dcrat | f1eec0d8c323b0db81ee756d99d00020cf1f7602e4dc158b82c973e9fb5750fc

Analysis

max time kernel
147s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
06-02-2025 07:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f1eec0d8c323b0db81ee756d99d00020cf1f7602e4dc158b82c973e9fb5750fc.exe
Size

1.1MB
MD5

007c92b8ad2188efb216f2699a386238
SHA1

c780a61bde93f59fa404ed217707f99e86f0c1fd
SHA256

f1eec0d8c323b0db81ee756d99d00020cf1f7602e4dc158b82c973e9fb5750fc
SHA512

df65a0fb78ec1453921c8861f73d6dc8379797646d6aa66b7d20ea06bf7688fe4f009d720565c5075724a0da0d657b2bcdc5c4c0717e9ffcabf3d54123ce9e3b
SSDEEP

24576:U2G/nvxW3Ww0tSUtIrZBMreAydD8FVgMjt2:UbA30SaIrfAUD8rM

Score

10^/10

dcrat defense_evasion discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1248	3948	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2092	3948	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3576	3948	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4440	3948	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4620	3948	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4328	3948	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3656	3948	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3264	3948	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3848	3948	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4208	3948	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3320	3948	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4476	3948	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3120	3948	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	3948	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4984	3948	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	976	3948	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4964	3948	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3836	3948	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	3948	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	3948	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	3948	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	224	3948	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4836	3948	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	3948	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	3948	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3548	3948	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1056	3948	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4316	3948	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1280	3948	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3600	3948	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	3948	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	3948	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4264	3948	schtasks.exe	94

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x0008000000023c1e-11.dat	dcrat
behavioral2/memory/1104-13-0x0000000000190000-0x0000000000266000-memory.dmp	dcrat

Disables Task Manager via registry modification
defense_evasion

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000\Control Panel\International\Geo\Nation	f1eec0d8c323b0db81ee756d99d00020cf1f7602e4dc158b82c973e9fb5750fc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000\Control Panel\International\Geo\Nation	componentMonitornet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe

Executes dropped EXE 14 IoCs

pid	Process
1104	componentMonitornet.exe
2908	fontdrvhost.exe
844	fontdrvhost.exe
3008	fontdrvhost.exe
2796	fontdrvhost.exe
4500	fontdrvhost.exe
4896	fontdrvhost.exe
3644	fontdrvhost.exe
1180	fontdrvhost.exe
4696	fontdrvhost.exe
2384	fontdrvhost.exe
3804	fontdrvhost.exe
2032	fontdrvhost.exe
2820	fontdrvhost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 14 IoCs

Web Service

T1102

flow	ioc
45	pastebin.com
50	pastebin.com
57	pastebin.com
62	pastebin.com
56	pastebin.com
78	pastebin.com
30	pastebin.com
75	pastebin.com
77	pastebin.com
29	pastebin.com
33	pastebin.com
46	pastebin.com
58	pastebin.com
76	pastebin.com

