcp\componentMonitornet.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2860
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KXX41oZKKt.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2316
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2284
      - C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\taskhost.exe
        
        "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\taskhost.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2328
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2wrSnsL5gc.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2984
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\taskhost.exe
        
        "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\taskhost.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6qhkY4Aj1y.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1040
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:1880
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\taskhost.exe
        
        "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\taskhost.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2244
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kz4ReWEb5Y.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2072
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1552
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\taskhost.exe
        
        "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\taskhost.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1496
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fq9TqI16of.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:1660
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1456
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\taskhost.exe
        
        "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\taskhost.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jBrSCX6wbi.bat"
        15⤵
        
        PID:2732
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2868
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\taskhost.exe
        
        "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\taskhost.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2860
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wOqzmeZFfo.bat"
        17⤵
        
        PID:1936
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2308
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\taskhost.exe
        
        "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\taskhost.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1944
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yTz6y56Ktd.bat"
        19⤵
        
        PID:1624
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1476
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\taskhost.exe
        
        "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\taskhost.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3024
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OTxxDhnLNa.bat"
        21⤵
        
        PID:292
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:768
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\taskhost.exe
        
        "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\taskhost.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1888
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\auWhjrprfd.bat"
        23⤵
        
        PID:1892
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2420
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\taskhost.exe
        
        "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\taskhost.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:376
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LdN2yJpTNi.bat"
        25⤵
        
        PID:2956
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:2468
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\taskhost.exe
        
        "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\taskhost.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:484
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J6LEBq1ChC.bat"
        27⤵
        
        PID:1456
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:2104
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Mail\de-DE\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\de-DE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\de-DE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Windows\fr-FR\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\fr-FR\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Windows\fr-FR\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office\Office14\1033\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office\Office14\1033\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Users\Default\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Default\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Users\Default\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files\Uninstall Information\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\blockdriverintoRefdhcp\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\blockdriverintoRefdhcp\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\blockdriverintoRefdhcp\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Application Data\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Default\Application Data\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Application Data\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\blockdriverintoRefdhcp\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\blockdriverintoRefdhcp\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\blockdriverintoRefdhcp\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Program Files\7-Zip\Lang\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files\7-Zip\Lang\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\blockdriverintoRefdhcp\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\blockdriverintoRefdhcp\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\blockdriverintoRefdhcp\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files\DVD Maker\de-DE\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\de-DE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Program Files\DVD Maker\de-DE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Templates\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default\Templates\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Templates\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\blockdriverintoRefdhcp\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\blockdriverintoRefdhcp\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\blockdriverintoRefdhcp\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2wrSnsL5gc.bat

Filesize
226B

MD5
058a6e7666f825aec8012b0bd5d2b70f

SHA1
01a567a4034be576988ae1b6aa00bbe46393ff2d

SHA256
01e9459a3cda73e03269a2f14167b77062f87bbe5a40e43343280bcbb2b36a90

SHA512
83612dbaef04cb46688b8ec5a151b11cf02955252026967ce4c76ab5665df5c23e6a414b32c66a6b535c196254b3560a16e6924469ee9a31c991e3ef10b57ec7

Download Submit
C:\Users\Admin\AppData\Local\Temp\6qhkY4Aj1y.bat

Filesize
226B

MD5
7dd26f5677adba7083cdab0a9224ce45

SHA1
226a1ab120f0f1544a32c8905e76a07039d4c165

SHA256
b3bcf3ba7e87d6013eaa5cbf88e280dadc721b2ffee5822153f759e817d49b95

SHA512
5a52cc7131ff4c2b78dbda4a272c4d3de7fa984230bc2cf88ef0c60c20cdc1686c79cd06933bbee43fc299d15572cc0dd13241c089f77b9b67c21d315e64fcf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\J6LEBq1ChC.bat

