dcrat | fb145a248667da2c0f287c070250dc501c7b3d03df44f22e4f50a735599923d4

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 06:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fb145a248667da2c0f287c070250dc501c7b3d03df44f22e4f50a735599923d4.exe
Size

2.0MB
MD5

ff6e26dc9893c97196aefe245defeff9
SHA1

6ec3649790e948299b43bc522ee6d3fc9d10f769
SHA256

fb145a248667da2c0f287c070250dc501c7b3d03df44f22e4f50a735599923d4
SHA512

6c4f76b35b0a90ca8e132d20a3b9d0eaf4752c6c49efe9a6f180b3b7a2091af55f8cab0be881e499a90da496ccbce7550eba4d8a3bc124060b429d44fb08e0a0
SSDEEP

49152:1Djlabwz9WV429A3twp/pZ5zUg45hGUrf/osAX4RUhpKT/+qYiv:Zqw+T9ewpRzz6OUkR4R7TmqYK

Score

10^/10

dcrat discovery infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\sppsvc.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\sppsvc.exe\", \"C:\\Users\\Default\\Recent\\csrss.exe\""	blockPortServerdriverRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\sppsvc.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\sppsvc.exe\", \"C:\\Users\\Default\\Recent\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\smss.exe\""	blockPortServerdriverRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\sppsvc.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\sppsvc.exe\", \"C:\\Users\\Default\\Recent\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\smss.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\dllhost.exe\""	blockPortServerdriverRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\sppsvc.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\sppsvc.exe\", \"C:\\Users\\Default\\Recent\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\smss.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\dllhost.exe\", \"C:\\blockPortServerdriverRuntime.exe\""	blockPortServerdriverRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\sppsvc.exe\""	blockPortServerdriverRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\sppsvc.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\sppsvc.exe\""	blockPortServerdriverRuntime.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	2476	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	2476	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1332	2476	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	2476	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	2476	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	2476	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	2476	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2488	2476	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1148	2476	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	2476	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	2476	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	2476	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	2476	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	2476	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	2476	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3064	2476	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	2476	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	956	2476	schtasks.exe	34

Executes dropped EXE 16 IoCs

pid	Process
2484	blockPortServerdriverRuntime.sfx.exe
2924	blockPortServerdriverRuntime.exe
1680	sppsvc.exe
880	sppsvc.exe
1700	sppsvc.exe
2712	sppsvc.exe
1092	sppsvc.exe
2180	sppsvc.exe
2876	sppsvc.exe
3068	sppsvc.exe
752	sppsvc.exe
1720	sppsvc.exe
2808	sppsvc.exe
1200	sppsvc.exe
2008	sppsvc.exe
2404	sppsvc.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\blockPortServerdriverRuntime = "\"C:\\blockPortServerdriverRuntime.exe\""	blockPortServerdriverRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\blockPortServerdriverRuntime = "\"C:\\blockPortServerdriverRuntime.exe\""	blockPortServerdriverRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Default\\Recent\\csrss.exe\""	blockPortServerdriverRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\sppsvc.exe\""	blockPortServerdriverRuntime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Default\\Recent\\csrss.exe\""	blockPortServerdriverRuntime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\smss.exe\""	blockPortServerdriverRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\smss.exe\""	blockPortServerdriverRuntime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\dllhost.exe\""	blockPortServerdriverRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\dllhost.exe\""	blockPortServerdriverRuntime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\sppsvc.exe\""	blockPortServerdriverRuntime.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC6C36C6D933A48929EBE5248F29CD10.TMP	csc.exe
File created	\??\c:\Windows\System32\dzuhbf.exe	csc.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\dllhost.exe	blockPortServerdriverRuntime.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\dllhost.exe	blockPortServerdriverRuntime.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\5940a34987c991	blockPortServerdriverRuntime.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 6 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2000	PING.EXE
2064	PING.EXE
2908	PING.EXE
2684	PING.EXE
2368	PING.EXE
2384	PING.EXE

