dcrat | 741f406af0d9813380255250f41bb4b5202575b0a95a5405b67520f5840393b1

Analysis

max time kernel
145s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
06-12-2024 11:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Sirius.exe
Size

2.4MB
MD5

e88e9ba128b0f902f05a24fc524b6642
SHA1

aead6538e5762c1dce5aa5a823e6a897395dfab9
SHA256

741f406af0d9813380255250f41bb4b5202575b0a95a5405b67520f5840393b1
SHA512

276a779d33dcd77c6222c98b5cc3fcbd095216213eb77d4d4b898320b0805729561a7f45d279d54bc7abb16f2f816e531e6dbddf3f95401f0f39d9458b4fc942
SSDEEP

24576:zTbBv5rUFz0sjTfN29w3R97qQqGv53D0pOuAw1sNv2pbP6inu0lPP1Y7QzqF:tBeHYiUm53D0mtv2pZFPPqUzs

Score

10^/10

dcrat discovery infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Media Player\\fontdrvhost.exe\", \"C:\\ChainBlockportcomnet\\services.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\hrtfs\\smss.exe\", \"C:\\ChainBlockportcomnet\\lsass.exe\", \"C:\\Windows\\AppReadiness\\unsecapp.exe\""	HyperFontReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Media Player\\fontdrvhost.exe\", \"C:\\ChainBlockportcomnet\\services.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\hrtfs\\smss.exe\", \"C:\\ChainBlockportcomnet\\lsass.exe\", \"C:\\Windows\\AppReadiness\\unsecapp.exe\", \"C:\\ChainBlockportcomnet\\HyperFontReview.exe\""	HyperFontReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Media Player\\fontdrvhost.exe\""	HyperFontReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Media Player\\fontdrvhost.exe\", \"C:\\ChainBlockportcomnet\\services.exe\""	HyperFontReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Media Player\\fontdrvhost.exe\", \"C:\\ChainBlockportcomnet\\services.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\hrtfs\\smss.exe\""	HyperFontReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Media Player\\fontdrvhost.exe\", \"C:\\ChainBlockportcomnet\\services.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\hrtfs\\smss.exe\", \"C:\\ChainBlockportcomnet\\lsass.exe\""	HyperFontReview.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	872	784	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4460	784	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	784	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2092	784	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3288	784	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	232	784	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	784	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	784	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3920	784	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	784	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3632	784	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1356	784	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1872	784	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	784	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	868	784	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	784	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	784	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	784	schtasks.exe	81

Executes dropped EXE 15 IoCs

pid	Process
4360	HyperFontReview.exe
2644	services.exe
5072	services.exe
2496	services.exe
2768	services.exe
2144	services.exe
1160	services.exe
1872	services.exe
4552	services.exe
4448	services.exe
1536	services.exe
3372	services.exe
3960	services.exe
5076	services.exe
5080	services.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\ChainBlockportcomnet\\services.exe\""	HyperFontReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files\\VideoLAN\\VLC\\hrtfs\\smss.exe\""	HyperFontReview.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\ChainBlockportcomnet\\lsass.exe\""	HyperFontReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\ChainBlockportcomnet\\lsass.exe\""	HyperFontReview.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Windows\\AppReadiness\\unsecapp.exe\""	HyperFontReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Windows\\AppReadiness\\unsecapp.exe\""	HyperFontReview.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\HyperFontReview = "\"C:\\ChainBlockportcomnet\\HyperFontReview.exe\""	HyperFontReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HyperFontReview = "\"C:\\ChainBlockportcomnet\\HyperFontReview.exe\""	HyperFontReview.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files\\Windows Media Player\\fontdrvhost.exe\""	HyperFontReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files\\Windows Media Player\\fontdrvhost.exe\""	HyperFontReview.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\ChainBlockportcomnet\\services.exe\""	HyperFontReview.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files\\VideoLAN\\VLC\\hrtfs\\smss.exe\""	HyperFontReview.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSCD384A07C9B154FE1A48489305D657330.TMP	csc.exe
File created	\??\c:\Windows\System32\08qcxp.exe	csc.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Media Player\5b884080fd4f94	HyperFontReview.exe
File created	C:\Program Files\VideoLAN\VLC\hrtfs\smss.exe	HyperFontReview.exe
File created	C:\Program Files\VideoLAN\VLC\hrtfs\69ddcba757bf72	HyperFontReview.exe
File created	C:\Program Files\Windows Media Player\fontdrvhost.exe	HyperFontReview.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\AppReadiness\unsecapp.exe	HyperFontReview.exe
File opened for modification	C:\Windows\AppReadiness\unsecapp.exe	HyperFontReview.exe
File created	C:\Windows\AppReadiness\29c1c3cc0f7685	HyperFontReview.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sirius.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 9 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4760	PING.EXE
3788	PING.EXE
3116	PING.EXE
3844	PING.EXE
2740	PING.EXE
952	PING.EXE
3364	PING.EXE
4368	PING.EXE
3860	PING.EXE

