dcrat | fb145a248667da2c0f287c070250dc501c7b3d03df44f22e4f50a735599923d4

Analysis

max time kernel
147s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 07:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fb145a248667da2c0f287c070250dc501c7b3d03df44f22e4f50a735599923d4.exe
Size

2.0MB
MD5

ff6e26dc9893c97196aefe245defeff9
SHA1

6ec3649790e948299b43bc522ee6d3fc9d10f769
SHA256

fb145a248667da2c0f287c070250dc501c7b3d03df44f22e4f50a735599923d4
SHA512

6c4f76b35b0a90ca8e132d20a3b9d0eaf4752c6c49efe9a6f180b3b7a2091af55f8cab0be881e499a90da496ccbce7550eba4d8a3bc124060b429d44fb08e0a0
SSDEEP

49152:1Djlabwz9WV429A3twp/pZ5zUg45hGUrf/osAX4RUhpKT/+qYiv:Zqw+T9ewpRzz6OUkR4R7TmqYK

Score

10^/10

dcrat discovery infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Internet Explorer\\en-US\\explorer.exe\", \"C:\\Recovery\\1f5748e2-69f6-11ef-b486-62cb582c238c\\dllhost.exe\""	blockPortServerdriverRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Internet Explorer\\en-US\\explorer.exe\", \"C:\\Recovery\\1f5748e2-69f6-11ef-b486-62cb582c238c\\dllhost.exe\", \"C:\\Program Files\\Java\\jre7\\blockPortServerdriverRuntime.exe\""	blockPortServerdriverRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Internet Explorer\\en-US\\explorer.exe\", \"C:\\Recovery\\1f5748e2-69f6-11ef-b486-62cb582c238c\\dllhost.exe\", \"C:\\Program Files\\Java\\jre7\\blockPortServerdriverRuntime.exe\", \"C:\\Program Files\\Windows Defender\\it-IT\\WMIADAP.exe\""	blockPortServerdriverRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Internet Explorer\\en-US\\explorer.exe\", \"C:\\Recovery\\1f5748e2-69f6-11ef-b486-62cb582c238c\\dllhost.exe\", \"C:\\Program Files\\Java\\jre7\\blockPortServerdriverRuntime.exe\", \"C:\\Program Files\\Windows Defender\\it-IT\\WMIADAP.exe\", \"C:\\Windows\\Cursors\\csrss.exe\""	blockPortServerdriverRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Internet Explorer\\en-US\\explorer.exe\", \"C:\\Recovery\\1f5748e2-69f6-11ef-b486-62cb582c238c\\dllhost.exe\", \"C:\\Program Files\\Java\\jre7\\blockPortServerdriverRuntime.exe\", \"C:\\Program Files\\Windows Defender\\it-IT\\WMIADAP.exe\", \"C:\\Windows\\Cursors\\csrss.exe\", \"C:\\blockPortServerdriverRuntime.exe\""	blockPortServerdriverRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Internet Explorer\\en-US\\explorer.exe\""	blockPortServerdriverRuntime.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	1676	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	1676	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	1676	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	1676	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	1676	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1032	1676	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	1676	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	1676	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	1676	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	1676	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	1676	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	1676	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	1676	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1112	1676	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	920	1676	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	780	1676	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	1676	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	1676	schtasks.exe	35