Runs ping.exe 1 TTPs 6 IoCs

Remote System Discovery

T1018

pid	Process
2384	PING.EXE
2000	PING.EXE
2064	PING.EXE
2908	PING.EXE
2684	PING.EXE
2368	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1332	schtasks.exe
1500	schtasks.exe
2488	schtasks.exe
1672	schtasks.exe
2860	schtasks.exe
2856	schtasks.exe
2380	schtasks.exe
3064	schtasks.exe
1092	schtasks.exe
2028	schtasks.exe
2260	schtasks.exe
956	schtasks.exe
2148	schtasks.exe
2248	schtasks.exe
2988	schtasks.exe
1148	schtasks.exe
2068	schtasks.exe
2152	schtasks.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 14 IoCs

pid	Process
1680	sppsvc.exe
880	sppsvc.exe
1700	sppsvc.exe
2712	sppsvc.exe
1092	sppsvc.exe
2180	sppsvc.exe
2876	sppsvc.exe
3068	sppsvc.exe
752	sppsvc.exe
1720	sppsvc.exe
2808	sppsvc.exe
1200	sppsvc.exe
2008	sppsvc.exe
2404	sppsvc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2924	blockPortServerdriverRuntime.exe
2924	blockPortServerdriverRuntime.exe
2924	blockPortServerdriverRuntime.exe
2924	blockPortServerdriverRuntime.exe
2924	blockPortServerdriverRuntime.exe
2924	blockPortServerdriverRuntime.exe
2924	blockPortServerdriverRuntime.exe
2924	blockPortServerdriverRuntime.exe
2924	blockPortServerdriverRuntime.exe
2924	blockPortServerdriverRuntime.exe
2924	blockPortServerdriverRuntime.exe
2924	blockPortServerdriverRuntime.exe
2924	blockPortServerdriverRuntime.exe
2924	blockPortServerdriverRuntime.exe
2924	blockPortServerdriverRuntime.exe
2924	blockPortServerdriverRuntime.exe
2924	blockPortServerdriverRuntime.exe
2924	blockPortServerdriverRuntime.exe
2924	blockPortServerdriverRuntime.exe
2924	blockPortServerdriverRuntime.exe
2924	blockPortServerdriverRuntime.exe
2924	blockPortServerdriverRuntime.exe
2924	blockPortServerdriverRuntime.exe
2924	blockPortServerdriverRuntime.exe
2924	blockPortServerdriverRuntime.exe
2924	blockPortServerdriverRuntime.exe
2924	blockPortServerdriverRuntime.exe
2924	blockPortServerdriverRuntime.exe
2924	blockPortServerdriverRuntime.exe
2924	blockPortServerdriverRuntime.exe
2924	blockPortServerdriverRuntime.exe
2924	blockPortServerdriverRuntime.exe
2924	blockPortServerdriverRuntime.exe
2924	blockPortServerdriverRuntime.exe
2924	blockPortServerdriverRuntime.exe
2924	blockPortServerdriverRuntime.exe
2924	blockPortServerdriverRuntime.exe
2924	blockPortServerdriverRuntime.exe
2924	blockPortServerdriverRuntime.exe
2924	blockPortServerdriverRuntime.exe
2924	blockPortServerdriverRuntime.exe
2924	blockPortServerdriverRuntime.exe
2924	blockPortServerdriverRuntime.exe
2924	blockPortServerdriverRuntime.exe
2924	blockPortServerdriverRuntime.exe
2924	blockPortServerdriverRuntime.exe
2924	blockPortServerdriverRuntime.exe
2924	blockPortServerdriverRuntime.exe
2924	blockPortServerdriverRuntime.exe
2924	blockPortServerdriverRuntime.exe
2924	blockPortServerdriverRuntime.exe
2924	blockPortServerdriverRuntime.exe
2924	blockPortServerdriverRuntime.exe
2924	blockPortServerdriverRuntime.exe
2924	blockPortServerdriverRuntime.exe
2924	blockPortServerdriverRuntime.exe
2924	blockPortServerdriverRuntime.exe
2924	blockPortServerdriverRuntime.exe
2924	blockPortServerdriverRuntime.exe
2924	blockPortServerdriverRuntime.exe
1680	sppsvc.exe
1680	sppsvc.exe
1680	sppsvc.exe
1680	sppsvc.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	2924	blockPortServerdriverRuntime.exe
Token: SeDebugPrivilege	1680	sppsvc.exe
Token: SeDebugPrivilege	880	sppsvc.exe
Token: SeDebugPrivilege	1700	sppsvc.exe
Token: SeDebugPrivilege	2712	sppsvc.exe
Token: SeDebugPrivilege	1092	sppsvc.exe
Token: SeDebugPrivilege	2180	sppsvc.exe
Token: SeDebugPrivilege	2876	sppsvc.exe
Token: SeDebugPrivilege	3068	sppsvc.exe
Token: SeDebugPrivilege	752	sppsvc.exe
Token: SeDebugPrivilege	1720	sppsvc.exe
Token: SeDebugPrivilege	2808	sppsvc.exe