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\conhost.exe	componentMonitornet.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\en-US\conhost.exe	componentMonitornet.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\088424020bedd6	componentMonitornet.exe
File created	C:\Program Files (x86)\Windows Portable Devices\componentMonitornet.exe	componentMonitornet.exe
File created	C:\Program Files (x86)\Windows Portable Devices\916e94728f1a0c	componentMonitornet.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\ModemLogs\6ccacd8608530f	componentMonitornet.exe
File created	C:\Windows\SchCache\spoolsv.exe	componentMonitornet.exe
File created	C:\Windows\SchCache\f3b6ecef712a24	componentMonitornet.exe
File created	C:\Windows\Speech_OneCore\Engines\TTS\conhost.exe	componentMonitornet.exe
File created	C:\Windows\Speech_OneCore\Engines\TTS\088424020bedd6	componentMonitornet.exe
File created	C:\Windows\ModemLogs\Idle.exe	componentMonitornet.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f1eec0d8c323b0db81ee756d99d00020cf1f7602e4dc158b82c973e9fb5750fc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000_Classes\Local Settings	componentMonitornet.exe
Key created	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000_Classes\Local Settings	f1eec0d8c323b0db81ee756d99d00020cf1f7602e4dc158b82c973e9fb5750fc.exe
Key created	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000_Classes\Local Settings	fontdrvhost.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2232	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2092	schtasks.exe
4620	schtasks.exe
1732	schtasks.exe
4836	schtasks.exe
1056	schtasks.exe
4964	schtasks.exe
2344	schtasks.exe
3320	schtasks.exe
224	schtasks.exe
4440	schtasks.exe
3848	schtasks.exe
1660	schtasks.exe
2052	schtasks.exe
3600	schtasks.exe
3656	schtasks.exe
976	schtasks.exe
1280	schtasks.exe
4264	schtasks.exe
4476	schtasks.exe
2672	schtasks.exe
2060	schtasks.exe
2540	schtasks.exe
1248	schtasks.exe
4208	schtasks.exe
3264	schtasks.exe
3120	schtasks.exe
4984	schtasks.exe
3836	schtasks.exe
3548	schtasks.exe
4316	schtasks.exe
3576	schtasks.exe
4328	schtasks.exe
1796	schtasks.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1104	componentMonitornet.exe
1104	componentMonitornet.exe
1104	componentMonitornet.exe
1104	componentMonitornet.exe
1104	componentMonitornet.exe
1104	componentMonitornet.exe
1104	componentMonitornet.exe
1104	componentMonitornet.exe
1104	componentMonitornet.exe
1104	componentMonitornet.exe
1104	componentMonitornet.exe
2908	fontdrvhost.exe
844	fontdrvhost.exe
3008	fontdrvhost.exe
2796	fontdrvhost.exe
4500	fontdrvhost.exe
4896	fontdrvhost.exe
3644	fontdrvhost.exe
1180	fontdrvhost.exe
4696	fontdrvhost.exe
2384	fontdrvhost.exe
3804	fontdrvhost.exe
2032	fontdrvhost.exe
2820	fontdrvhost.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	1104	componentMonitornet.exe
Token: SeDebugPrivilege	2908	fontdrvhost.exe
Token: SeDebugPrivilege	844	fontdrvhost.exe
Token: SeDebugPrivilege	3008	fontdrvhost.exe
Token: SeDebugPrivilege	2796	fontdrvhost.exe
Token: SeDebugPrivilege	4500	fontdrvhost.exe
Token: SeDebugPrivilege	4896	fontdrvhost.exe
Token: SeDebugPrivilege	3644	fontdrvhost.exe
Token: SeDebugPrivilege	1180	fontdrvhost.exe
Token: SeDebugPrivilege	4696	fontdrvhost.exe
Token: SeDebugPrivilege	2384	fontdrvhost.exe
Token: SeDebugPrivilege	3804	fontdrvhost.exe
Token: SeDebugPrivilege	2032	fontdrvhost.exe
Token: SeDebugPrivilege	2820	fontdrvhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1588 wrote to memory of 3680	1588	f1eec0d8c323b0db81ee756d99d00020cf1f7602e4dc158b82c973e9fb5750fc.exe	85
