9fc8c881c65e76927632323529b5186fb552d22fa4b52b6ac82165728aa02f9f

Analysis

max time kernel
143s
max time network
148s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
20-08-2024 23:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NeverLoseLoader.exe
Size

2.8MB
MD5

a35bacaf176f367bd51ed22782dc5519
SHA1

99fdd147469d0392fc2a8fcc714206a70c3961db
SHA256

9fc8c881c65e76927632323529b5186fb552d22fa4b52b6ac82165728aa02f9f
SHA512

b33b4452cccd762eead94b90244e2aaefa9f5fcca45dba761d5e28a28a2bbc3ef201b2e1f187df6e66949fb501f1edb31f7d9634dfa7dd17bb7050142a31b51a
SSDEEP

49152:tBUnRxbHAr0MmN6vm2H0MvnoxhRb4q3WO/PVdxfgz6:n2RxbHyfH0MvnonRbZ5Vd5o6

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\agentsavesSessioncrt\\explorer.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\lsm.exe\", \"C:\\agentsavesSessioncrt\\WmiPrvSE.exe\", \"C:\\Recovery\\ba13f242-3a65-11ef-94cb-d685e2345d05\\Idle.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\conhost.exe\""	hyperBlockServerSavesSession.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\agentsavesSessioncrt\\explorer.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\lsm.exe\", \"C:\\agentsavesSessioncrt\\WmiPrvSE.exe\", \"C:\\Recovery\\ba13f242-3a65-11ef-94cb-d685e2345d05\\Idle.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\conhost.exe\", \"C:\\agentsavesSessioncrt\\hyperBlockServerSavesSession.exe\""	hyperBlockServerSavesSession.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\agentsavesSessioncrt\\explorer.exe\""	hyperBlockServerSavesSession.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\agentsavesSessioncrt\\explorer.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\lsm.exe\""	hyperBlockServerSavesSession.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\agentsavesSessioncrt\\explorer.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\lsm.exe\", \"C:\\agentsavesSessioncrt\\WmiPrvSE.exe\""	hyperBlockServerSavesSession.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\agentsavesSessioncrt\\explorer.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\lsm.exe\", \"C:\\agentsavesSessioncrt\\WmiPrvSE.exe\", \"C:\\Recovery\\ba13f242-3a65-11ef-94cb-d685e2345d05\\Idle.exe\""	hyperBlockServerSavesSession.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	3052	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2236	3052	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	3052	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	3052	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1152	3052	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1100	3052	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	3052	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	3052	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1196	3052	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	3052	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	3052	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	3052	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	3052	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	3052	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	3052	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2092	3052	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	940	3052	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1552	3052	schtasks.exe	33

Executes dropped EXE 10 IoCs

pid	Process
2736	hyperBlockServerSavesSession.exe
2552	conhost.exe
2572	conhost.exe
1704	conhost.exe
2940	conhost.exe
1060	conhost.exe
1180	conhost.exe
2924	conhost.exe
2216	conhost.exe
2976	conhost.exe

Loads dropped DLL 2 IoCs

pid	Process
2896	cmd.exe
2896	cmd.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Recovery\\ba13f242-3a65-11ef-94cb-d685e2345d05\\Idle.exe\""	hyperBlockServerSavesSession.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\conhost.exe\""	hyperBlockServerSavesSession.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\conhost.exe\""	hyperBlockServerSavesSession.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\agentsavesSessioncrt\\explorer.exe\""	hyperBlockServerSavesSession.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\agentsavesSessioncrt\\explorer.exe\""	hyperBlockServerSavesSession.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\lsm.exe\""	hyperBlockServerSavesSession.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\agentsavesSessioncrt\\WmiPrvSE.exe\""	hyperBlockServerSavesSession.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hyperBlockServerSavesSession = "\"C:\\agentsavesSessioncrt\\hyperBlockServerSavesSession.exe\""	hyperBlockServerSavesSession.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\lsm.exe\""	hyperBlockServerSavesSession.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\agentsavesSessioncrt\\WmiPrvSE.exe\""	hyperBlockServerSavesSession.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Recovery\\ba13f242-3a65-11ef-94cb-d685e2345d05\\Idle.exe\""	hyperBlockServerSavesSession.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\hyperBlockServerSavesSession = "\"C:\\agentsavesSessioncrt\\hyperBlockServerSavesSession.exe\""	hyperBlockServerSavesSession.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\thgklq.exe	csc.exe
File created	\??\c:\Windows\System32\CSC75AC2062187C4CB3BC122B7BEB174F5.TMP	csc.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe	hyperBlockServerSavesSession.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\088424020bedd6	hyperBlockServerSavesSession.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\lsm.exe	hyperBlockServerSavesSession.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\101b941d020240	hyperBlockServerSavesSession.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe	hyperBlockServerSavesSession.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NeverLoseLoader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3036	PING.EXE
2784	PING.EXE
860	PING.EXE