Modifies registry class 16 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings	HyperFontReview.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings	Sirius.exe

Runs ping.exe 1 TTPs 9 IoCs

Remote System Discovery

T1018

pid	Process
3364	PING.EXE
2740	PING.EXE
3844	PING.EXE
952	PING.EXE
4760	PING.EXE
3788	PING.EXE
3116	PING.EXE
4368	PING.EXE
3860	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
872	schtasks.exe
2092	schtasks.exe
1900	schtasks.exe
2600	schtasks.exe
1356	schtasks.exe
868	schtasks.exe
4460	schtasks.exe
3288	schtasks.exe
232	schtasks.exe
3920	schtasks.exe
1872	schtasks.exe
2380	schtasks.exe
2096	schtasks.exe
2412	schtasks.exe
2156	schtasks.exe
3632	schtasks.exe
1540	schtasks.exe
2988	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4360	HyperFontReview.exe
4360	HyperFontReview.exe
4360	HyperFontReview.exe
4360	HyperFontReview.exe
4360	HyperFontReview.exe
4360	HyperFontReview.exe
4360	HyperFontReview.exe
4360	HyperFontReview.exe
4360	HyperFontReview.exe
4360	HyperFontReview.exe
4360	HyperFontReview.exe
4360	HyperFontReview.exe
4360	HyperFontReview.exe
4360	HyperFontReview.exe
4360	HyperFontReview.exe
4360	HyperFontReview.exe
4360	HyperFontReview.exe
4360	HyperFontReview.exe
4360	HyperFontReview.exe
4360	HyperFontReview.exe
4360	HyperFontReview.exe
4360	HyperFontReview.exe
4360	HyperFontReview.exe
4360	HyperFontReview.exe
4360	HyperFontReview.exe
4360	HyperFontReview.exe
4360	HyperFontReview.exe
4360	HyperFontReview.exe
4360	HyperFontReview.exe
4360	HyperFontReview.exe
4360	HyperFontReview.exe
4360	HyperFontReview.exe
4360	HyperFontReview.exe
4360	HyperFontReview.exe
4360	HyperFontReview.exe
4360	HyperFontReview.exe
4360	HyperFontReview.exe
4360	HyperFontReview.exe
4360	HyperFontReview.exe
4360	HyperFontReview.exe
4360	HyperFontReview.exe
4360	HyperFontReview.exe
4360	HyperFontReview.exe
4360	HyperFontReview.exe
4360	HyperFontReview.exe
4360	HyperFontReview.exe
4360	HyperFontReview.exe
4360	HyperFontReview.exe
4360	HyperFontReview.exe
4360	HyperFontReview.exe
4360	HyperFontReview.exe
4360	HyperFontReview.exe
4360	HyperFontReview.exe
4360	HyperFontReview.exe
4360	HyperFontReview.exe
4360	HyperFontReview.exe
4360	HyperFontReview.exe
4360	HyperFontReview.exe
4360	HyperFontReview.exe
4360	HyperFontReview.exe
4360	HyperFontReview.exe
4360	HyperFontReview.exe
4360	HyperFontReview.exe
4360	HyperFontReview.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	4360	HyperFontReview.exe
Token: SeDebugPrivilege	2644	services.exe
Token: SeDebugPrivilege	5072	services.exe
Token: SeDebugPrivilege	2496	services.exe
Token: SeDebugPrivilege	2768	services.exe
Token: SeDebugPrivilege	2144	services.exe
Token: SeDebugPrivilege	1160	services.exe
Token: SeDebugPrivilege	1872	services.exe
Token: SeDebugPrivilege	4552	services.exe
Token: SeDebugPrivilege	4448	services.exe
Token: SeDebugPrivilege	1536	services.exe
Token: SeDebugPrivilege	3372	services.exe
Token: SeDebugPrivilege	3960	services.exe
Token: SeDebugPrivilege	5076	services.exe
Token: SeDebugPrivilege	5080	services.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 3900	2308	Sirius.exe	77
PID 2308 wrote to memory of 3900	2308	Sirius.exe	77