Executes dropped EXE 17 IoCs

pid	Process
2640	blockPortServerdriverRuntime.sfx.exe
2220	blockPortServerdriverRuntime.exe
1340	csrss.exe
3048	csrss.exe
2612	csrss.exe
2836	csrss.exe
2784	csrss.exe
2856	csrss.exe
2540	csrss.exe
1284	csrss.exe
2380	csrss.exe
2464	csrss.exe
2372	csrss.exe
2700	csrss.exe
1768	csrss.exe
2948	csrss.exe
1444	csrss.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\blockPortServerdriverRuntime = "\"C:\\blockPortServerdriverRuntime.exe\""	blockPortServerdriverRuntime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files\\Internet Explorer\\en-US\\explorer.exe\""	blockPortServerdriverRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\1f5748e2-69f6-11ef-b486-62cb582c238c\\dllhost.exe\""	blockPortServerdriverRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\blockPortServerdriverRuntime = "\"C:\\Program Files\\Java\\jre7\\blockPortServerdriverRuntime.exe\""	blockPortServerdriverRuntime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\WMIADAP = "\"C:\\Program Files\\Windows Defender\\it-IT\\WMIADAP.exe\""	blockPortServerdriverRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\Cursors\\csrss.exe\""	blockPortServerdriverRuntime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\blockPortServerdriverRuntime = "\"C:\\blockPortServerdriverRuntime.exe\""	blockPortServerdriverRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files\\Internet Explorer\\en-US\\explorer.exe\""	blockPortServerdriverRuntime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\1f5748e2-69f6-11ef-b486-62cb582c238c\\dllhost.exe\""	blockPortServerdriverRuntime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\blockPortServerdriverRuntime = "\"C:\\Program Files\\Java\\jre7\\blockPortServerdriverRuntime.exe\""	blockPortServerdriverRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WMIADAP = "\"C:\\Program Files\\Windows Defender\\it-IT\\WMIADAP.exe\""	blockPortServerdriverRuntime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\Cursors\\csrss.exe\""	blockPortServerdriverRuntime.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSCE3063840D250461381F14D1A9D3638A.TMP	csc.exe
File created	\??\c:\Windows\System32\1woi1z.exe	csc.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\Internet Explorer\en-US\7a0fd90576e088	blockPortServerdriverRuntime.exe
File created	C:\Program Files\Windows Defender\it-IT\WMIADAP.exe	blockPortServerdriverRuntime.exe
File created	C:\Program Files\Windows Defender\it-IT\75a57c1bdf437c	blockPortServerdriverRuntime.exe
File created	C:\Program Files\Java\jre7\blockPortServerdriverRuntime.exe	blockPortServerdriverRuntime.exe
File created	C:\Program Files\Java\jre7\cf08707360d051	blockPortServerdriverRuntime.exe
File created	C:\Program Files\Internet Explorer\en-US\explorer.exe	blockPortServerdriverRuntime.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Cursors\csrss.exe	blockPortServerdriverRuntime.exe
File created	C:\Windows\Cursors\886983d96e3d3e	blockPortServerdriverRuntime.exe
File created	C:\Windows\Cursors\csrss.exe	blockPortServerdriverRuntime.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1592	PING.EXE
1856	PING.EXE
2424	PING.EXE
1384	PING.EXE

Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery

T1018

pid	Process
1592	PING.EXE
1856	PING.EXE
2424	PING.EXE
1384	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2812	schtasks.exe
1688	schtasks.exe
1640	schtasks.exe
2780	schtasks.exe
1940	schtasks.exe
1032	schtasks.exe
2772	schtasks.exe
2896	schtasks.exe
2148	schtasks.exe
1812	schtasks.exe
2888	schtasks.exe
2368	schtasks.exe
2988	schtasks.exe
2416	schtasks.exe
920	schtasks.exe
2600	schtasks.exe
1112	schtasks.exe
780	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2220	blockPortServerdriverRuntime.exe
2220	blockPortServerdriverRuntime.exe
2220	blockPortServerdriverRuntime.exe
2220	blockPortServerdriverRuntime.exe
2220	blockPortServerdriverRuntime.exe
2220	blockPortServerdriverRuntime.exe
2220	blockPortServerdriverRuntime.exe
2220	blockPortServerdriverRuntime.exe
2220	blockPortServerdriverRuntime.exe
2220	blockPortServerdriverRuntime.exe
2220	blockPortServerdriverRuntime.exe
2220	blockPortServerdriverRuntime.exe
2220	blockPortServerdriverRuntime.exe
2220	blockPortServerdriverRuntime.exe
2220	blockPortServerdriverRuntime.exe
2220	blockPortServerdriverRuntime.exe
2220	blockPortServerdriverRuntime.exe
2220	blockPortServerdriverRuntime.exe
2220	blockPortServerdriverRuntime.exe
2220	blockPortServerdriverRuntime.exe
2220	blockPortServerdriverRuntime.exe
2220	blockPortServerdriverRuntime.exe
2220	blockPortServerdriverRuntime.exe
2220	blockPortServerdriverRuntime.exe
2220	blockPortServerdriverRuntime.exe
2220	blockPortServerdriverRuntime.exe
2220	blockPortServerdriverRuntime.exe
2220	blockPortServerdriverRuntime.exe
2220	blockPortServerdriverRuntime.exe
2220	blockPortServerdriverRuntime.exe
2220	blockPortServerdriverRuntime.exe
2220	blockPortServerdriverRuntime.exe
2220	blockPortServerdriverRuntime.exe
2220	blockPortServerdriverRuntime.exe
2220	blockPortServerdriverRuntime.exe
2220	blockPortServerdriverRuntime.exe
2220	blockPortServerdriverRuntime.exe
2220	blockPortServerdriverRuntime.exe
2220	blockPortServerdriverRuntime.exe
2220	blockPortServerdriverRuntime.exe
2220	blockPortServerdriverRuntime.exe
2220	blockPortServerdriverRuntime.exe
2220	blockPortServerdriverRuntime.exe
2220	blockPortServerdriverRuntime.exe
2220	blockPortServerdriverRuntime.exe
2220	blockPortServerdriverRuntime.exe
2220	blockPortServerdriverRuntime.exe
2220	blockPortServerdriverRuntime.exe
2220	blockPortServerdriverRuntime.exe
2220	blockPortServerdriverRuntime.exe
2220	blockPortServerdriverRuntime.exe
2220	blockPortServerdriverRuntime.exe
2220	blockPortServerdriverRuntime.exe
2220	blockPortServerdriverRuntime.exe
2220	blockPortServerdriverRuntime.exe
2220	blockPortServerdriverRuntime.exe
2220	blockPortServerdriverRuntime.exe
2220	blockPortServerdriverRuntime.exe
2220	blockPortServerdriverRuntime.exe
2220	blockPortServerdriverRuntime.exe
2220	blockPortServerdriverRuntime.exe
2220	blockPortServerdriverRuntime.exe
2220	blockPortServerdriverRuntime.exe
2220	blockPortServerdriverRuntime.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2220	blockPortServerdriverRuntime.exe
Token: SeDebugPrivilege	1340	csrss.exe
Token: SeDebugPrivilege	3048	csrss.exe
Token: SeDebugPrivilege	2612	csrss.exe
Token: SeDebugPrivilege	2836	csrss.exe
Token: SeDebugPrivilege	2784	csrss.exe
Token: SeDebugPrivilege	2856	csrss.exe
Token: SeDebugPrivilege	2540	csrss.exe
Token: SeDebugPrivilege	1284	csrss.exe
Token: SeDebugPrivilege	2380	csrss.exe
Token: SeDebugPrivilege	2464	csrss.exe
Token: SeDebugPrivilege	2372	csrss.exe
Token: SeDebugPrivilege	2700	csrss.exe
Token: SeDebugPrivilege	1768	csrss.exe
Token: SeDebugPrivilege	2948	csrss.exe
Token: SeDebugPrivilege	1444	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2452 wrote to memory of 1164	2452	fb145a248667da2c0f287c070250dc501c7b3d03df44f22e4f50a735599923d4.exe	31
PID 2452 wrote to memory of 1164	2452	fb145a248667da2c0f287c070250dc501c7b3d03df44f22e4f50a735599923d4.exe	31
PID 2452 wrote to memory of 1164	2452	fb145a248667da2c0f287c070250dc501c7b3d03df44f22e4f50a735599923d4.exe	31
PID 1164 wrote to memory of 2640	1164	cmd.exe	33
PID 1164 wrote to memory of 2640	1164	cmd.exe	33
PID 1164 wrote to memory of 2640	1164	cmd.exe	33
PID 2640 wrote to memory of 2220	2640	blockPortServerdriverRuntime.sfx.exe	34
PID 2640 wrote to memory of 2220	2640	blockPortServerdriverRuntime.sfx.exe	34
PID 2640 wrote to memory of 2220	2640	blockPortServerdriverRuntime.sfx.exe	34
PID 2220 wrote to memory of 320	2220	blockPortServerdriverRuntime.exe	39
PID 2220 wrote to memory of 320	2220	blockPortServerdriverRuntime.exe	39
PID 2220 wrote to memory of 320	2220	blockPortServerdriverRuntime.exe	39
PID 320 wrote to memory of 1984	320	csc.exe	41
PID 320 wrote to memory of 1984	320	csc.exe	41
PID 320 wrote to memory of 1984	320	csc.exe	41
PID 2220 wrote to memory of 580	2220	blockPortServerdriverRuntime.exe	57
PID 2220 wrote to memory of 580	2220	blockPortServerdriverRuntime.exe	57
PID 2220 wrote to memory of 580	2220	blockPortServerdriverRuntime.exe	57
PID 580 wrote to memory of 952	580	cmd.exe	59
PID 580 wrote to memory of 952	580	cmd.exe	59
PID 580 wrote to memory of 952	580	cmd.exe	59
PID 580 wrote to memory of 1736	580	cmd.exe	60
PID 580 wrote to memory of 1736	580	cmd.exe	60
PID 580 wrote to memory of 1736	580	cmd.exe	60
PID 580 wrote to memory of 1340	580	cmd.exe	61
PID 580 wrote to memory of 1340	580	cmd.exe	61
PID 580 wrote to memory of 1340	580	cmd.exe	61
PID 1340 wrote to memory of 2376	1340	csrss.exe	62
PID 1340 wrote to memory of 2376	1340	csrss.exe	62
PID 1340 wrote to memory of 2376	1340	csrss.exe	62
PID 2376 wrote to memory of 2224	2376	cmd.exe	64
PID 2376 wrote to memory of 2224	2376	cmd.exe	64
PID 2376 wrote to memory of 2224	2376	cmd.exe	64
PID 2376 wrote to memory of 2952	2376	cmd.exe	65
PID 2376 wrote to memory of 2952	2376	cmd.exe	65
PID 2376 wrote to memory of 2952	2376	cmd.exe	65
PID 2376 wrote to memory of 3048	2376	cmd.exe	66
PID 2376 wrote to memory of 3048	2376	cmd.exe	66
PID 2376 wrote to memory of 3048	2376	cmd.exe	66
PID 3048 wrote to memory of 2164	3048	csrss.exe	67
PID 3048 wrote to memory of 2164	3048	csrss.exe	67
PID 3048 wrote to memory of 2164	3048	csrss.exe	67
PID 2164 wrote to memory of 1596	2164	cmd.exe	69
PID 2164 wrote to memory of 1596	2164	cmd.exe	69
PID 2164 wrote to memory of 1596	2164	cmd.exe	69
PID 2164 wrote to memory of 1592	2164	cmd.exe	70
PID 2164 wrote to memory of 1592	2164	cmd.exe	70
PID 2164 wrote to memory of 1592	2164	cmd.exe	70
PID 2164 wrote to memory of 2612	2164	cmd.exe	71
PID 2164 wrote to memory of 2612	2164	cmd.exe	71
PID 2164 wrote to memory of 2612	2164	cmd.exe	71
PID 2612 wrote to memory of 2684	2612	csrss.exe	72
PID 2612 wrote to memory of 2684	2612	csrss.exe	72
PID 2612 wrote to memory of 2684	2612	csrss.exe	72
PID 2684 wrote to memory of 2564	2684	cmd.exe	74
PID 2684 wrote to memory of 2564	2684	cmd.exe	74
PID 2684 wrote to memory of 2564	2684	cmd.exe	74
PID 2684 wrote to memory of 2640	2684	cmd.exe	75
PID 2684 wrote to memory of 2640	2684	cmd.exe	75
PID 2684 wrote to memory of 2640	2684	cmd.exe	75
PID 2684 wrote to memory of 2836	2684	cmd.exe	76
PID 2684 wrote to memory of 2836	2684	cmd.exe	76
PID 2684 wrote to memory of 2836	2684	cmd.exe	76
PID 2836 wrote to memory of 3044	2836	csrss.exe	77