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
3036	PING.EXE
2784	PING.EXE
860	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2236	schtasks.exe
2728	schtasks.exe
2080	schtasks.exe
1552	schtasks.exe
2672	schtasks.exe
2284	schtasks.exe
3068	schtasks.exe
2700	schtasks.exe
1196	schtasks.exe
2092	schtasks.exe
940	schtasks.exe
2344	schtasks.exe
1920	schtasks.exe
1152	schtasks.exe
1100	schtasks.exe
1620	schtasks.exe
1984	schtasks.exe
2992	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2736	hyperBlockServerSavesSession.exe
2736	hyperBlockServerSavesSession.exe
2736	hyperBlockServerSavesSession.exe
2736	hyperBlockServerSavesSession.exe
2736	hyperBlockServerSavesSession.exe
2736	hyperBlockServerSavesSession.exe
2736	hyperBlockServerSavesSession.exe
2736	hyperBlockServerSavesSession.exe
2736	hyperBlockServerSavesSession.exe
2736	hyperBlockServerSavesSession.exe
2736	hyperBlockServerSavesSession.exe
2736	hyperBlockServerSavesSession.exe
2736	hyperBlockServerSavesSession.exe
2736	hyperBlockServerSavesSession.exe
2736	hyperBlockServerSavesSession.exe
2736	hyperBlockServerSavesSession.exe
2736	hyperBlockServerSavesSession.exe
2736	hyperBlockServerSavesSession.exe
2736	hyperBlockServerSavesSession.exe
2736	hyperBlockServerSavesSession.exe
2736	hyperBlockServerSavesSession.exe
2736	hyperBlockServerSavesSession.exe
2736	hyperBlockServerSavesSession.exe
2736	hyperBlockServerSavesSession.exe
2736	hyperBlockServerSavesSession.exe
2736	hyperBlockServerSavesSession.exe
2736	hyperBlockServerSavesSession.exe
2736	hyperBlockServerSavesSession.exe
2736	hyperBlockServerSavesSession.exe
2736	hyperBlockServerSavesSession.exe
2736	hyperBlockServerSavesSession.exe
2736	hyperBlockServerSavesSession.exe
2736	hyperBlockServerSavesSession.exe
2736	hyperBlockServerSavesSession.exe
2736	hyperBlockServerSavesSession.exe
2736	hyperBlockServerSavesSession.exe
2736	hyperBlockServerSavesSession.exe
2736	hyperBlockServerSavesSession.exe
2736	hyperBlockServerSavesSession.exe
2736	hyperBlockServerSavesSession.exe
2736	hyperBlockServerSavesSession.exe
2736	hyperBlockServerSavesSession.exe
2736	hyperBlockServerSavesSession.exe
2736	hyperBlockServerSavesSession.exe
2736	hyperBlockServerSavesSession.exe
2736	hyperBlockServerSavesSession.exe
2736	hyperBlockServerSavesSession.exe
2736	hyperBlockServerSavesSession.exe
2736	hyperBlockServerSavesSession.exe
2736	hyperBlockServerSavesSession.exe
2736	hyperBlockServerSavesSession.exe
2736	hyperBlockServerSavesSession.exe
2736	hyperBlockServerSavesSession.exe
2736	hyperBlockServerSavesSession.exe
2736	hyperBlockServerSavesSession.exe
2736	hyperBlockServerSavesSession.exe
2736	hyperBlockServerSavesSession.exe
2736	hyperBlockServerSavesSession.exe
2736	hyperBlockServerSavesSession.exe
2736	hyperBlockServerSavesSession.exe
2736	hyperBlockServerSavesSession.exe
2736	hyperBlockServerSavesSession.exe
2736	hyperBlockServerSavesSession.exe
2736	hyperBlockServerSavesSession.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	2736	hyperBlockServerSavesSession.exe
Token: SeDebugPrivilege	2552	conhost.exe
Token: SeDebugPrivilege	2572	conhost.exe
Token: SeDebugPrivilege	1704	conhost.exe
Token: SeDebugPrivilege	2940	conhost.exe
Token: SeDebugPrivilege	1060	conhost.exe
Token: SeDebugPrivilege	1180	conhost.exe
Token: SeDebugPrivilege	2924	conhost.exe
Token: SeDebugPrivilege	2216	conhost.exe