PID 1588 wrote to memory of 3680	1588	f1eec0d8c323b0db81ee756d99d00020cf1f7602e4dc158b82c973e9fb5750fc.exe	85
PID 1588 wrote to memory of 3680	1588	f1eec0d8c323b0db81ee756d99d00020cf1f7602e4dc158b82c973e9fb5750fc.exe	85
PID 3680 wrote to memory of 3692	3680	WScript.exe	95
PID 3680 wrote to memory of 3692	3680	WScript.exe	95
PID 3680 wrote to memory of 3692	3680	WScript.exe	95
PID 3692 wrote to memory of 1104	3692	cmd.exe	97
PID 3692 wrote to memory of 1104	3692	cmd.exe	97
PID 1104 wrote to memory of 1680	1104	componentMonitornet.exe	131
PID 1104 wrote to memory of 1680	1104	componentMonitornet.exe	131
PID 3692 wrote to memory of 2232	3692	cmd.exe	133
PID 3692 wrote to memory of 2232	3692	cmd.exe	133
PID 3692 wrote to memory of 2232	3692	cmd.exe	133
PID 1680 wrote to memory of 2992	1680	cmd.exe	134
PID 1680 wrote to memory of 2992	1680	cmd.exe	134
PID 1680 wrote to memory of 2908	1680	cmd.exe	137
PID 1680 wrote to memory of 2908	1680	cmd.exe	137
PID 2908 wrote to memory of 2856	2908	fontdrvhost.exe	139
PID 2908 wrote to memory of 2856	2908	fontdrvhost.exe	139
PID 2856 wrote to memory of 512	2856	cmd.exe	141
PID 2856 wrote to memory of 512	2856	cmd.exe	141
PID 2856 wrote to memory of 844	2856	cmd.exe	142
PID 2856 wrote to memory of 844	2856	cmd.exe	142
PID 844 wrote to memory of 3576	844	fontdrvhost.exe	143
PID 844 wrote to memory of 3576	844	fontdrvhost.exe	143
PID 3576 wrote to memory of 4604	3576	cmd.exe	145
PID 3576 wrote to memory of 4604	3576	cmd.exe	145
PID 3576 wrote to memory of 3008	3576	cmd.exe	147
PID 3576 wrote to memory of 3008	3576	cmd.exe	147
PID 3008 wrote to memory of 2392	3008	fontdrvhost.exe	150
PID 3008 wrote to memory of 2392	3008	fontdrvhost.exe	150
PID 2392 wrote to memory of 4288	2392	cmd.exe	152
PID 2392 wrote to memory of 4288	2392	cmd.exe	152
PID 2392 wrote to memory of 2796	2392	cmd.exe	153
PID 2392 wrote to memory of 2796	2392	cmd.exe	153
PID 2796 wrote to memory of 2232	2796	fontdrvhost.exe	154
PID 2796 wrote to memory of 2232	2796	fontdrvhost.exe	154
PID 2232 wrote to memory of 4072	2232	cmd.exe	156
PID 2232 wrote to memory of 4072	2232	cmd.exe	156
PID 2232 wrote to memory of 4500	2232	cmd.exe	157
PID 2232 wrote to memory of 4500	2232	cmd.exe	157
PID 4500 wrote to memory of 3088	4500	fontdrvhost.exe	158
PID 4500 wrote to memory of 3088	4500	fontdrvhost.exe	158
PID 3088 wrote to memory of 5056	3088	cmd.exe	160
PID 3088 wrote to memory of 5056	3088	cmd.exe	160
PID 3088 wrote to memory of 4896	3088	cmd.exe	162
PID 3088 wrote to memory of 4896	3088	cmd.exe	162
PID 4896 wrote to memory of 3672	4896	fontdrvhost.exe	163
PID 4896 wrote to memory of 3672	4896	fontdrvhost.exe	163
PID 3672 wrote to memory of 3436	3672	cmd.exe	165
PID 3672 wrote to memory of 3436	3672	cmd.exe	165
PID 3672 wrote to memory of 3644	3672	cmd.exe	166
PID 3672 wrote to memory of 3644	3672	cmd.exe	166
PID 3644 wrote to memory of 3320	3644	fontdrvhost.exe	167
PID 3644 wrote to memory of 3320	3644	fontdrvhost.exe	167
PID 3320 wrote to memory of 1700	3320	cmd.exe	169
PID 3320 wrote to memory of 1700	3320	cmd.exe	169
PID 3320 wrote to memory of 1180	3320	cmd.exe	170
PID 3320 wrote to memory of 1180	3320	cmd.exe	170
PID 1180 wrote to memory of 2944	1180	fontdrvhost.exe	171
PID 1180 wrote to memory of 2944	1180	fontdrvhost.exe	171
PID 2944 wrote to memory of 1960	2944	cmd.exe	173
PID 2944 wrote to memory of 1960	2944	cmd.exe	173
PID 2944 wrote to memory of 4696	2944	cmd.exe	174