PID 2308 wrote to memory of 3900	2308	Sirius.exe	77
PID 3900 wrote to memory of 1496	3900	WScript.exe	78
PID 3900 wrote to memory of 1496	3900	WScript.exe	78
PID 3900 wrote to memory of 1496	3900	WScript.exe	78
PID 1496 wrote to memory of 4360	1496	cmd.exe	80
PID 1496 wrote to memory of 4360	1496	cmd.exe	80
PID 4360 wrote to memory of 4868	4360	HyperFontReview.exe	85
PID 4360 wrote to memory of 4868	4360	HyperFontReview.exe	85
PID 4868 wrote to memory of 4928	4868	csc.exe	87
PID 4868 wrote to memory of 4928	4868	csc.exe	87
PID 4360 wrote to memory of 3020	4360	HyperFontReview.exe	103
PID 4360 wrote to memory of 3020	4360	HyperFontReview.exe	103
PID 3020 wrote to memory of 3668	3020	cmd.exe	105
PID 3020 wrote to memory of 3668	3020	cmd.exe	105
PID 3020 wrote to memory of 3116	3020	cmd.exe	106
PID 3020 wrote to memory of 3116	3020	cmd.exe	106
PID 3020 wrote to memory of 2644	3020	cmd.exe	107
PID 3020 wrote to memory of 2644	3020	cmd.exe	107
PID 2644 wrote to memory of 4152	2644	services.exe	108
PID 2644 wrote to memory of 4152	2644	services.exe	108
PID 4152 wrote to memory of 4900	4152	cmd.exe	110
PID 4152 wrote to memory of 4900	4152	cmd.exe	110
PID 4152 wrote to memory of 396	4152	cmd.exe	111
PID 4152 wrote to memory of 396	4152	cmd.exe	111
PID 4152 wrote to memory of 5072	4152	cmd.exe	112
PID 4152 wrote to memory of 5072	4152	cmd.exe	112
PID 5072 wrote to memory of 1316	5072	services.exe	113
PID 5072 wrote to memory of 1316	5072	services.exe	113
PID 1316 wrote to memory of 2668	1316	cmd.exe	115
PID 1316 wrote to memory of 2668	1316	cmd.exe	115
PID 1316 wrote to memory of 2072	1316	cmd.exe	116
PID 1316 wrote to memory of 2072	1316	cmd.exe	116
PID 1316 wrote to memory of 2496	1316	cmd.exe	117
PID 1316 wrote to memory of 2496	1316	cmd.exe	117
PID 2496 wrote to memory of 4108	2496	services.exe	118
PID 2496 wrote to memory of 4108	2496	services.exe	118
PID 4108 wrote to memory of 1980	4108	cmd.exe	120
PID 4108 wrote to memory of 1980	4108	cmd.exe	120
PID 4108 wrote to memory of 3636	4108	cmd.exe	121
PID 4108 wrote to memory of 3636	4108	cmd.exe	121
PID 4108 wrote to memory of 2768	4108	cmd.exe	122
PID 4108 wrote to memory of 2768	4108	cmd.exe	122
PID 2768 wrote to memory of 916	2768	services.exe	123
PID 2768 wrote to memory of 916	2768	services.exe	123
PID 916 wrote to memory of 2504	916	cmd.exe	125
PID 916 wrote to memory of 2504	916	cmd.exe	125
PID 916 wrote to memory of 4368	916	cmd.exe	126
PID 916 wrote to memory of 4368	916	cmd.exe	126
PID 916 wrote to memory of 2144	916	cmd.exe	127
PID 916 wrote to memory of 2144	916	cmd.exe	127
PID 2144 wrote to memory of 1740	2144	services.exe	128
PID 2144 wrote to memory of 1740	2144	services.exe	128
PID 1740 wrote to memory of 2412	1740	cmd.exe	130
PID 1740 wrote to memory of 2412	1740	cmd.exe	130
PID 1740 wrote to memory of 3860	1740	cmd.exe	131
PID 1740 wrote to memory of 3860	1740	cmd.exe	131
PID 1740 wrote to memory of 1160	1740	cmd.exe	132
PID 1740 wrote to memory of 1160	1740	cmd.exe	132
PID 1160 wrote to memory of 4540	1160	services.exe	133
PID 1160 wrote to memory of 4540	1160	services.exe	133
PID 4540 wrote to memory of 4536	4540	cmd.exe	135
PID 4540 wrote to memory of 4536	4540	cmd.exe	135