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\fb145a248667da2c0f287c070250dc501c7b3d03df44f22e4f50a735599923d4.exe
"C:\Users\Admin\AppData\Local\Temp\fb145a248667da2c0f287c070250dc501c7b3d03df44f22e4f50a735599923d4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2452
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\1.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1164
- - C:\blockPortServerdriverRuntime.sfx.exe
    blockPortServerdriverRuntime.sfx.exe -p1234
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2640
  - - C:\blockPortServerdriverRuntime.exe
      "C:\blockPortServerdriverRuntime.exe"
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2220
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rv04yd4g\rv04yd4g.cmdline"
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:320
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE512.tmp" "c:\Windows\System32\CSCE3063840D250461381F14D1A9D3638A.TMP"
        6⤵
        
        PID:1984
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9f80lHX1qQ.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:580
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:952
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1736
      - C:\Windows\Cursors\csrss.exe
        
        "C:\Windows\Cursors\csrss.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1340
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UHHMDGRBfc.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2224
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2952
        
        C:\Windows\Cursors\csrss.exe
        
        "C:\Windows\Cursors\csrss.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3048
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SUne2ttkTe.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2164
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:1596
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1592
        
        C:\Windows\Cursors\csrss.exe
        
        "C:\Windows\Cursors\csrss.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2612
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TuuHawadIr.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2684
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:2564
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2640
        
        C:\Windows\Cursors\csrss.exe
        
        "C:\Windows\Cursors\csrss.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2836
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nFOCGIGxkl.bat"
        13⤵
        
        PID:3044
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:1268
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1660
        
        C:\Windows\Cursors\csrss.exe
        
        "C:\Windows\Cursors\csrss.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2784
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QZnykySc6r.bat"
        15⤵
        
        PID:1744
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:1640
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1992
        
        C:\Windows\Cursors\csrss.exe
        
        "C:\Windows\Cursors\csrss.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2856
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gXPzuBRgcB.bat"
        17⤵
        