Token: SeDebugPrivilege	1200	sppsvc.exe
Token: SeDebugPrivilege	2008	sppsvc.exe
Token: SeDebugPrivilege	2404	sppsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2512 wrote to memory of 2568	2512	fb145a248667da2c0f287c070250dc501c7b3d03df44f22e4f50a735599923d4.exe	30
PID 2512 wrote to memory of 2568	2512	fb145a248667da2c0f287c070250dc501c7b3d03df44f22e4f50a735599923d4.exe	30
PID 2512 wrote to memory of 2568	2512	fb145a248667da2c0f287c070250dc501c7b3d03df44f22e4f50a735599923d4.exe	30
PID 2568 wrote to memory of 2484	2568	cmd.exe	32
PID 2568 wrote to memory of 2484	2568	cmd.exe	32
PID 2568 wrote to memory of 2484	2568	cmd.exe	32
PID 2484 wrote to memory of 2924	2484	blockPortServerdriverRuntime.sfx.exe	33
PID 2484 wrote to memory of 2924	2484	blockPortServerdriverRuntime.sfx.exe	33
PID 2484 wrote to memory of 2924	2484	blockPortServerdriverRuntime.sfx.exe	33
PID 2924 wrote to memory of 1484	2924	blockPortServerdriverRuntime.exe	38
PID 2924 wrote to memory of 1484	2924	blockPortServerdriverRuntime.exe	38
PID 2924 wrote to memory of 1484	2924	blockPortServerdriverRuntime.exe	38
PID 1484 wrote to memory of 576	1484	csc.exe	40
PID 1484 wrote to memory of 576	1484	csc.exe	40
PID 1484 wrote to memory of 576	1484	csc.exe	40
PID 2924 wrote to memory of 1816	2924	blockPortServerdriverRuntime.exe	56
PID 2924 wrote to memory of 1816	2924	blockPortServerdriverRuntime.exe	56
PID 2924 wrote to memory of 1816	2924	blockPortServerdriverRuntime.exe	56
PID 1816 wrote to memory of 1556	1816	cmd.exe	58
PID 1816 wrote to memory of 1556	1816	cmd.exe	58
PID 1816 wrote to memory of 1556	1816	cmd.exe	58
PID 1816 wrote to memory of 2156	1816	cmd.exe	59
PID 1816 wrote to memory of 2156	1816	cmd.exe	59
PID 1816 wrote to memory of 2156	1816	cmd.exe	59
PID 1816 wrote to memory of 1680	1816	cmd.exe	61
PID 1816 wrote to memory of 1680	1816	cmd.exe	61
PID 1816 wrote to memory of 1680	1816	cmd.exe	61
PID 1816 wrote to memory of 1680	1816	cmd.exe	61
PID 1816 wrote to memory of 1680	1816	cmd.exe	61
PID 1680 wrote to memory of 1172	1680	sppsvc.exe	62
PID 1680 wrote to memory of 1172	1680	sppsvc.exe	62
PID 1680 wrote to memory of 1172	1680	sppsvc.exe	62
PID 1172 wrote to memory of 2456	1172	cmd.exe	64
PID 1172 wrote to memory of 2456	1172	cmd.exe	64
PID 1172 wrote to memory of 2456	1172	cmd.exe	64
PID 1172 wrote to memory of 2384	1172	cmd.exe	65
PID 1172 wrote to memory of 2384	1172	cmd.exe	65
PID 1172 wrote to memory of 2384	1172	cmd.exe	65
PID 1172 wrote to memory of 880	1172	cmd.exe	66
PID 1172 wrote to memory of 880	1172	cmd.exe	66
PID 1172 wrote to memory of 880	1172	cmd.exe	66
PID 1172 wrote to memory of 880	1172	cmd.exe	66
PID 1172 wrote to memory of 880	1172	cmd.exe	66
PID 880 wrote to memory of 2204	880	sppsvc.exe	67
PID 880 wrote to memory of 2204	880	sppsvc.exe	67
PID 880 wrote to memory of 2204	880	sppsvc.exe	67
PID 2204 wrote to memory of 2552	2204	cmd.exe	69
PID 2204 wrote to memory of 2552	2204	cmd.exe	69
PID 2204 wrote to memory of 2552	2204	cmd.exe	69
PID 2204 wrote to memory of 2560	2204	cmd.exe	70
PID 2204 wrote to memory of 2560	2204	cmd.exe	70
PID 2204 wrote to memory of 2560	2204	cmd.exe	70
PID 2204 wrote to memory of 1700	2204	cmd.exe	71
PID 2204 wrote to memory of 1700	2204	cmd.exe	71
PID 2204 wrote to memory of 1700	2204	cmd.exe	71
PID 2204 wrote to memory of 1700	2204	cmd.exe	71
PID 2204 wrote to memory of 1700	2204	cmd.exe	71
PID 1700 wrote to memory of 2768	1700	sppsvc.exe	72
PID 1700 wrote to memory of 2768	1700	sppsvc.exe	72
PID 1700 wrote to memory of 2768	1700	sppsvc.exe	72
PID 2768 wrote to memory of 2896	2768	cmd.exe	74
PID 2768 wrote to memory of 2896	2768	cmd.exe	74
PID 2768 wrote to memory of 2896	2768	cmd.exe	74
PID 2768 wrote to memory of 2772	2768	cmd.exe	75