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Sirius.exe
"C:\Users\Admin\AppData\Local\Temp\Sirius.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\ChainBlockportcomnet\NjC268YrIE3.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3900
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\ChainBlockportcomnet\cz7Hmt9rVGQXaOiUvs0kcu0Nht.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1496
  - - C:\ChainBlockportcomnet\HyperFontReview.exe
      "C:\ChainBlockportcomnet/HyperFontReview.exe"
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4360
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\d0uyyehu\d0uyyehu.cmdline"
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4868
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE413.tmp" "c:\Windows\System32\CSCD384A07C9B154FE1A48489305D657330.TMP"
        6⤵
        
        PID:4928
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ferorpes5Y.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3020
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:3668
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3116
      - C:\ChainBlockportcomnet\services.exe
        
        "C:\ChainBlockportcomnet\services.exe"
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2644
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tTiAPHrSld.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4152
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:4900
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:396
        
        C:\ChainBlockportcomnet\services.exe
        
        "C:\ChainBlockportcomnet\services.exe"
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5072
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D80XHT6V1e.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1316
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:2668
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2072
        
        C:\ChainBlockportcomnet\services.exe
        
        "C:\ChainBlockportcomnet\services.exe"
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2496
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GG2IJpovkJ.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:4108
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:1980
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:3636
        
        C:\ChainBlockportcomnet\services.exe
        
        "C:\ChainBlockportcomnet\services.exe"
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iZ9ZaL1wLl.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:916
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:2504
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4368
        
        C:\ChainBlockportcomnet\services.exe
        
        "C:\ChainBlockportcomnet\services.exe"
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2144
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tuGXyMaJvX.bat"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:1740
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2412
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3860
        
        C:\ChainBlockportcomnet\services.exe
        
        "C:\ChainBlockportcomnet\services.exe"
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1160
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bjcQ5hKx2L.bat"
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:4540
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:4536
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2156
        
        C:\ChainBlockportcomnet\services.exe
        
        "C:\ChainBlockportcomnet\services.exe"
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1872
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AeLHIw7ndo.bat"
        19⤵
        
        PID:4668
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:564
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2740
        
        C:\ChainBlockportcomnet\services.exe
        
        "C:\ChainBlockportcomnet\services.exe"
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4552
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0KEJuvYQ32.bat"
        21⤵
        
        PID:3500
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:3800
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3844
        
        C:\ChainBlockportcomnet\services.exe
        
        "C:\ChainBlockportcomnet\services.exe"
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4448
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2ERwRXGzbm.bat"
        23⤵
        