        PID:2416
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:1424
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2156
        
        C:\Windows\Cursors\csrss.exe
        
        "C:\Windows\Cursors\csrss.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2540
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oqD6e5Rlo4.bat"
        19⤵
        
        PID:2852
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:2944
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2020
        
        C:\Windows\Cursors\csrss.exe
        
        "C:\Windows\Cursors\csrss.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1284
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AeLHIw7ndo.bat"
        21⤵
        
        PID:2252
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:1752
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1856
        
        C:\Windows\Cursors\csrss.exe
        
        "C:\Windows\Cursors\csrss.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2380
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zq8KtNWkLV.bat"
        23⤵
        
        PID:2396
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:2956
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2900
        
        C:\Windows\Cursors\csrss.exe
        
        "C:\Windows\Cursors\csrss.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2464
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gXPzuBRgcB.bat"
        25⤵
        
        PID:2660
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:2820
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:1988
        
        C:\Windows\Cursors\csrss.exe
        
        "C:\Windows\Cursors\csrss.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2372
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Jcydu7dUmM.bat"
        27⤵
        
        PID:2572
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:2552
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:1808
        
        C:\Windows\Cursors\csrss.exe
        
        "C:\Windows\Cursors\csrss.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2700
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tuGXyMaJvX.bat"
        29⤵
        
        PID:1912
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:2796
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2424
        
        C:\Windows\Cursors\csrss.exe
        
        "C:\Windows\Cursors\csrss.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1768
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9phEQOv8NZ.bat"
        31⤵
        
        PID:1036
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:2856
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        32⤵
        
        PID:1048
        
        C:\Windows\Cursors\csrss.exe
        
        "C:\Windows\Cursors\csrss.exe"
        32⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2948
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Q18N4Nt25o.bat"
        33⤵
        
        PID:2768
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        34⤵
        
        PID:2104
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        34⤵
        
        PID:2304
        
        C:\Windows\Cursors\csrss.exe
        
        "C:\Windows\Cursors\csrss.exe"
        34⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1444
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\U5BoPe2aCH.bat"
        35⤵
        
        PID:784
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        36⤵
        
        PID:840
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        36⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\en-US\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\en-US\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files\Internet Explorer\en-US\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "blockPortServerdriverRuntimeb" /sc MINUTE /mo 12 /tr "'C:\Program Files\Java\jre7\blockPortServerdriverRuntime.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "blockPortServerdriverRuntime" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\blockPortServerdriverRuntime.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "blockPortServerdriverRuntimeb" /sc MINUTE /mo 9 /tr "'C:\Program Files\Java\jre7\blockPortServerdriverRuntime.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Defender\it-IT\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\it-IT\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\it-IT\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Windows\Cursors\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Cursors\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\Cursors\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "blockPortServerdriverRuntimeb" /sc MINUTE /mo 14 /tr "'C:\blockPortServerdriverRuntime.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "blockPortServerdriverRuntime" /sc ONLOGON /tr "'C:\blockPortServerdriverRuntime.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "blockPortServerdriverRuntimeb" /sc MINUTE /mo 10 /tr "'C:\blockPortServerdriverRuntime.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\1.bat

Filesize
62B

MD5
3caf9e84bed0774d4503d0a9832e3489

SHA1
57e750cc31918f91bf15309f182f5b84265ecfcc

SHA256
2b335dd0175798cd62d16dc74c7961835afe69f47e4c04529caba0b1dd9d1aa2

SHA512
e359ad56cad85fb27617f4393dfe6a33a454d506fe4be0024814175f3fb12b5ef7c3e9e3e2c1d6dcbec90d6f54015e9210b499e5ff8a2f537a1f46abccb42100

Download Submit
C:\Users\Admin\AppData\Local\Temp\9f80lHX1qQ.bat

Filesize
204B

MD5
0e1be8a5af7ef8f743677f528796ac20

SHA1
6f778c523b9964c715f0412ade272f586cbce220

SHA256
7b4078fe049c5a97a912a9c15adcd24097517ca95933f0c5868dbd03e7e93b33

SHA512
1ac95d065d3a8c69f10ab7a63f0e474f04e6901d79c0964680dd768c8988489102e9cdd461d1718fbfb7d1051f86b914f8443a81986a9de5ff61bf2dd7248eed