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\fb145a248667da2c0f287c070250dc501c7b3d03df44f22e4f50a735599923d4.exe
"C:\Users\Admin\AppData\Local\Temp\fb145a248667da2c0f287c070250dc501c7b3d03df44f22e4f50a735599923d4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\1.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2568
- - C:\blockPortServerdriverRuntime.sfx.exe
    blockPortServerdriverRuntime.sfx.exe -p1234
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2484
  - - C:\blockPortServerdriverRuntime.exe
      "C:\blockPortServerdriverRuntime.exe"
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2924
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yb5quqll\yb5quqll.cmdline"
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1484
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC275.tmp" "c:\Windows\System32\CSC6C36C6D933A48929EBE5248F29CD10.TMP"
        6⤵
        
        PID:576
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\noVjtIxUE0.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1816
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1556
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2156
      - C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\sppsvc.exe
        
        "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\sppsvc.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ibWrXDwbZz.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1172
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2456
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2384
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\sppsvc.exe
        
        "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\sppsvc.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:880
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wvZOdU8aJP.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2204
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:2552
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2560
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\sppsvc.exe
        
        "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\sppsvc.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1700
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oXOdSEs2zx.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:2896
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2772
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\sppsvc.exe
        
        "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\sppsvc.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:2712
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zsJdcY9yPm.bat"
        13⤵
        
        PID:2636
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:1200
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1684
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\sppsvc.exe
        
        "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\sppsvc.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:1092
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SJ5NCAOpEX.bat"
        15⤵
        
        PID:2836
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2860
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2000
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\sppsvc.exe
        
        "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\sppsvc.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:2180
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OLOaIFVkFd.bat"
        17⤵
        
        PID:1224
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2380
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2144
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\sppsvc.exe
        
        "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\sppsvc.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:2876
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6HUNmoPWiE.bat"
        19⤵
        
        PID:2212
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:1940
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2508
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\sppsvc.exe
        
        "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\sppsvc.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:3068
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HdPNv8gS74.bat"
        21⤵
        