Filesize
226B

MD5
a73c1f21659367b04eeaceadd10af20e

SHA1
a8ebf27e1168800e5ea8bf775578d7a6422e9cd5

SHA256
953128eba650c07b07a101457e68f6307bdca8a4ce11297c07cc41eab5c9f60a

SHA512
47bc7e59ae7d6a258de105f3c2bc0ae146c23861f6367dba7a2226d2a7f3b8b99f0cc3f7f5035080b692ddce01c8effb44993a418bd223949a56b8e73a3e411b

Download Submit
C:\Users\Admin\AppData\Local\Temp\KXX41oZKKt.bat

Filesize
226B

MD5
f902a3454dee6749c2e4715d9dc342c1

SHA1
7b24d67355950678d414b8154cb6c3bc0345068e

SHA256
26d3b8751467512a4e30890f9fef1661e138c9f2d28ba23719f8154ffe4c5aab

SHA512
7b52d577516a08d7879a414eed0f9c13c281098270963f8111fec0af92ca10d5f32f892b17c3de01123f8a3fa1d207d64eb074bc8faaf9678d341b139e87da4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\LdN2yJpTNi.bat

Filesize
226B

MD5
3e94a05a0512c70ff403cfa5d8c35fbe

SHA1
850eba9f6049e276d41f001fdba865e54a078db3

SHA256
45d25a0b8df4dc6ccf4e89570c0303b79fb9c1e7c7499b7b87be172ebb35dd68

SHA512
db1ecdfee7b970465e1557b462b0f3eed6f4cfbe1ad1e6e3680bc0c302accd11487be1907cc93a8a664d30acc08de80311ef36eb34ea3df7ebf80d48d95716f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\OTxxDhnLNa.bat

Filesize
226B

MD5
f168860c6435b5416e9507b762d113fa

SHA1
30b31aa97c4cc9293f62624fff99239bead8f8ee

SHA256
ede8099a98c622c5048cac48fc85c1a01aedeb3809ccb197ba7b9c532aad0a2b

SHA512
7990d8d39fdd4d07ed1af843267c016b2e56d5277fdcbb6c8a4db79f1711792e575ca0d4b854f51aa47f47de00ff59d77463d106303008172e028ea089898d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\auWhjrprfd.bat

Filesize
226B

MD5
09ee63e2de2b3ee3523669afea891fec

SHA1
7e1dee969f2189620e2693fcc78481b542c0d01a

SHA256
d61f83ed318be3edc73ad9e13fd685ca5056854fd2c7d2fba0817398ab39f1a8

SHA512
35154c8e4e545b534fe81724d0d099ad466c625bb4bdfb4549ce0a90ce6c6f08bb325aca44c6a7fff00bb6ff12c897465198fefc292d8495c74ab80515f49cc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\fq9TqI16of.bat

Filesize
226B

MD5
df027758aa55f73bd0155017506382cb

SHA1
1dd81b8fc0c7e4cf860ae47714e7a6dee1c01395

SHA256
ab351b78862548534079582161c1a3316ee00049f37fd16a93ba07f7ff151c28

SHA512
bfdfac8ee4664d64806f2e90bd5b6aabae1721afa40d2a2345cea1ff244d971194334d1319cb34522e413b9258db46db98f3e9b3676de94e7649e5c04492db3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\jBrSCX6wbi.bat

Filesize
226B

MD5
df3ee0fffd72a2aa98af062f51b72877

SHA1
785d39d06ba6e217d55103da27a53bd18aefd742

SHA256
dea978f179a13193b8268c929cf3878c915904b03f2aa19b2f4dcf39cc59229b

SHA512
db7240816b93576d63c1f66fbd8e75ede60acff73b8b549f33f56d6266fa2732f8b8271b5d9e8251c9533bccc23cd92576e705b1e2d512a0b32a48fd8fa4a705

Download Submit
C:\Users\Admin\AppData\Local\Temp\kz4ReWEb5Y.bat

Filesize
226B

MD5
3284665c4b2aef4e4c2ffba7981849ce

SHA1
3baf3185fe661b57d670dac2c490141d50b96d9c

SHA256
119f8de1516a5103dd54506ea8616290a9dcf78020ace9a9fa9079dd1007ffd7

SHA512
32abc0dcc3d1898a3d251cdad9ad7b00aaa49818d60b5d6271b554ec92f74c0441d4f2f8b8b539b836d6fcd97c0474c695644dfdd187f0628e7b8b23ca37a38d