Download Submit
C:\Users\Admin\AppData\Local\Temp\9phEQOv8NZ.bat

Filesize
204B

MD5
5b7f4aa25935874b78302ed922b9de86

SHA1
10c03a8e15579dae8aa5b0fa1d8d7883b867fc74

SHA256
26f17f3049eaa7cf3458873cd003263e77b786411bba249d6214a48b5dbfa19f

SHA512
8aac4b7bc7c3a5485d95730fdffc67adfd9db7586af4e446e26e8d15adfbc40b731250632f53026eb9810065daa78ddebe8a15dd681cb823ace6de1f3ebb9ff2

Download Submit
C:\Users\Admin\AppData\Local\Temp\AeLHIw7ndo.bat

Filesize
156B

MD5
98fe5e1b4b86a546512c98981b7634e7

SHA1
bd95ee32811da4b1c648a884ad3cdc85ac3d3e4b

SHA256
548ae48df5982e70e0aaed7a2e9d3e7f081403750d6b4abd7a62257487d41be6

SHA512
9e86c596fa33bd85bebc86fd6f2a4e9dce53077a520617f4e0d3742f696f012a5db4190667b3f19a5c9644ae87ea6ed11b270375f62e65e0c852b628616b056c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jcydu7dUmM.bat

Filesize
204B

MD5
ce88548b64e0ecf84c030a964b41c85a

SHA1
7c8c7818e30443a80372d11e960e5665f24ed5ae

SHA256
92219ce40c255b131889c8452f1d9eff188be96f496d92447069a12e607a9b05

SHA512
c95aa5491c495cd862204fbf9d522b9e37e57f38339161cfa6f20693cbfa5cb21d958abb1e0e722e1483cd617f9a54ca8e28b875beedf0a87a80c422edf9f9ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\Q18N4Nt25o.bat

Filesize
204B

MD5
844256d3f4885853ad8564b4341a33c1

SHA1
3f6e6a9aa5a400d4487816722821a464962c5c0c

SHA256
7215f3346a8e5bb7e6a4cc5f49f46af6d82037029bba4b59a53b8100b2d4c3ad

SHA512
8ed77dff17776d283a7d6cf37a682f517fab472f44112661f34e217ff132936a931cb2b7f3572cd797c5246f98eb38039e72baba3e99838aa4569569e07e51e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\QZnykySc6r.bat

Filesize
204B

MD5
5979ae01e032378a623a854670fd5505

SHA1
380688ec5e90ef8a0f96dd5243ec2473ed95442b

SHA256
7c991a55feabe0de926dda70dd155493bb4330b88cb629832b4318837046b6fb

SHA512
2322611f80d9b0f926bb8bee9d848bbbd835bddfb0106daefa31f44cb16ac2a4e0898feffb85c3de8d4a79c415ea501f26bf51665e7707d79a19c947426f686a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE512.tmp

Filesize
1KB

MD5
3e4aa316e809232f57a5d6c8f6cbad22

SHA1
3f36cab2f7697c2dd13d519f09ae5af4332386ce

SHA256
63821b01c3c73f4a00d6958de77e407c550818327fb8220b57647fe441114501

SHA512
1e2c7ea5d111f8bbb21606a863c4bf8b8da3903e281316921749d4d72b98c0eb6c9fa783c0693a92ebbe7f6d568dce96a193e104952061d3087f02c94d858bbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\SUne2ttkTe.bat

Filesize
156B

MD5
92ec2a2a087bdff4af7ad38762516275

SHA1
1d399145f7738a4307c83d896bb508909b21844c

SHA256
ebf59693a88a9e561c572af4f1047ad1e4fad6b247de720bbedfeace0b444b1a

SHA512
0ca3c8b91daa35d6f9f0c127f069cc64ccc076f1ce8455411566b5098d7b1be382938c6d45f6d50d67d14ec1038480b415df494ec6318abec97774e726c44abd

Download Submit
C:\Users\Admin\AppData\Local\Temp\TuuHawadIr.bat

Filesize
204B

MD5
0bdae4ab09e010b702489cebdbd7617e

SHA1
1ba81b9f21a3047fc1d9f2729fa8c7875e3745d7

SHA256
c16b7e07287698b26061ff2936476d6819712e5bd825b809a0bf59ac58b81838

SHA512
b5de1a645a6611a878f341d680b3fc902b750aa0aeaa545f1ec5202980a4639849e7d8c5806d324eaaee8678f6a65bf7c63a6607576e9bd90d3b9a280d973569

Download Submit
C:\Users\Admin\AppData\Local\Temp\U5BoPe2aCH.bat

Filesize
156B

MD5
5e161c8022b3c1f0f123e3c16457a187

SHA1
a4156c0a0f8baa0f57b3199c842b87890c5ee2f8

SHA256
c1fba5b8496283c90e8612a39c833482ffbc26180750cdf066a60a41412a3c89

SHA512
e3668b64ec2c9c06874f2c26b16118df70cc51b2565a1fa96007038ed69df85d35b50ea0513c5d685144d99aa232a2224bf48b2f18843bedd26294e9f595516c