Token: SeDebugPrivilege	2976	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2488 wrote to memory of 2356	2488	NeverLoseLoader.exe	29
PID 2488 wrote to memory of 2356	2488	NeverLoseLoader.exe	29
PID 2488 wrote to memory of 2356	2488	NeverLoseLoader.exe	29
PID 2488 wrote to memory of 2356	2488	NeverLoseLoader.exe	29
PID 2356 wrote to memory of 2896	2356	WScript.exe	30
PID 2356 wrote to memory of 2896	2356	WScript.exe	30
PID 2356 wrote to memory of 2896	2356	WScript.exe	30
PID 2356 wrote to memory of 2896	2356	WScript.exe	30
PID 2896 wrote to memory of 2736	2896	cmd.exe	32
PID 2896 wrote to memory of 2736	2896	cmd.exe	32
PID 2896 wrote to memory of 2736	2896	cmd.exe	32
PID 2896 wrote to memory of 2736	2896	cmd.exe	32
PID 2736 wrote to memory of 1116	2736	hyperBlockServerSavesSession.exe	37
PID 2736 wrote to memory of 1116	2736	hyperBlockServerSavesSession.exe	37
PID 2736 wrote to memory of 1116	2736	hyperBlockServerSavesSession.exe	37
PID 1116 wrote to memory of 2524	1116	csc.exe	39
PID 1116 wrote to memory of 2524	1116	csc.exe	39
PID 1116 wrote to memory of 2524	1116	csc.exe	39
PID 2736 wrote to memory of 2540	2736	hyperBlockServerSavesSession.exe	55
PID 2736 wrote to memory of 2540	2736	hyperBlockServerSavesSession.exe	55
PID 2736 wrote to memory of 2540	2736	hyperBlockServerSavesSession.exe	55
PID 2540 wrote to memory of 1680	2540	cmd.exe	57
PID 2540 wrote to memory of 1680	2540	cmd.exe	57
PID 2540 wrote to memory of 1680	2540	cmd.exe	57
PID 2540 wrote to memory of 2216	2540	cmd.exe	58
PID 2540 wrote to memory of 2216	2540	cmd.exe	58
PID 2540 wrote to memory of 2216	2540	cmd.exe	58
PID 2540 wrote to memory of 2552	2540	cmd.exe	59
PID 2540 wrote to memory of 2552	2540	cmd.exe	59
PID 2540 wrote to memory of 2552	2540	cmd.exe	59
PID 2552 wrote to memory of 1004	2552	conhost.exe	60
PID 2552 wrote to memory of 1004	2552	conhost.exe	60
PID 2552 wrote to memory of 1004	2552	conhost.exe	60
PID 1004 wrote to memory of 3020	1004	cmd.exe	62
PID 1004 wrote to memory of 3020	1004	cmd.exe	62
PID 1004 wrote to memory of 3020	1004	cmd.exe	62
PID 1004 wrote to memory of 1940	1004	cmd.exe	63
PID 1004 wrote to memory of 1940	1004	cmd.exe	63
PID 1004 wrote to memory of 1940	1004	cmd.exe	63
PID 1004 wrote to memory of 2572	1004	cmd.exe	64
PID 1004 wrote to memory of 2572	1004	cmd.exe	64
PID 1004 wrote to memory of 2572	1004	cmd.exe	64
PID 2572 wrote to memory of 2096	2572	conhost.exe	65
PID 2572 wrote to memory of 2096	2572	conhost.exe	65
PID 2572 wrote to memory of 2096	2572	conhost.exe	65
PID 2096 wrote to memory of 1516	2096	cmd.exe	67
PID 2096 wrote to memory of 1516	2096	cmd.exe	67
PID 2096 wrote to memory of 1516	2096	cmd.exe	67
PID 2096 wrote to memory of 3036	2096	cmd.exe	68
PID 2096 wrote to memory of 3036	2096	cmd.exe	68
PID 2096 wrote to memory of 3036	2096	cmd.exe	68
PID 2096 wrote to memory of 1704	2096	cmd.exe	69
PID 2096 wrote to memory of 1704	2096	cmd.exe	69
PID 2096 wrote to memory of 1704	2096	cmd.exe	69
PID 1704 wrote to memory of 2868	1704	conhost.exe	70
PID 1704 wrote to memory of 2868	1704	conhost.exe	70
PID 1704 wrote to memory of 2868	1704	conhost.exe	70
PID 2868 wrote to memory of 2356	2868	cmd.exe	72
PID 2868 wrote to memory of 2356	2868	cmd.exe	72
PID 2868 wrote to memory of 2356	2868	cmd.exe	72
PID 2868 wrote to memory of 2784	2868	cmd.exe	73
PID 2868 wrote to memory of 2784	2868	cmd.exe	73
PID 2868 wrote to memory of 2784	2868	cmd.exe	73
PID 2868 wrote to memory of 2940	2868	cmd.exe	74