Download Submit
C:\Users\Admin\AppData\Local\Temp\wOqzmeZFfo.bat

Filesize
226B

MD5
1c125ed79b6af8e31d77ab263958fa2a

SHA1
a81eb16cecbab5ad8aaf54e8caf4f11d0872bed8

SHA256
1fc75a76eeb057b01251c686a29c92c93183b1c41973a959432ccb77a0401e7a

SHA512
89c020d03eaa1c039afe39870c5e3ef7db5572403267d60e2050bd49ab9e860b8cb5cc8611495b7b6744d974d60a3837860c02c08f2d38df7650109178ff5ff2

Download Submit
C:\Users\Admin\AppData\Local\Temp\yTz6y56Ktd.bat

Filesize
226B

MD5
24a9fdfa20daa7a418f74e0b22dd4e08

SHA1
c94b6765af69fa4a8bdbe8b960d5ffdf6b864528

SHA256
5712aabb928ce923db04196ab0d05db280874cd2cd5a309ed434ccd6c40caab5

SHA512
367760fc0dba19f35b4b3312fb008636cd0d8521efe546667fd35b094abefdc3a133ea132c66f3144e8968ad0e64a2832a14ba9940e64b418202f884df726789

Download Submit
C:\blockdriverintoRefdhcp\IJdp5Y1jjSlcQsS9.bat

Filesize
163B

MD5
d238a0469d580df22f1581e8f0ce7b40

SHA1
b0ce8e65f7a64ec9d103f4b6eb0c2d3e9acbfedf

SHA256
d7b12013be33200d7a4c296f969e3ba2b77ba4f36aecb527fadfab116f9b1106

SHA512
0c19b5923ed41c83f61315fa9e72337cb16bccc4123838d27ac22a51660413fd8b2cf667e1f52cdeda9d45ef0144d6e25c02bc4d6ba9100deadbc4b6a6786596

Download Submit
C:\blockdriverintoRefdhcp\zjUQC6Kcs7ptRMsTAo49SRrfh.vbe

Filesize
215B

MD5
ee3c9a512853fd0790091acea86e5345

SHA1
6f88d7686903cec957dfb5ab3e706d7745ebecdf

SHA256
5457d4c6ab53c891a0a491d709bbe1642f93814804fbc5c91a825169fc80b6a3

SHA512
c114b445d1efa5f69d2bc5817dd48fe1502066c64291bcca3b06f38cb98dc6b36cba8ef9a2c4aa3ebb4de030545423cd46134b0707130e3df3c1d9ed32cced0d

Download Submit
\blockdriverintoRefdhcp\componentMonitornet.exe

Filesize
827KB

MD5
d839c7258cac4c0c3523ba7e0e0e9ba2

SHA1
78741a8c38f20cf7ea60f4cccaef9cef2266aa24

SHA256
e6f5ab7719b96b1b7e01433debb22d0f399d93839935fce599ea44f30487f6b2

SHA512
826e6d76712477862975dbafa6755d7538b28bff742bc1c918898a6efac152d209e732b381cdddef819df27a6aa9e4ed882b969dec2b8c40517803ecf91cd14f

Download Submit
memory/376-113-0x00000000011C0000-0x0000000001296000-memory.dmp

Filesize
856KB

Download
memory/1496-74-0x00000000001A0000-0x0000000000276000-memory.dmp

Filesize
856KB

Download
memory/1888-106-0x0000000000050000-0x0000000000126000-memory.dmp

Filesize
856KB

Download
memory/2328-55-0x0000000001360000-0x0000000001436000-memory.dmp

Filesize
856KB

Download
memory/2860-13-0x0000000000AC0000-0x0000000000B96000-memory.dmp

Filesize
856KB

Download
memory/2944-81-0x0000000001060000-0x0000000001136000-memory.dmp

Filesize
856KB

Download