dcrat | bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13/01/2025, 12:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fatality.exe
Size

3.3MB
MD5

c883ea559bee9a0cb393aa32dcaf5d80
SHA1

995dfd0d9d504bec628e7d7297962677d8ab32cb
SHA256

bfd1aabb65dfce7b7c5f2d444917baa23fd04d6047e62cd1aaf9cb2a9ca9d3a9
SHA512

9ee8ef8a9912b14bcbeb3c13b2670c92eecc17c4a8a719d6bd9935f17239a244457e2f711c01e374febd767c866d6c563bad97e687680919ca0c017d738626ee
SSDEEP

98304:db5Nf/dq7yqKM1TcGZ6gtq1/Lko4uVa8N7:hMyqKM1TogtqT44NN7

Score

10^/10

dcrat discovery evasion infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Prefetch\\ReadyBoot\\audiodg.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Prefetch\\ReadyBoot\\audiodg.exe\", \"C:\\blockcomSession\\dwm.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Prefetch\\ReadyBoot\\audiodg.exe\", \"C:\\blockcomSession\\dwm.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\SPPlugins\\explorer.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Prefetch\\ReadyBoot\\audiodg.exe\", \"C:\\blockcomSession\\dwm.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\SPPlugins\\explorer.exe\", \"C:\\blockcomSession\\conhost.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Prefetch\\ReadyBoot\\audiodg.exe\", \"C:\\blockcomSession\\dwm.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\SPPlugins\\explorer.exe\", \"C:\\blockcomSession\\conhost.exe\", \"C:\\MSOCache\\All Users\\dwm.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Prefetch\\ReadyBoot\\audiodg.exe\", \"C:\\blockcomSession\\dwm.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\SPPlugins\\explorer.exe\", \"C:\\blockcomSession\\conhost.exe\", \"C:\\MSOCache\\All Users\\dwm.exe\", \"C:\\blockcomSession\\containerReview.exe\""	containerReview.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	1992	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	856	1992	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	448	1992	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1296	1992	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	1992	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1020	1992	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	1992	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	1992	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	1992	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	1992	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	1992	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2476	1992	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	1992	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2408	1992	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1052	1992	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	904	1992	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	1992	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	1992	schtasks.exe	45

Executes dropped EXE 18 IoCs

pid	Process
1500	fatality.exe
2836	icsys.icn.exe
2084	explorer.exe
2892	spoolsv.exe
2756	svchost.exe
1316	spoolsv.exe
1444	containerReview.exe
2744	explorer.exe
1368	explorer.exe
2136	explorer.exe
2296	explorer.exe
3044	explorer.exe
276	explorer.exe
3008	explorer.exe
1764	explorer.exe
824	explorer.exe
2896	explorer.exe
764	explorer.exe

Loads dropped DLL 8 IoCs

pid	Process
2304	fatality.exe
2304	fatality.exe
2836	icsys.icn.exe
2084	explorer.exe
2892	spoolsv.exe
2756	svchost.exe
2844	cmd.exe
2844	cmd.exe

Adds Run key to start application 2 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Windows\\Prefetch\\ReadyBoot\\audiodg.exe\""	containerReview.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\SPPlugins\\explorer.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\MSOCache\\All Users\\dwm.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Windows\\Prefetch\\ReadyBoot\\audiodg.exe\""	containerReview.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\blockcomSession\\dwm.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\SPPlugins\\explorer.exe\""	containerReview.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\MSOCache\\All Users\\dwm.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\blockcomSession\\dwm.exe\""	containerReview.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\blockcomSession\\conhost.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\blockcomSession\\conhost.exe\""	containerReview.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\containerReview = "\"C:\\blockcomSession\\containerReview.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\containerReview = "\"C:\\blockcomSession\\containerReview.exe\""	containerReview.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File created	\??\c:\Windows\System32\CSC65512A82F99946AF9321D2E69B8DCCC.TMP	csc.exe
File created	\??\c:\Windows\System32\1woi1z.exe	csc.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1500	fatality.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\explorer.exe	containerReview.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\7a0fd90576e088	containerReview.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\Prefetch\ReadyBoot\42af1c969fbb7b	containerReview.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	fatality.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File created	C:\Windows\Prefetch\ReadyBoot\audiodg.exe	containerReview.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fatality.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fatality.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 7 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2072	PING.EXE
1824	PING.EXE
2244	PING.EXE
2360	PING.EXE
896	PING.EXE
2944	PING.EXE
1112	PING.EXE