Download Submit
C:\Users\Admin\AppData\Local\Temp\UHHMDGRBfc.bat

Filesize
204B

MD5
8051f457da4ff41e38f5d5e3dcdf43d7

SHA1
096085c0bc90e654b5713fd15701ce4f5a228155

SHA256
95e17e5d4504158fd472c61894cdd1dfaae6f486000e9fd361da893ee276f317

SHA512
8f533eacfa4856cdc48290ee79ecb8ad26f9ac7d42b0f12f3f5fc98609e1dee44bcb51ea6512557581bbab09121b830297d2b10426fed5cedd91730b353fa95d

Download Submit
C:\Users\Admin\AppData\Local\Temp\gXPzuBRgcB.bat

Filesize
204B

MD5
61929cd525414dfda68e1b8bdc99b4f6

SHA1
a019d37ba3d209b15aceedc6bff7f280557dd892

SHA256
af0f87f93c740f93a705c7c035dcd024619b6b1d78181dfa7085dc81681bdbbe

SHA512
9f8cdd76e220d947ff7d63573021d8e7acc022c658e5c3d92714c0f0ce88a3900823492e9a1c4a6cc7ef473c69683d4dadaec8c2660d77d318b406740be96a6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nFOCGIGxkl.bat

Filesize
204B

MD5
1d4cc41eb5eff32fcb72790c7419479b

SHA1
7ce9c6a6fe17601598139fe8bcebe91edee44e1d

SHA256
4b926471398ce65846d3ed1babf9e15fd6849472fa030da7de042da96417598d

SHA512
be08967ae2333cabcf2a712c6f26d32c29e1173b5d2f781438d44c3813f3a5d558681c03e031b69ad762606e6a02f8161d3c88de61319288d59bf0d1544ef423

Download Submit
C:\Users\Admin\AppData\Local\Temp\oqD6e5Rlo4.bat

Filesize
204B

MD5
9e7c0add43aa2bca350eacc925a298d4

SHA1
ec154c647b346f9ae77071a327cd6dc95d7c645b

SHA256
808e885225bc67629c47802d1373108b59fe90f7a1f385650627aab21f6d1fd9

SHA512
5de14529f30e91aebfb6abc04c47229c0be00dc6e9299d9d4e46dcf9a80c23bbdb9746fd6d0d8b5b06e44e6fc1b0829e728f1b5758b2bd757d1a8fe77a9de87f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tuGXyMaJvX.bat

Filesize
156B

MD5
f31f3995eeae3430985ae0d022b9bbd3

SHA1
1d7b8eeb3a6ea010d54e4b58c1c9545b7d393779

SHA256
c3a5d8af345768f33b65adb8e8ac8be387ab55a439fd42f055de36df82df1409

SHA512
a65520f131696526442e2d203119a150ff4018a083b0ce4b6edf383aa5450cd9207d8e31a4ae35847c4d7915ad9ae8e570ad24fbafefcaaede7615869e770657

Download Submit
C:\Users\Admin\AppData\Local\Temp\zq8KtNWkLV.bat

Filesize
204B

MD5
180e8e476b7dc4dddc0e175bf2ade6e7

SHA1
6deaf1e9676b6ae8dfbf4d7bc95d1990634ffafd

SHA256
854e4c3933119f4399ed4d0f5eb29239e710f0f28b6d795bd05cc752ecf1aaf4

SHA512
6488c9892c52b338f84b372ca05ee899e0607da499654d39a1151b375c0d55953c4a78586ae7052f7de2c425e895b2d0d21f7f1d8a8702cc6ef9af7d26f16c6b

Download Submit
C:\blockPortServerdriverRuntime.exe

Filesize
1.8MB

MD5
cd66d0673239c0998cf9f49c73f15cd3

SHA1
67054ee170e7a637dddc1604081815fb3e9d04e3

SHA256
eb7028f8db4bf6e44ef8e3d2250304c604cbd350d93529d2bfe24ddf773383de

SHA512
328e36bd61e8a00f10ea22af5e86921278217c23546f7502e5ed02881d8c1155372578d83141e8da3e564c3fce7bf212493b15e74585d97d67644dc6f4184274