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\f1eec0d8c323b0db81ee756d99d00020cf1f7602e4dc158b82c973e9fb5750fc.exe
"C:\Users\Admin\AppData\Local\Temp\f1eec0d8c323b0db81ee756d99d00020cf1f7602e4dc158b82c973e9fb5750fc.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1588
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\blockdriverintoRefdhcp\zjUQC6Kcs7ptRMsTAo49SRrfh.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3680
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\blockdriverintoRefdhcp\IJdp5Y1jjSlcQsS9.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3692
  - - C:\blockdriverintoRefdhcp\componentMonitornet.exe
      "C:\blockdriverintoRefdhcp\componentMonitornet.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1104
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8sUPMce1Mj.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1680
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2992
      - C:\Recovery\WindowsRE\fontdrvhost.exe
        
        "C:\Recovery\WindowsRE\fontdrvhost.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2908
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CSN9cxKiet.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2856
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:512
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        "C:\Recovery\WindowsRE\fontdrvhost.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:844
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2Odt5WJZ2f.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3576
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:4604
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        "C:\Recovery\WindowsRE\fontdrvhost.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3008
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\U1yQEvZAPO.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2392
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:4288
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        "C:\Recovery\WindowsRE\fontdrvhost.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2796
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ys2Wc5gw2w.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:2232
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:4072
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        "C:\Recovery\WindowsRE\fontdrvhost.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4500
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rmFq19iy8Y.bat"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:3088
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:5056
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        "C:\Recovery\WindowsRE\fontdrvhost.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4896
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7aJ3FmDw0K.bat"
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:3672
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:3436
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        "C:\Recovery\WindowsRE\fontdrvhost.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3644
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\muCkezbCVz.bat"
        19⤵
        Suspicious use of WriteProcessMemory
        
        PID:3320
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1700
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        "C:\Recovery\WindowsRE\fontdrvhost.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1180
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jnfhf9Euk8.bat"
        21⤵
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1960
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        "C:\Recovery\WindowsRE\fontdrvhost.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4696
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kyAhxuXJBD.bat"
        23⤵
        
        PID:4548
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:536
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        "C:\Recovery\WindowsRE\fontdrvhost.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2384
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GKRF07RVHS.bat"
        25⤵
        
        PID:4908
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:3436
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        "C:\Recovery\WindowsRE\fontdrvhost.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3804
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TGRMrapfWg.bat"
        27⤵
        
        PID:4652
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:4604
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        "C:\Recovery\WindowsRE\fontdrvhost.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2032
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yXZnhMCmO6.bat"
        29⤵
        
        PID:4628
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        30⤵
        
        PID:1936
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        "C:\Recovery\WindowsRE\fontdrvhost.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2820
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rd8mWnFnEV.bat"
        31⤵
        
        PID:1428
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        32⤵
        
        PID:1412
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\blockdriverintoRefdhcp\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\blockdriverintoRefdhcp\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\blockdriverintoRefdhcp\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Windows\Speech_OneCore\Engines\TTS\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\Speech_OneCore\Engines\TTS\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Windows\Speech_OneCore\Engines\TTS\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Windows\ModemLogs\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\ModemLogs\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Windows\ModemLogs\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "componentMonitornetc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Portable Devices\componentMonitornet.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "componentMonitornet" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\componentMonitornet.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "componentMonitornetc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Portable Devices\componentMonitornet.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\blockdriverintoRefdhcp\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\blockdriverintoRefdhcp\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\blockdriverintoRefdhcp\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Windows\SchCache\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\SchCache\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Windows\SchCache\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\fontdrvhost.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Temp\2Odt5WJZ2f.bat

Filesize
202B

MD5
eb10862fe8108fbb1d3d914d2dd4f94e

SHA1
dc900fa756f0f3c2aee241e556a7ae1348cc499b

SHA256
3a8d9ccf0221180e078f8250c8c6159c86723e8eecbd0d2940543bc716f8f1d8

SHA512
16f307aea5b2a83836f84c07f9ee93e25112861bf891114d5e65a367c7936ad4164c7060f87fd55819f81e46215ffaed79270006a91451dd20112ed5624a2bf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7aJ3FmDw0K.bat

Filesize
202B

MD5
892fe78a1812f8a881166b29a29e3874

SHA1
75abe74c4defcdf7f8442929e976ca94111b8f0f

SHA256
7e469f4c97e0a8e4ef955f2fe076dc867b46caaee7d7a25ff973d972c4b68be3

SHA512
f9766cc53ec5b17f1b58d4e0d4d79b21c9d95e52e72fe5ded37a15f47d140ecd2ed7a1d3b3399451091af7bddcb50426a4eb9dd3d92756e08381788655ed7c5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\8sUPMce1Mj.bat

Filesize
202B

MD5
3e707ce2b005ffaae2a427c96e92be16

SHA1
1bbcbfb4166d8c74063f03ddac07f076201400f3

SHA256
2067185f302c262fd015bbd06006dc20ec5520d48d7510d547dc664e3e9813b9

SHA512
15d7861bcb35c61dbc68f56a0265841936bd26e98a5e80612c740f01495c3b627bc3e606ef49f94a3e53d07442955420d1798ce8d3bd6e602575783bae5dac97