        PID:960
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:4676
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:952
        
        C:\ChainBlockportcomnet\services.exe
        
        "C:\ChainBlockportcomnet\services.exe"
        24⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1536
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8Bh0KQ75Gy.bat"
        25⤵
        
        PID:3884
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:2544
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:4984
        
        C:\ChainBlockportcomnet\services.exe
        
        "C:\ChainBlockportcomnet\services.exe"
        26⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3372
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\r03uRlrkNn.bat"
        27⤵
        
        PID:4824
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:4584
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4760
        
        C:\ChainBlockportcomnet\services.exe
        
        "C:\ChainBlockportcomnet\services.exe"
        28⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3960
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8Bh0KQ75Gy.bat"
        29⤵
        
        PID:412
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:4572
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        30⤵
        
        PID:1352
        
        C:\ChainBlockportcomnet\services.exe
        
        "C:\ChainBlockportcomnet\services.exe"
        30⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5076
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xqZ3vPYigC.bat"
        31⤵
        
        PID:3308
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:2356
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3788
        
        C:\ChainBlockportcomnet\services.exe
        
        "C:\ChainBlockportcomnet\services.exe"
        32⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5080
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cO0v9X3fOA.bat"
        33⤵
        
        PID:2788
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        34⤵
        
        PID:1664
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        34⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Media Player\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Media Player\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\ChainBlockportcomnet\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\ChainBlockportcomnet\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\ChainBlockportcomnet\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\ChainBlockportcomnet\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\ChainBlockportcomnet\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\ChainBlockportcomnet\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\Windows\AppReadiness\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\AppReadiness\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Windows\AppReadiness\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "HyperFontReviewH" /sc MINUTE /mo 6 /tr "'C:\ChainBlockportcomnet\HyperFontReview.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "HyperFontReview" /sc ONLOGON /tr "'C:\ChainBlockportcomnet\HyperFontReview.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "HyperFontReviewH" /sc MINUTE /mo 10 /tr "'C:\ChainBlockportcomnet\HyperFontReview.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ChainBlockportcomnet\HyperFontReview.exe

Filesize
1.8MB

MD5
567cd508bc0600d5b2e390422d5801b7

SHA1
093d100e41e9d24b6b72e0f3d8b00ab7efcdb201

SHA256
4e180cc9f48bcc3ab5532dbc7b0a6ce389d5dda4c6a91aa078fc717ff9bddfef

SHA512
eb8ceabbf6c7518c76c2027533fea4c4a405c5f106edffea228e16e9fd0fa5d0365f5b480cb16f10129cf022ca1fdf1e102bb99c3e1fc8805f4a7a00bd57613e

Download Submit
C:\ChainBlockportcomnet\NjC268YrIE3.vbe

Filesize
225B

MD5
c116b7f56f9a648b221b2eb1738cc725

SHA1
fa990cef96e5a8566e0ebec696b30ef06beb96b0

SHA256
b3fe07c8d460ec9392585cabac43a635c5022cc58cc805b46ce66fed18736571

SHA512
68f07f604a0cea97cedaac041c61aa4eabf4f41b5901a3affc2a94c1678bc11cc4c6115d7afe3c31cc821053ef0d65562760c0214e720c7ad0f6ec6461673a1e

Download Submit
C:\ChainBlockportcomnet\cz7Hmt9rVGQXaOiUvs0kcu0Nht.bat

Filesize
77B

MD5
2ed11b1529600db8518888a8d4f1990e

SHA1
21961a59c7f22c04d0704f1a29c1e7720156f942

SHA256
eb402b7e0d0145ca49d3c43df2b134fd9a8f2ae3a07319a9cb0e70fba6e7d06b

SHA512
e40fa81fceb25ff396fb6bcdba1a15f3ce437ed4fda6754f4ff41d60a852cdc6aa25ab622652ccb0ab94e14ab9e56829cdfc4aaec233ca2307efa142ed34ce5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\services.exe.log