        PID:616
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:1904
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1072
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\sppsvc.exe
        
        "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\sppsvc.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:752
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jpLz1yvSlu.bat"
        23⤵
        
        PID:888
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:2032
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2064
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\sppsvc.exe
        
        "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\sppsvc.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:1720
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7p8ySQy6iH.bat"
        25⤵
        
        PID:2320
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:2392
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2908
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\sppsvc.exe
        
        "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\sppsvc.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:2808
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aRcytkisn9.bat"
        27⤵
        
        PID:1396
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:2792
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2684
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\sppsvc.exe
        
        "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\sppsvc.exe"
        28⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:1200
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jAyUy8CkP5.bat"
        29⤵
        
        PID:1988
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:576
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        30⤵
        
        PID:1484
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\sppsvc.exe
        
        "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\sppsvc.exe"
        30⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:2008
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hNUloleJD7.bat"
        31⤵
        
        PID:496
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:1604
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2368
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\sppsvc.exe
        
        "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\sppsvc.exe"
        32⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:2404
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j2RXpaL3EF.bat"
        33⤵
        
        PID:2144
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        34⤵
        
        PID:2760
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        34⤵
        
        PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Recent\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\Recent\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Recent\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "blockPortServerdriverRuntimeb" /sc MINUTE /mo 12 /tr "'C:\blockPortServerdriverRuntime.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "blockPortServerdriverRuntime" /sc ONLOGON /tr "'C:\blockPortServerdriverRuntime.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "blockPortServerdriverRuntimeb" /sc MINUTE /mo 10 /tr "'C:\blockPortServerdriverRuntime.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\1.bat

Filesize
62B

MD5
3caf9e84bed0774d4503d0a9832e3489

SHA1
57e750cc31918f91bf15309f182f5b84265ecfcc

SHA256
2b335dd0175798cd62d16dc74c7961835afe69f47e4c04529caba0b1dd9d1aa2

SHA512
e359ad56cad85fb27617f4393dfe6a33a454d506fe4be0024814175f3fb12b5ef7c3e9e3e2c1d6dcbec90d6f54015e9210b499e5ff8a2f537a1f46abccb42100

Download Submit
C:\Users\Admin\AppData\Local\Temp\6HUNmoPWiE.bat

Filesize
235B

MD5
3947cd7de6c9660b21c3e4b881d21000

SHA1
6243f55d49024f76d93b988b868f268567daa587

SHA256
4e92650ecd4d632961b8256c2d1b0d4553e910ade1e021bb44c792f8c90efcbc

SHA512
d2ed3532a6953872024a733a9820bae17370f368315494666ad34600432f8757b1acb2726f00c4fa4cc29a8c7a332832309be19a306feb3fb98d0155361aad66

Download Submit
C:\Users\Admin\AppData\Local\Temp\7p8ySQy6iH.bat

Filesize
187B

MD5
535789f94df4c74f4931919900fe03ae

SHA1
24699b9a0fc36d5ae9de9c4ce0aae41b9eaa00fb

SHA256
fcee5a99d9ce046091aeab4fdf88ba899f6ab93667e372975aa3db5d8472e501

SHA512
887a3ce0d1272ff671c590456bc70506a083f6060db5b840bca7c5d3f9e876cb3c157041027d4d4321286c4a6fd5e163c23539314a4dd2fa6df7dccb61b6e73e

Download Submit
C:\Users\Admin\AppData\Local\Temp\HdPNv8gS74.bat

Filesize
235B

MD5
a6e1bd5d48e0fece8ba46965cede208b

SHA1
fd950aa629efcf00a11498b93dd822384d3b2ff6

SHA256
4a3a9703e04380521c5e6d8ea0d12e79c998911418c2549f4598e84a1844a601

SHA512
fb86b411b82268b33936309f73b82975155a9c098309462b7f29a07cf41581f8bebdbf32e6a25e38a524c217d88a10017505b5e4dd48c37460f45b9e487b40f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\OLOaIFVkFd.bat