Download Submit
C:\Users\Admin\AppData\Local\Temp\CSN9cxKiet.bat

Filesize
202B

MD5
076a5797a2e776e8117ef10ca2300d4c

SHA1
9e0cabe6b791df25dafac1628b7759439142b629

SHA256
d73b76896ae7823420a7dd9c798119b6b13e3607a03fdd989da3719039825d98

SHA512
2080d08479772d91cb2b080da16e624aba474cc35b9b70d7876e4efd9c1dbdaf54592a38f22336c46a9b2267e824c01010c71b076c95876732d0e0b5b93f3aa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\GKRF07RVHS.bat

Filesize
202B

MD5
9d88642257938c9a720e5cc745cbddfb

SHA1
327246237b58c536f405b0243cde8c82c0e302e2

SHA256
42d116afa5b013a2ed13d8304d233629dd7d6be6a4500e61f450dbc1ad39107a

SHA512
eae4f824bd50df9cde0354454e1f1a4748c43838739fdfc95d917d49c3945b0239b98fb51b08ed1f4f4ca44fde9d9768513f14f6f54a42a5cc1263a71a2b8d18

Download Submit
C:\Users\Admin\AppData\Local\Temp\TGRMrapfWg.bat

Filesize
202B

MD5
07bd971fa1f1d996cf1a33d290e72103

SHA1
07e1580d144c5927cd8f0fa91049075ffb2e92fd

SHA256
3073a5c180e615ed405af1856937cfc505866ae5529ba5b4d11015f98330c168

SHA512
de9a4bff91235a32bd5c4d2527535a17a01a19ea4d05d550fcfafea340ca1e459956637bb4fcef0707b492e6d6307793d8927d47c3345662dc203fec8d7dad66

Download Submit
C:\Users\Admin\AppData\Local\Temp\U1yQEvZAPO.bat

Filesize
202B

MD5
b63760b1830d0f63615800ba04b935b6

SHA1
ba68fd8e52505ca3f41efb1e024a58b40f4ed450

SHA256
3a50d253f701f65d47069e1758c06f7f14a71cca737d68851774bbd2e81c89ad

SHA512
93919ab834544679eecb0d5ca511ad3d7a75769e9dc483c86c71955c96a7ada66d01eb9992a34a43273918b18ccaf66c98bc6ede724a215215e7c6d0c6dd443e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ys2Wc5gw2w.bat

Filesize
202B

MD5
7c40710837e6ef967eb4773c432aadad

SHA1
7c59405cda46d916a83e93df0893d40755262fc0

SHA256
508bbafc97bbf18738d929542186b34ed443369527f6362dbf1802c66d5209e5

SHA512
6a8016528d78f41f5894ad3924aa46544a86e50e269e26430892e523cc44f16ebc9eef91baeeae4ea649d8383aff01c2d0da4b060f63a9e800b48a7a826d9e5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\jnfhf9Euk8.bat

Filesize
202B

MD5
5f2093da13fef1613fbd5f9987f97944

SHA1
2bc08e31143f15224f2810b8e9a4b82d1876fd85

SHA256
53114227bf419e2fbacba5c38af9e4537823bd6373db9d58c679e11e7a9a380e

SHA512
ff3e370e415c5598fa1434603c9dd291aafb282d165f2d2f77c11b9af1f9cbcaaf06ad30f6d6f41552b531cfee4dfb2701ea3e4c023add2d9610324082ea7817

Download Submit
C:\Users\Admin\AppData\Local\Temp\kyAhxuXJBD.bat

Filesize
202B

MD5
2a2103ec638e7f8a087dc9e7a647a543

SHA1
b9bf37bf4e5db249e6583891d166a44d24dc0ef2

SHA256
0639ae6f945928a6b1208a6edd145968a35b398794fe39604018722d469b71cf

SHA512
73236f215f84a22b24596cf75041c2ed78e25f7b202fd6bf0538feaba4343c114308e5a993b7e64a7a803caed2ea44c269e49fe033e303c8cba36d390336ffcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\muCkezbCVz.bat