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\NeverLoseLoader.exe
"C:\Users\Admin\AppData\Local\Temp\NeverLoseLoader.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2488
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\agentsavesSessioncrt\wvAy3g2cwUA0WlAR67rDwx6ilqeJ3huGsrpLtUKpTSpXZqeLmD5jcZq.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2356
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\agentsavesSessioncrt\fqPjTa5dmPVCKdRywzd7JYZCOwyT6TkVbtC1AmfVOodlKWVPvDa.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2896
  - - C:\agentsavesSessioncrt\hyperBlockServerSavesSession.exe
      "C:\agentsavesSessioncrt/hyperBlockServerSavesSession.exe"
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2736
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\aqrkuhht\aqrkuhht.cmdline"
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1116
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES673B.tmp" "c:\Windows\System32\CSC75AC2062187C4CB3BC122B7BEB174F5.TMP"
        6⤵
        
        PID:2524
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fCG2gOe89n.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2540
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1680
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2216
      - C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2552
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1mWG9ArXwW.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1004
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:3020
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1940
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2572
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tgniDsG2Ey.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2096
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:1516
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3036
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1704
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QrE9yw7ggl.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2868
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:2356
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2784
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2940
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LqM2MqbNda.bat"
        13⤵
        
        PID:3068
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:2644
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1496
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1060
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2BGdjLelXV.bat"
        15⤵
        
        PID:736
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2160
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2260
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1180
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\B35ds8t0En.bat"
        17⤵
        
        PID:2764
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:648
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2720
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2924
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HaE3Dx3E3n.bat"
        19⤵
        
        PID:1388
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:2020
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2360
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2216
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6L2ySswQ0j.bat"
        21⤵
        
        PID:1604
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:1752
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2420
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2976
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\g3J0tdP0ue.bat"
        23⤵
        