Filesize
1KB

MD5
f2e58a4d6897d4adf2e33ca36ace55ce

SHA1
67294a7cca4e465fa83b73debd117b3e6f8277d3

SHA256
c146c805685f0d4962c861f33b3ed0740cc7a21f97e79bdf0411dab030d85b1d

SHA512
5e1a8525517f2d1e0d2e422ad06ec3cf2e22252c77f320d36db6792f39b1f6473eb7a0d34518178f705921c51c2c2ded71c2167ab6605c6262d29da4c16e1bb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\0KEJuvYQ32.bat

Filesize
164B

MD5
84355e9d5604cba3901dcd1fe9749c2d

SHA1
49d55252651598714649f10860c4ab7eeca0b1d1

SHA256
2da23935682aa741693a72cbe6b55a0e566b2bcf6ed9a3b2f66f385d053e850b

SHA512
709c5a7dfe07fdc1c7f60e172c4340904b5a774f23b709aea146649cac7eef6625a54f767c1e4354c4b3f4d7e7d56655ee40a97e1f727d8006a6b971b481df80

Download Submit
C:\Users\Admin\AppData\Local\Temp\2ERwRXGzbm.bat

Filesize
164B

MD5
c814bf559914086ff3235006a4b5fd1a

SHA1
0c7bbfe64744822cc2fd0f62054a008cbbeca1b3

SHA256
93700be27e23d5e87330809f233b74a086663f4c7587bec177611c594a98eaac

SHA512
8a785964caf239ad4c0149633d9981736ad0ff51336e781e0102a79cda826dffb1d90a47d4c6d63ce359b87516105c6cda627c7c1d6d4a8a2713845608d64737

Download Submit
C:\Users\Admin\AppData\Local\Temp\8Bh0KQ75Gy.bat

Filesize
212B

MD5
ac957fe8329a3e315dd35e691f5d4d83

SHA1
a4cb17b0f913fd3ef61529abf37db80dbd577ff1

SHA256
dcb2cd1f12688fbb75bfa6dad99fe885d579426e4d878bc93db515c017562cfc

SHA512
5e370167f40ea2453ac4060581ebae655d4ee2fc3be4df2f4eb0ff0ccdf38fa164cec3fd7634223042b69aae03e42538463f5f81fd27666e8a0f8eeacf8a4984

Download Submit
C:\Users\Admin\AppData\Local\Temp\AeLHIw7ndo.bat

Filesize
164B

MD5
d26795f5a09fdc9b3bfac9de405dc9bc

SHA1
a2dc830f5b06dbb8c4ef7907185abfd324b7fbe1

SHA256
70a38c19742ae1b4000a49e48096e9be3bdc0e3c60b6eba03d16da2ae70cfb44

SHA512
ef86ece701db5a71ad9c1d06e58bffb1e68ac0cd0692d1b0ef98f29ef67e3fbed8a9337941cf88561fb4aa5547d507c4c9a09a8b8f0ef7d41365072f2b63371e

Download Submit
C:\Users\Admin\AppData\Local\Temp\D80XHT6V1e.bat

Filesize
212B

MD5
8cb30d436b9ae9a660e9f77008b651bf

SHA1
6890c464bf4b087c6cc5562588502c06ec57f3f4

SHA256
c0e04153d52e955a274f600dec172b2f1a40efdabb1d99a96d516a0ee1696792

SHA512
9fb2e9713aaea92373c460cb12da8ba4c1760ce3188327439660745ca062b2c547c192e812274548ff5317e8c174f6c33c9cf958230eaa181ea2af973452eb92

Download Submit
C:\Users\Admin\AppData\Local\Temp\GG2IJpovkJ.bat

Filesize
212B

MD5
bd428211986a822bd57e75a763dd4fd1

SHA1
d52d3ca182c364fbabf29fc82159541ef0b3314e

SHA256
db32051cd7c9739532365280581906ad1aa258ecb71dcfacc8520799bc90ae8d

SHA512
31822dbe5b906d2d2c476cf14e8705efb8e50e12e36f716c2b0db17cead7a83d40ef53327872cdab79a5835e282bea0bb2de76bd3336ea060a2e9757c6187270