Filesize
235B

MD5
66d26b2fa73832221fb812b6880e4f8c

SHA1
51fe61c41a5906f6bc6a6b172412738fef4ed058

SHA256
6bec60bd45fc005b105cc1fb848db037ec4919d7d377d210e12345ad75939fbb

SHA512
d2bb199e97f6e6104b275a18bb9f4d9d91932445c6621c6be64863e38fc1d0a568d867add97a0d9aecf406ef54fee654b8ee5bdee9393cf841ff14ac8d1112e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC275.tmp

Filesize
1KB

MD5
cf249ad0b6ba5ef7f376b32f9fcb2964

SHA1
153e24cc5612327cc0631a284596887ea30c13d5

SHA256
7962eaabbb9bb07cfaab7436ceb2051b23a1776d0c38f1591762fb33685329ad

SHA512
ec43849fef704d6ccb13bf8f478ad6b61324cd8fe05aece464d716ce06fe5c32ba00b538571027a5617bc963932ebe9cdbf26d8d453381ae2c9ab284aff776fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\SJ5NCAOpEX.bat

Filesize
187B

MD5
0e60e7cbce37bef02b5181217f2d9e02

SHA1
be076b495d7a27cbf4fd0f75a53ca8493413306a

SHA256
313a92cba4abaa859269581bb5307799a9b7ad98cb9a7339a9872b5c71fb6597

SHA512
2008f0659d6ca0522a5c2fb7b0083108f59cef895d51fdd56d67c0404855bbd0eb84f2e5b0bb6c72a9bebfcb03d7d8b9e857ce33e48980e4b94c924f75e53e1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\aRcytkisn9.bat

Filesize
187B

MD5
cae13302e98ec933c87ed57d285bce21

SHA1
9751ec3b4f5bd1f1f759dc5b17f1b279dc7725f1

SHA256
ce28d7846cd3a7e2e961441700da7665e3b4849548200b1be5c8007add307a18

SHA512
1a88c7abef6d542c65c33d2cf69acd0dfa8bfae41a77b0950f7e853715b6b7160dcaafcb812ae0dd055fce50c21795203753b3475e8e9d0646b26bbf831f2c4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\hNUloleJD7.bat

Filesize
187B

MD5
5997121e1bbdf743e17879f43d74346d

SHA1
1e2fb3be1a20ee3bf66b1232f46833a7efc449a4

SHA256
1a210df557dfdfa9b14a221dd2e1b234bb2da912ce078b670c22218806e09c3c

SHA512
3fceff46dd6a13ceff56275ffccae8a0ddf2c6cc0dcad2553738fde5f894f54672b470adaeb8865851b2d5405f26dc31d40f7bb75348b030c417107f3dc16d41

Download Submit
C:\Users\Admin\AppData\Local\Temp\ibWrXDwbZz.bat

Filesize
187B

MD5
7e885a7377c03155d0148489aa8a2430

SHA1
adc2dd813076c53cb572a70c0afaf4c255efb39e

SHA256
e0f0953e8dacc111835ce226e5d8aae104b2b4ede3c024767922934661f04037

SHA512
6d2d7a75f4f1cda399a544169f23988ee8fb5c3bd95e2f1f5c13fecd8eae79f81caf72261e97eb085956a1ec010d6b45fd762a7a7a84c3f78c64929a4846ce3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\j2RXpaL3EF.bat

Filesize
235B

MD5
6c9123761c9855721d6dd06e37e38c88

SHA1
2b6cf0b8547eda1efdc4b5b0a9fea6842d677fa4

SHA256
2aaad6df832bbccfec2c1314d4c39d6a9c6eb0ae839c4a48b09ec5179dd7d70d

SHA512
1a293541c04de8be598ea7f8142788ecccb5f3dc55eb9ab06bd75a14d5a4e4a9dbcc0050c2e4e706c1381af7a60b7cb36603b55f6c8db0553128fb54eabb0a58