        PID:1192
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:2204
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\agentsavesSessioncrt\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\agentsavesSessioncrt\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\agentsavesSessioncrt\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\agentsavesSessioncrt\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\agentsavesSessioncrt\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\agentsavesSessioncrt\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "hyperBlockServerSavesSessionh" /sc MINUTE /mo 13 /tr "'C:\agentsavesSessioncrt\hyperBlockServerSavesSession.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "hyperBlockServerSavesSession" /sc ONLOGON /tr "'C:\agentsavesSessioncrt\hyperBlockServerSavesSession.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "hyperBlockServerSavesSessionh" /sc MINUTE /mo 9 /tr "'C:\agentsavesSessioncrt\hyperBlockServerSavesSession.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1mWG9ArXwW.bat

Filesize
243B

MD5
fea5fdb70e300138e7a59a4fbcb79135

SHA1
80f2c396e30be575c6c47c194fd1aec0ecd6a122

SHA256
d552df852673d75d54c7bc877a1185a7d589258146bae187bbc26a67c5d22275

SHA512
1a09a9c84d3d8b8f2fc71429478e08090da6d1f2fb2f34a02edc2bd6904f7fc109de4061399eff118833708498845493d3a8e329370b570da430ec73c214b3e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\2BGdjLelXV.bat

Filesize
243B

MD5
5d5d101b23979e2b5114d9caa3e642ca

SHA1
0e63cab108192a7b75abe7011eecc78882c1f17d

SHA256
1451261466289ddb12c3fca485304d39246091b4c4ed665b6c87dbda75f56249

SHA512
ba01320d707b6dfad5f4d0fde7a5d50e407d610e1da5a8eaa5bb1555e2782523982ae45055aeaf2749f0cdc2b648b79f337487a6e3edf62f3ce6b7017e1e813d

Download Submit
C:\Users\Admin\AppData\Local\Temp\6L2ySswQ0j.bat

Filesize
243B

MD5
2c17373faceb3bb22d9581b93f0a101b

SHA1
40c3c5f1a6309b4071a0da0c434bccb4da5bcacc

SHA256
4bb061ca7426ac4efb2e850077785695c138f39dbdeb4b8413225cc8c0e37ff2

SHA512
f9dff7cbf76f7f80eaf37573ce4f86e45e59845e248899947b206de084b551908b23694a2f3d6be4fa8a888a266fe54d6ad56a439e73fec988872b977865f1e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\B35ds8t0En.bat

Filesize
243B

MD5
1e7b3b59547559d4f049f08f491053bd

SHA1
1edd642a5bf3aee344acdc0a8cf83b006633cca8

SHA256
7dedd1a65ff73cb2bee1002272bd4d5ad7d8afb5420fef708ec563f919879198

SHA512
9e9549346ece0b2f592801d23ed48fa4a8d18b62dfddb7a7f720faa8f72aaf82713e7d12da004dfd896c22857bfed0ee23e9fbee7bccb79a89f0798dd97ec1be

Download Submit
C:\Users\Admin\AppData\Local\Temp\HaE3Dx3E3n.bat

Filesize
243B

MD5
b3dd7471cc7b07a4a2497db6d5dd1585

SHA1
c1f9a99ec045ce56fa1413ea71e6dfd776215273

SHA256
a500fc6fb27f7b98d00995723aa591b8efe2e348e544d996f44a5ee2ac277e72

SHA512
bf66cd86ce3d2a1e50357820634eb73d5e8b3a82c040ac38ed0766715e1fc4730e7050e447ad8bbc0923969f5018f8a41f986cf812ba5618026c0f0cf392ec78

Download Submit
C:\Users\Admin\AppData\Local\Temp\LqM2MqbNda.bat

Filesize
243B

MD5
d79dbdbaaa9c3f9c643b868505feccc7

SHA1
326a77e04c3e6c9266e04140c7d08dd28b9c1d6f

SHA256
9a8427ae6b1baa967d02f22d7f66bffa62902327d4682142879f29f021508098

SHA512
ee5df5d4491b5be8bd8e4c6b8e6c0d052fc780bfce85e27b8a5e3c551517e9eea8fe2459137e88afd7d148888220947ffa69f17aeaf84f32a3d1951ea0a48dc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\QrE9yw7ggl.bat