Filesize
202B

MD5
7466f8669015f508163f9c847b7e3e0f

SHA1
fc11a347e0aae941d2a71a86001452b911c42f1e

SHA256
a2970ddd235c9de74ae41e8d87b4c1dcf5a6978fea52c94b3743e8ad85dc09b0

SHA512
efa173576b88aeb724d5dc54b8a8540f289b76e77086783713b255486abc56cc482d86cfe9d4e5b8f6d01408e7c257491d3304ce11470ba691faac84edffc442

Download Submit
C:\Users\Admin\AppData\Local\Temp\rd8mWnFnEV.bat

Filesize
202B

MD5
ce6746b7e18ed4267c3645f2471e46e7

SHA1
dcc14543fecc5a4a7197e77058bcda45dd382131

SHA256
4096d8b00da3cea934b5d46404d140a814f81963c5883f9bc6b23a779a71b080

SHA512
5406bc599e671bd5f7365fbce50c8597376f193be8358d4dc3434155880da604fad8144334164700a79cba5e00791696cba9e1eadf386c808977f1cf8be2cbb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\rmFq19iy8Y.bat

Filesize
202B

MD5
65c8cebc9965f383bf13f2486f5e24e4

SHA1
c8daa1485df4fdff864a57ef3665f706c946fde7

SHA256
6ceba972a6074dbadf095a0b5a0cbb272956b48119c017da734343a69cab3924

SHA512
6421407ffca233e3fb0c9642579ede33ab52a26f144366b1725f90505cc7306d02fbdb4d346d5be048196eed570f79738e1b6b5b88a1c887a58593747ee13f36

Download Submit
C:\Users\Admin\AppData\Local\Temp\yXZnhMCmO6.bat

Filesize
202B

MD5
04bacf7f241dda8d783d8e3d1c360022

SHA1
567a2676bac09d7f599e8914b687c6b0ad0d8e61

SHA256
c0ac057bbf46d6fddb441b281eda09a67742b101c4bce6e6cf93c75759b58270

SHA512
8180e3e81b7b37b1eb399094fad355dc0794c5a37fcddc132df4e6ea7acd4c1f6e7ddb1ae69fb1341e91b7042d1c17426e6cef1428d18e68828f194840e5e8eb

Download Submit
C:\blockdriverintoRefdhcp\IJdp5Y1jjSlcQsS9.bat

Filesize
163B

MD5
d238a0469d580df22f1581e8f0ce7b40

SHA1
b0ce8e65f7a64ec9d103f4b6eb0c2d3e9acbfedf

SHA256
d7b12013be33200d7a4c296f969e3ba2b77ba4f36aecb527fadfab116f9b1106

SHA512
0c19b5923ed41c83f61315fa9e72337cb16bccc4123838d27ac22a51660413fd8b2cf667e1f52cdeda9d45ef0144d6e25c02bc4d6ba9100deadbc4b6a6786596

Download Submit
C:\blockdriverintoRefdhcp\componentMonitornet.exe

Filesize
827KB

MD5
d839c7258cac4c0c3523ba7e0e0e9ba2

SHA1
78741a8c38f20cf7ea60f4cccaef9cef2266aa24

SHA256
e6f5ab7719b96b1b7e01433debb22d0f399d93839935fce599ea44f30487f6b2

SHA512
826e6d76712477862975dbafa6755d7538b28bff742bc1c918898a6efac152d209e732b381cdddef819df27a6aa9e4ed882b969dec2b8c40517803ecf91cd14f

Download Submit
C:\blockdriverintoRefdhcp\zjUQC6Kcs7ptRMsTAo49SRrfh.vbe

Filesize
215B

MD5
ee3c9a512853fd0790091acea86e5345

SHA1
6f88d7686903cec957dfb5ab3e706d7745ebecdf

SHA256
5457d4c6ab53c891a0a491d709bbe1642f93814804fbc5c91a825169fc80b6a3

SHA512
c114b445d1efa5f69d2bc5817dd48fe1502066c64291bcca3b06f38cb98dc6b36cba8ef9a2c4aa3ebb4de030545423cd46134b0707130e3df3c1d9ed32cced0d

Download Submit
memory/1104-13-0x0000000000190000-0x0000000000266000-memory.dmp

Filesize
856KB

Download
memory/1104-12-0x00007FF91A723000-0x00007FF91A725000-memory.dmp

Filesize
8KB

Download