Download Submit
C:\Users\Admin\AppData\Local\Temp\jAyUy8CkP5.bat

Filesize
235B

MD5
dea7b2d9461d5089ce2bbff26f4bdfa1

SHA1
ce959bb2c5a77eb8fee6a04965c438821c62539c

SHA256
e4afbe0386fe4b4c5f804c9e69a0dd0f76c1bf0014ccd2549dc4af4316b41fec

SHA512
8dc5f2e2a0ba0a2fbab6bdf0353c0a2c8acf32c9a8361dd6d2e7a3fc7db1a81e522862c0decf26d360d521fe3da12ad0acb8c9aa1b069245de8947433dc30c0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\jpLz1yvSlu.bat

Filesize
187B

MD5
ed0e4f6499c6658c37131e42e4ec10b7

SHA1
ff5bdacf56df587963fdb0205233210d541f7fad

SHA256
4c073a36e641d5d206f841f1ac6893598c83f024c5d292bfe15cc63d1648c66c

SHA512
2def68bc7f03e36ddc5e868aac4a78114ee723f784bf0b57e3d3831b94ae88bb8d97d33911d22cfa2eb18541ae10fb77791a8e8a33aa994a331791ce9d734648

Download Submit
C:\Users\Admin\AppData\Local\Temp\noVjtIxUE0.bat

Filesize
235B

MD5
ab254fcb8c4616033405b86714be8b5e

SHA1
e81d360f4287703ac0f7bc2c95abdf2c640659ab

SHA256
c9c092740e8bf523072718e13a10d267f232291322dda57447928ab92a1986ba

SHA512
e797e250878684c798bbff615de3acb708de1610ed6f33bbc3502fda8751d176a7bd497b652c00e22899bf3350e2b91f652201842de8426661f620e8a2bf8e26

Download Submit
C:\Users\Admin\AppData\Local\Temp\oXOdSEs2zx.bat

Filesize
235B

MD5
b438add77cd0dd1e93d603fbd30a914e

SHA1
d73490241fbbdd75d83a72ec2d228b99253a4f86

SHA256
2e93d48d8aaa5cbac8f2f3ba23276401bd2d60d4875cfa1610b888590d705e3c

SHA512
c1a25c7778d90bb487946787c938d4312efa90f28934188579b396d7437fb100b787b1a1794b3454bb1e49ea670376e73fe2aea0d2a75c1e75f49190266ef9a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\wvZOdU8aJP.bat

Filesize
235B

MD5
fd0fdcbd0d3e03923cb51bbc30295c58

SHA1
bfc85122920ac2d837634856e20c1ae013362790

SHA256
d750db683f1398fe90bcd51f7d5987b5a5f653f748f4f1aceb902bd103f11f62

SHA512
4abc37e2aa47a468f31ad860f1ba6a4043218efc74f18c4a664b1dc866b641ecf49b8f35953178807f84780579244855a9a298a8ed007db815ee56acb4e1c117

Download Submit
C:\Users\Admin\AppData\Local\Temp\zsJdcY9yPm.bat

Filesize
235B

MD5
e09c201984360fb65863464ffe65a99c

SHA1
b9b79e728e662e586a5acee0a6715209206ef69c

SHA256
af951dddecb5ae8e43090a4be900bf683a51df6859fb56dd88d2d0576b7a41ab

SHA512
891a9419f2691385bc7bd6b2179050dcf3c75ec84bc7827f6347bd311fd54ba4d713719ca7e950a8841eca8803dfa9f3d7e21d504f05e3eb58ca24af1f68db84

Download Submit
C:\blockPortServerdriverRuntime.exe

Filesize
1.8MB

MD5
cd66d0673239c0998cf9f49c73f15cd3

SHA1
67054ee170e7a637dddc1604081815fb3e9d04e3

SHA256
eb7028f8db4bf6e44ef8e3d2250304c604cbd350d93529d2bfe24ddf773383de

SHA512
328e36bd61e8a00f10ea22af5e86921278217c23546f7502e5ed02881d8c1155372578d83141e8da3e564c3fce7bf212493b15e74585d97d67644dc6f4184274