Download Submit
C:\blockPortServerdriverRuntime.sfx.exe

Filesize
1.8MB

MD5
b5a4e3bf294fd3e5b4d82af34eeca853

SHA1
ba027c0af5d3c7c5e38b25ee037cd157037096bc

SHA256
3b20edc0a80f388a8178aa1b540b335e66810f8be9deb5fc9876ecbd848f7ff6

SHA512
00aa0a2befd1cfbf2b72941d34bd1042a3b5e27016f3775276cd46778c94b64a5a0ca03283a52f60d00fa11ef4d787a5d72b0fd2971a5bdec9203e43e3a85952

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rv04yd4g\rv04yd4g.0.cs

Filesize
385B

MD5
8b04c245d898599831d9ad8dc7a01342

SHA1
7277743ad6443ea1ab22609f5983f9acc797fad6

SHA256
19822b4f0dc4276bf0f3d080a35835050c059884504943e97606af6f8d3aba77

SHA512
5ad7c6638c4fe0089e54d5609a5a737acbc642ffcaf168576ad28a06d61cbe806f0688052d0c1a5d3fafbf9f167765fb642dcbea491031bb603efd043ba46e66

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rv04yd4g\rv04yd4g.cmdline

Filesize
235B

MD5
3227489ff508a474e2ba1f3f80719332

SHA1
0958acb99738ac0926265240b49237b843d4ca44

SHA256
f502cc0a6c7a58d615c86602a1affeaa722e6d04e337ed89757d15e717b09700

SHA512
a359e81fb5c90e0311a0b56e5bbe7d60f5864b142958a4ccc51c5527863ee236dbf6862fc280c0b1ecdbc21ea7216161491fe7fbad1a26bb8eacbe06eafb1c3e

Download Submit
\??\c:\Windows\System32\CSCE3063840D250461381F14D1A9D3638A.TMP

Filesize
1KB

MD5
dcd286f3a69cfd0292a8edbc946f8553

SHA1
4d347ac1e8c1d75fc139878f5646d3a0b083ef17

SHA256
29e03364271673f4b388131b7773d016df859bb0b1c5e6c3ad6914a632600596

SHA512
4b9546033bd4957263854fbb0a87aa1d57ce3afbce7bf03b12b05b78f97c5a27c52c1d73e34b6a5ba2c395e26ec9c474a32609441b99cf78ea707113fca96f77

Download Submit
memory/1284-154-0x0000000001340000-0x000000000151A000-memory.dmp

Filesize
1.9MB

Download
memory/1340-77-0x00000000001F0000-0x00000000003CA000-memory.dmp

Filesize
1.9MB

Download
memory/1768-209-0x0000000001160000-0x000000000133A000-memory.dmp

Filesize
1.9MB

Download
memory/2220-45-0x0000000000320000-0x000000000032C000-memory.dmp

Filesize
48KB

Download
memory/2220-34-0x000007FEF56A3000-0x000007FEF56A4000-memory.dmp

Filesize
4KB

Download
memory/2220-35-0x0000000000870000-0x0000000000A4A000-memory.dmp

Filesize
1.9MB

Download
memory/2220-73-0x000007FEF56A0000-0x000007FEF608C000-memory.dmp

Filesize
9.9MB

Download
memory/2220-43-0x0000000000360000-0x0000000000378000-memory.dmp

Filesize
96KB

Download
memory/2220-41-0x0000000000340000-0x000000000035C000-memory.dmp

Filesize
112KB

Download
memory/2220-39-0x0000000000310000-0x000000000031E000-memory.dmp

Filesize
56KB

Download
memory/2220-36-0x000007FEF56A0000-0x000007FEF608C000-memory.dmp

Filesize
9.9MB

Download
memory/2220-37-0x000007FEF56A0000-0x000007FEF608C000-memory.dmp

Filesize
9.9MB

Download
memory/2372-186-0x0000000000100000-0x00000000002DA000-memory.dmp

Filesize
1.9MB

Download
memory/2540-143-0x00000000001E0000-0x00000000003BA000-memory.dmp

Filesize
1.9MB

Download
memory/2612-100-0x0000000000DC0000-0x0000000000F9A000-memory.dmp

Filesize
1.9MB

Download
memory/2700-198-0x0000000000C70000-0x0000000000E4A000-memory.dmp

Filesize
1.9MB

Download
memory/2784-122-0x0000000001050000-0x000000000122A000-memory.dmp

Filesize
1.9MB

Download
memory/2836-111-0x0000000000280000-0x000000000045A000-memory.dmp

Filesize
1.9MB

Download
memory/3048-88-0x00000000009D0000-0x0000000000BAA000-memory.dmp

Filesize
1.9MB

Download