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE413.tmp

Filesize
1KB

MD5
2ec0b7ea6a7cd6349f314fbc00cad71e

SHA1
4e5f9156d97146b6b408db3a7f20d4291fada187

SHA256
126078b7fe0ca3813b9f35f9d9316e8ea923be27efffbd0e70612670ca5fca33

SHA512
b15b051a3e7c64b7e60997ea3db01584af42d66b785f38289f0cb5e5bc142283aa60754673803c02cce2f2a63338bbdae63178dca8872b9301bb336c5df52619

Download Submit
C:\Users\Admin\AppData\Local\Temp\bjcQ5hKx2L.bat

Filesize
212B

MD5
6bb5d86630cd72538e8f1c369520af53

SHA1
a2183aaa33ddfdf477a7baa50ad1fd6d2b2228aa

SHA256
d9379e7bfba472b40d1cd69eeaf709327b75ee92a76f8c7ac2eaa8610cbe75e5

SHA512
71c7bbd6a83e495c67b2daa477a1d64c863ce5cfeed70759c036c13ba379b0307122497c74ff2ffb0f50e2e0df05988d435f9f7c77bc53e8585fbce7dec09809

Download Submit
C:\Users\Admin\AppData\Local\Temp\cO0v9X3fOA.bat

Filesize
164B

MD5
207b6293d94e2948167cbab3b8cc547d

SHA1
7318b51c217e04a5b6cf9612c6d8b0dd9ec94334

SHA256
ab8ac23cc63f23f80bb1b4e3d8077f79113f5a28a438e63d50621102186f9dbd

SHA512
b72930f7e6b497a92d88c03f3841f0e014f8420ba1dadc7b2b27bfa0cee7bcf7bf318084ddafd78739805d73713fc5c89f67786ca3e17f2986a15bdf62b7ae8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ferorpes5Y.bat

Filesize
164B

MD5
a98a0228dab4a6d61095741e339e1763

SHA1
2d64a42069b7a11b225353fb806f0ae435cd0eb9

SHA256
0289ebf8bcaa5175d54bce68ae2b508d6f403da3b6db53c986e5535b2c3d7205

SHA512
0914f22c90ab9983eaa20f2d76b8646584d9171c040d0b6ea3adfb2c739bdf8ea61f67b1610f6a46ab5e9b0d651bae0248fe973a5e661df26f9297e9d41d9e9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\iZ9ZaL1wLl.bat

Filesize
164B

MD5
b2d79f496ba1d7bdef13d7f90350b231

SHA1
b852c6e0c1e549df5235f878258093982abe73b2

SHA256
cac1e97c3b286ed7489a338637d0170494d9ae7009ef8e200e4bca0e287e1a53

SHA512
0561721db3b668fffa3399d2e1263e6dd410c43e422013a68e7c89a1d3a32d5140c5ab2ea24d95ff7a844b1190dab412f91be44e1f20b8a5db082280317021db

Download Submit
C:\Users\Admin\AppData\Local\Temp\r03uRlrkNn.bat

Filesize
164B

MD5
9bdd75d868f63b0216d9b58097413e08

SHA1
639e3a8ae6af13b8bd39aa44b801d55450983e5d

SHA256
b076cf314942c0d5175dd90c08c4594b0ca73d00f01eba9d8b4a8be93d553993

SHA512
a4dca263259aa58e0648f549c247437b88fce3a3a751ce8468118dbd71af1cc3412086f3efd882f8ea712fc8fea195090a7b93cf1a10410cc54982b3cf0e5add

Download Submit
C:\Users\Admin\AppData\Local\Temp\tTiAPHrSld.bat

Filesize
212B

MD5
449ccecc5eb88a8081ceb7931b8f00ef

SHA1
35ccdd9e68072730fbbd5ffac8c0dfcfc20d719f

SHA256
e0459f4f907316336750ba70c519382dff94adb2dea5dc72fc2582e48a0078ed

SHA512
79cd68291b49999952b2686461c528dfdfa70ea6441ac6ee861c98e8aa4b3f092543e54aab78bce581589f13cf723591a47317077f731cf6ec8c79f2544a2108