Filesize
195B

MD5
81155eaacb5e27704b4f879d13672084

SHA1
710485efd41d77ad162d306d030170a631e19bd1

SHA256
b0b2382eb659129f9c31c9523b557bd5f54184d32841996bcee177cfaa5414b7

SHA512
b096aacdd3142b7996ba92ea833acdda1a3efee5b36ad187e7cb99cc91c4e1b2d91f651649bc7a2bd7078bc9b90a1a33c377bcb422897ab5f559be0c07e1328b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES673B.tmp

Filesize
1KB

MD5
dce4eb0fa43173a744a953d53cc8bb95

SHA1
25e79e5782831becd3b7470497b27d76e984781c

SHA256
0ac31f0482a91a9217881173cb23eaab4b037556a4205d9ffb6f2f651013fc6c

SHA512
405512f173841409adf2b0f04102532c862138b9ae4d9c0256d7ed2ede0075be604a36cc3bf4d31047763457c5b948c50a750e3a9291bf36339f1e3309330dcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\fCG2gOe89n.bat

Filesize
243B

MD5
ce4b315c5d421b074213e83780cac060

SHA1
b5856b27517e158f93a88c9e3cf216b36407cdc8

SHA256
dcd2914faef8d6f3a4f2ddf8c3beb01a2519b3075b64a81a21ee5a1f2ead0bfa

SHA512
05765ef939c5b2d204d2bb25d3d4757ef212f09bb2244b772c8b6e37a2cd13b9fbbf4c91f10d410bf360bea80ed2cd72c178a02be320d0e627c887dbeab472af

Download Submit
C:\Users\Admin\AppData\Local\Temp\g3J0tdP0ue.bat

Filesize
195B

MD5
040faa8214c5c7653749221b7ad9d36f

SHA1
b46940225b5b0b936692b1005313d8caa73b00f4

SHA256
3ed4d6cc978e7fa8c791e70be739273e1b5c52315c5de9345b5357f74e2d365b

SHA512
ff9c223696a5b0dbf5aa119d955d16a264bd9bb97bcf8137641aaf76606d776a4e9867c2515f1584b136d3c6bc0081ffb7ffbf6c25e5065315b1b3b45e3cdd60

Download Submit
C:\Users\Admin\AppData\Local\Temp\tgniDsG2Ey.bat

Filesize
195B

MD5
b415eb59368f94b9f0a8c6fb26eb7c38

SHA1
8b6a3c8311b250472ca9ba1c4d59f058fcf19aed

SHA256
474e7859793774ec36b7bc3edaef1734c9fc6b58077117f069a76eab18676997

SHA512
b0bf1f76507e6baa658c014977d889476a8fb04b40f7df96132553ea75cb5031e9336301ce9d746035dbb32a81adfaa015f0404001f0909fac822d50c6fec6bf

Download Submit
C:\agentsavesSessioncrt\fqPjTa5dmPVCKdRywzd7JYZCOwyT6TkVbtC1AmfVOodlKWVPvDa.bat

Filesize
103B

MD5
ebe4c21126c470353bc85eac1cef774a

SHA1
ee65d9ffab4a9d4781feb71d087a946bd64476cb

SHA256
27dc735359b7b713506b5a2dbacbbdb43d296f0cc4f11f374b59d605ec4f64e0

SHA512
67b2b033fb58cd3df39a1b7741d14729ef092d21c142c0a06611eed6479000ca29595496624b8d2acf43041ef8332e4cb66923d10b9b6a29dc29e9e007885f13

Download Submit
C:\agentsavesSessioncrt\wvAy3g2cwUA0WlAR67rDwx6ilqeJ3huGsrpLtUKpTSpXZqeLmD5jcZq.vbe

Filesize
250B

MD5
a0513e519e74038b3105c6da2ab0d334

SHA1
6c5f7f413c19c0f7c2584e706a60d08c27823e36

SHA256
3ed9c9074b5448cb4fdc13904739407317f5e083eda10b4ab6145888ffa12033

SHA512
222c2107dcfc29a0e0a05a5378ac38a564c175868d9a9428de4610cff53b35c16dee575e4d63eb427ad23bcaec7a8649167b4918aaf18e78bf7329a6c2e3b877