Download Submit
C:\blockPortServerdriverRuntime.sfx.exe

Filesize
1.8MB

MD5
b5a4e3bf294fd3e5b4d82af34eeca853

SHA1
ba027c0af5d3c7c5e38b25ee037cd157037096bc

SHA256
3b20edc0a80f388a8178aa1b540b335e66810f8be9deb5fc9876ecbd848f7ff6

SHA512
00aa0a2befd1cfbf2b72941d34bd1042a3b5e27016f3775276cd46778c94b64a5a0ca03283a52f60d00fa11ef4d787a5d72b0fd2971a5bdec9203e43e3a85952

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yb5quqll\yb5quqll.0.cs

Filesize
391B

MD5
ab5200f44c5de0736bfd9d9745463e22

SHA1
37ff95db5ce3bf8439a2fd120940ee2a8fb922b2

SHA256
23bd986ccab72f0a35430dc9797c7dcf564cfc5e191f12e7a4c687d218cb88b3

SHA512
930e50040604aeef63897d2d0b80cd4c0ee1a25084072992c1814a80597ba2c808e42577035190dd73a8721cb68117166bd0d22a32c6d133ed4656d270008e98

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yb5quqll\yb5quqll.cmdline

Filesize
235B

MD5
e44cf878ad73942240933f4fd00587e2

SHA1
88538c707919db3380e409aa2913dac73438861f

SHA256
b409f34a158c736a9325032c69d21715bb34b43eb2a4a39e6592512d76693ff3

SHA512
f69dfc827ff61174363b175c967c50f898a580406258d34cab2fffc67e5847594f6308790e3858eb7cfff4584c3faa0d2e8ba0c741f9e2df159509f94a5631eb

Download Submit
\??\c:\Windows\System32\CSC6C36C6D933A48929EBE5248F29CD10.TMP

Filesize
1KB

MD5
9446a6998523ec187daa3d79bec9c8fa

SHA1
16c7f73aef03c8a15b4d9e8b1cfa5183caf7ca96

SHA256
f55f1bd2c1246cfb3b60cd8649fcc78b3837896bdf5132d6fc8ea0ecabf892d7

SHA512
fac3ad1b0c8663aaa94cd66b6ea0aa1848e570ff4a22b709cf2696abb76e28f42fb0d2a74316a7ad86bb6216177013c6b71ce2f4df139edc3054a03ee3467c9d

Download Submit
memory/752-161-0x00000000008E0000-0x0000000000ABA000-memory.dmp

Filesize
1.9MB

Download
memory/1200-193-0x0000000001010000-0x00000000011EA000-memory.dmp

Filesize
1.9MB

Download
memory/1680-77-0x0000000001290000-0x000000000146A000-memory.dmp

Filesize
1.9MB

Download
memory/1720-172-0x0000000000A80000-0x0000000000C5A000-memory.dmp

Filesize
1.9MB

Download
memory/2008-204-0x0000000001390000-0x000000000156A000-memory.dmp

Filesize
1.9MB

Download
memory/2876-139-0x0000000000300000-0x00000000004DA000-memory.dmp

Filesize
1.9MB

Download
memory/2924-43-0x0000000002080000-0x0000000002098000-memory.dmp

Filesize
96KB

Download
memory/2924-74-0x000007FEF5490000-0x000007FEF5E7C000-memory.dmp

Filesize
9.9MB

Download
memory/2924-45-0x0000000001FB0000-0x0000000001FBC000-memory.dmp

Filesize
48KB

Download
memory/2924-41-0x0000000002060000-0x000000000207C000-memory.dmp

Filesize
112KB

Download
memory/2924-39-0x0000000001FA0000-0x0000000001FAE000-memory.dmp

Filesize
56KB

Download
memory/2924-37-0x000007FEF5490000-0x000007FEF5E7C000-memory.dmp

Filesize
9.9MB

Download
memory/2924-36-0x000007FEF5490000-0x000007FEF5E7C000-memory.dmp

Filesize
9.9MB

Download
memory/2924-35-0x0000000000200000-0x00000000003DA000-memory.dmp

Filesize
1.9MB

Download
memory/2924-34-0x000007FEF5493000-0x000007FEF5494000-memory.dmp

Filesize
4KB

Download
memory/3068-150-0x0000000000850000-0x0000000000A2A000-memory.dmp

Filesize
1.9MB

Download