Download Submit
C:\Users\Admin\AppData\Local\Temp\tuGXyMaJvX.bat

Filesize
164B

MD5
63b011c827101776e501b38713f1ba1d

SHA1
c6fceff8ffec60062adb57cc13ce7f8a76c8d67b

SHA256
494068bfec040ae1413241e371f028081be4605115153d9f1b06901cd649c272

SHA512
d9220fd3b2510015008da07bf9a5ff553c766191b47db3b9d5e2dec5fd5e4269276fa544fcea2f317a1bebabe38280cdafbf16bec271fcaf1822352976c0b81e

Download Submit
C:\Users\Admin\AppData\Local\Temp\xqZ3vPYigC.bat

Filesize
164B

MD5
b33df6bc5f72537aa51f160515bb00df

SHA1
4b535ce39f11c847d9f47216fa5f983ad1efdc31

SHA256
8bd7564650964e4b141fd0cbda473e9509775240cd1c8cd414697a1845c66ed3

SHA512
b90d225e855b618b416bdc9d4f697241730c638191628ab9672a68f05311a173df43f97393798cefb61b37fb005d4f9dc04dafc2d2f85ae941ce0f5dedc8181c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\d0uyyehu\d0uyyehu.0.cs

Filesize
385B

MD5
98079a99a996f2de39e373c1615f4361

SHA1
947f1f3c9e9fb5b1d91760f3b185d394f490a856

SHA256
89e013980bed9323fe0f6ba86edbb30f3923c44ee5134a87e2cc6ca2b7bcd696

SHA512
2d2f3f840312f890cb39468cba1958281238fd1f17f4c1608a84040fab55fa73e875fe60472f3af6252e73ecdc9d3a1ac286c14aceee730d9b61b3f27f7b9234

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\d0uyyehu\d0uyyehu.cmdline

Filesize
235B

MD5
feb930f5a840a1a3fce5a9148f21680b

SHA1
3df020d9a7c04f518dc7873911904bac3561e5b6

SHA256
ec062ef794beff9fc4f73c38131f0289ba05241dbe5462c9a927d0b4be6c8423

SHA512
6b456b73a90789954229a0e67ff0a8b73af6cd1d42ea4679e58cbed4bfbb25557fd67efb4c3df4023d63e6cf461bee04a2d28c8cd3fae15b41fce0807f667fbf

Download Submit
\??\c:\Windows\System32\CSCD384A07C9B154FE1A48489305D657330.TMP

Filesize
1KB

MD5
f6b0cf33d40800ff7679b60ed7444811

SHA1
42a5e5c721ca22c13948e6ff98922dab96f8a9ef

SHA256
3a62ebbf47ddd57e7f21d7c6396d2b1fde922394d2d3e76de4ecc9912aaf274c

SHA512
c79cec62649ce22cb8a38b2bdd515c1f4d9fba2f9db5d650a158b3cc0d03caa6e78df72aa767a45d6719d02ed5dfe400f8efca07a8138bd391df49f04f147f00

Download Submit
memory/4360-20-0x000000001C4F0000-0x000000001C508000-memory.dmp

Filesize
96KB

Download
memory/4360-18-0x000000001C540000-0x000000001C590000-memory.dmp

Filesize
320KB

Download
memory/4360-17-0x000000001B5D0000-0x000000001B5EC000-memory.dmp

Filesize
112KB

Download
memory/4360-15-0x0000000002BC0000-0x0000000002BCE000-memory.dmp

Filesize
56KB

Download
memory/4360-13-0x00000000008A0000-0x0000000000A7A000-memory.dmp

Filesize
1.9MB

Download
memory/4360-22-0x0000000002BD0000-0x0000000002BDC000-memory.dmp

Filesize
48KB

Download
memory/4360-12-0x00007FFC2A033000-0x00007FFC2A035000-memory.dmp

Filesize
8KB

Download