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\aqrkuhht\aqrkuhht.0.cs

Filesize
368B

MD5
058925ec0f4fe9dc3d4589ff7685e2ac

SHA1
ebaf3d24db928b69186ac4f45a3a7dfa5190d64b

SHA256
cfba61873e26697abea58d414050155f16e41e15a2acf78bef2ca26b333de6eb

SHA512
881da20d611a5cc1547fa424992314567366cec961eae7e94eb8fa172df0bad394910c716c94702175104d54bd19046a09955c97e8ed495c3e302f454b2820c4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\aqrkuhht\aqrkuhht.cmdline

Filesize
235B

MD5
2a66e3b65098e0215f76802f833364d0

SHA1
9f122f80d42b760d20e91bfb36c181c7b96ce523

SHA256
74008aea7d9c30ca0f2d74c8a6269f4cd50195293f3e332836c9f2cc2a2cde25

SHA512
e675d4a387a4a5d4f79d5fa698f891a14845087fd13e6bc25007b1f10074360953ba8912544eca4fc98839f3bf0d944aff2c17663d2fd1a604b9b85a69eaa8c3

Download Submit
\??\c:\Windows\System32\CSC75AC2062187C4CB3BC122B7BEB174F5.TMP

Filesize
1KB

MD5
af44bc95611e7a0b7c1280a97344df34

SHA1
592e83f33e2b0fab2b41a12d3421dca7041338a6

SHA256
982fb94d04fb364d675e283faf97745b71ff8378f2fc84481415a1b531d233b5

SHA512
1be193014087024fd50757cfd797f2385eaaad8195adfc25a625cc1405496c5b558ff424e39b3282075c6ed53cc118601b6be4c95f980246169961212f3e7165

Download Submit
\agentsavesSessioncrt\hyperBlockServerSavesSession.exe

Filesize
2.3MB

MD5
22a0f7e0137b38061bcea6990ea2b3d8

SHA1
65b9d717a7a53df2bd8c58351510033e771cfd02

SHA256
ad7b5a48b29168ac72ab4d887e21021c3c63d4320de8b0b88ae8d295c98a051e

SHA512
192acb8169f883ece3af2c83eacef49bc6fa465bbe943b3716af785e8bb4bc959fe7e6457b14bb5474adba6fd5f18fc9e30bf2a1a63b5147d0dca5e52681ae25

Download Submit
memory/1060-108-0x00000000002A0000-0x00000000004E8000-memory.dmp

Filesize
2.3MB

Download
memory/1180-121-0x0000000001180000-0x00000000013C8000-memory.dmp

Filesize
2.3MB

Download
memory/2552-56-0x00000000003C0000-0x0000000000608000-memory.dmp

Filesize
2.3MB

Download
memory/2572-69-0x0000000000F80000-0x00000000011C8000-memory.dmp

Filesize
2.3MB

Download
memory/2736-21-0x0000000000F60000-0x0000000000FBA000-memory.dmp

Filesize
360KB

Download
memory/2736-23-0x0000000000410000-0x0000000000420000-memory.dmp

Filesize
64KB

Download
memory/2736-19-0x0000000000450000-0x0000000000468000-memory.dmp

Filesize
96KB

Download
memory/2736-17-0x0000000000430000-0x000000000044C000-memory.dmp

Filesize
112KB

Download
memory/2736-15-0x0000000000380000-0x000000000038E000-memory.dmp

Filesize
56KB

Download
memory/2736-13-0x0000000001290000-0x00000000014D8000-memory.dmp

Filesize
2.3MB

Download
memory/2736-25-0x0000000000420000-0x000000000042C000-memory.dmp

Filesize
48KB

Download
memory/2940-94-0x0000000001070000-0x00000000012B8000-memory.dmp

Filesize
2.3MB

Download
memory/2976-158-0x0000000001190000-0x00000000013D8000-memory.dmp

Filesize
2.3MB

Download