Runs ping.exe 1 TTPs 7 IoCs

Remote System Discovery

T1018

pid	Process
1824	PING.EXE
2244	PING.EXE
2360	PING.EXE
896	PING.EXE
2944	PING.EXE
1112	PING.EXE
2072	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1680	schtasks.exe
1808	schtasks.exe
1684	schtasks.exe
2408	schtasks.exe
2056	schtasks.exe
3056	schtasks.exe
2088	schtasks.exe
1020	schtasks.exe
1508	schtasks.exe
904	schtasks.exe
1296	schtasks.exe
1956	schtasks.exe
2476	schtasks.exe
2344	schtasks.exe
2200	schtasks.exe
1052	schtasks.exe
1592	schtasks.exe
1940	schtasks.exe
856	schtasks.exe
448	schtasks.exe
2168	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2304	fatality.exe
2304	fatality.exe
2304	fatality.exe
2304	fatality.exe
2304	fatality.exe
2304	fatality.exe
2304	fatality.exe
2304	fatality.exe
2304	fatality.exe
2304	fatality.exe
2304	fatality.exe
2304	fatality.exe
2304	fatality.exe
2304	fatality.exe
2304	fatality.exe
2304	fatality.exe
1500	fatality.exe
2836	icsys.icn.exe
2836	icsys.icn.exe
2836	icsys.icn.exe
2836	icsys.icn.exe
2836	icsys.icn.exe
2836	icsys.icn.exe
2836	icsys.icn.exe
2836	icsys.icn.exe
2836	icsys.icn.exe
2836	icsys.icn.exe
2836	icsys.icn.exe
2836	icsys.icn.exe
2836	icsys.icn.exe
2836	icsys.icn.exe
2836	icsys.icn.exe
2836	icsys.icn.exe
2836	icsys.icn.exe
2084	explorer.exe
2084	explorer.exe
2084	explorer.exe
2084	explorer.exe
2084	explorer.exe
2084	explorer.exe
2084	explorer.exe
2084	explorer.exe
2084	explorer.exe
2084	explorer.exe
2084	explorer.exe
2084	explorer.exe
2084	explorer.exe
2084	explorer.exe
2084	explorer.exe
2084	explorer.exe
2756	svchost.exe
2756	svchost.exe
2756	svchost.exe
2756	svchost.exe
2756	svchost.exe
2756	svchost.exe
2756	svchost.exe
2756	svchost.exe
2756	svchost.exe
2756	svchost.exe
2756	svchost.exe
2756	svchost.exe
2756	svchost.exe
2756	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2756	svchost.exe
2084	explorer.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	1444	containerReview.exe
Token: SeDebugPrivilege	2744	explorer.exe
Token: SeDebugPrivilege	1368	explorer.exe
Token: SeDebugPrivilege	2136	explorer.exe
Token: SeDebugPrivilege	2296	explorer.exe
Token: SeDebugPrivilege	3044	explorer.exe
Token: SeDebugPrivilege	276	explorer.exe
Token: SeDebugPrivilege	3008	explorer.exe
Token: SeDebugPrivilege	1764	explorer.exe
Token: SeDebugPrivilege	824	explorer.exe
Token: SeDebugPrivilege	2896	explorer.exe
Token: SeDebugPrivilege	764	explorer.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
2304	fatality.exe
2304	fatality.exe
1500	fatality.exe
2836	icsys.icn.exe
2836	icsys.icn.exe
2084	explorer.exe
2084	explorer.exe
2892	spoolsv.exe
2892	spoolsv.exe
2756	svchost.exe
2756	svchost.exe
1316	spoolsv.exe
1316	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2304 wrote to memory of 1500	2304	fatality.exe	31
PID 2304 wrote to memory of 1500	2304	fatality.exe	31
PID 2304 wrote to memory of 1500	2304	fatality.exe	31
PID 2304 wrote to memory of 1500	2304	fatality.exe	31
PID 2304 wrote to memory of 2836	2304	fatality.exe	32
PID 2304 wrote to memory of 2836	2304	fatality.exe	32
PID 2304 wrote to memory of 2836	2304	fatality.exe	32
PID 2304 wrote to memory of 2836	2304	fatality.exe	32
PID 2836 wrote to memory of 2084	2836	icsys.icn.exe	33
PID 2836 wrote to memory of 2084	2836	icsys.icn.exe	33
PID 2836 wrote to memory of 2084	2836	icsys.icn.exe	33
PID 2836 wrote to memory of 2084	2836	icsys.icn.exe	33
PID 2084 wrote to memory of 2892	2084	explorer.exe	34
PID 2084 wrote to memory of 2892	2084	explorer.exe	34
PID 2084 wrote to memory of 2892	2084	explorer.exe	34
PID 2084 wrote to memory of 2892	2084	explorer.exe	34
PID 1500 wrote to memory of 2572	1500	fatality.exe	35
PID 1500 wrote to memory of 2572	1500	fatality.exe	35
PID 1500 wrote to memory of 2572	1500	fatality.exe	35
PID 1500 wrote to memory of 2572	1500	fatality.exe	35
PID 2892 wrote to memory of 2756	2892	spoolsv.exe	36
PID 2892 wrote to memory of 2756	2892	spoolsv.exe	36
PID 2892 wrote to memory of 2756	2892	spoolsv.exe	36
PID 2892 wrote to memory of 2756	2892	spoolsv.exe	36
PID 2756 wrote to memory of 1316	2756	svchost.exe	37
PID 2756 wrote to memory of 1316	2756	svchost.exe	37
PID 2756 wrote to memory of 1316	2756	svchost.exe	37
PID 2756 wrote to memory of 1316	2756	svchost.exe	37
PID 2084 wrote to memory of 576	2084	explorer.exe	38
PID 2084 wrote to memory of 576	2084	explorer.exe	38
PID 2084 wrote to memory of 576	2084	explorer.exe	38
PID 2084 wrote to memory of 576	2084	explorer.exe	38
PID 2756 wrote to memory of 2088	2756	svchost.exe	39
PID 2756 wrote to memory of 2088	2756	svchost.exe	39
PID 2756 wrote to memory of 2088	2756	svchost.exe	39
PID 2756 wrote to memory of 2088	2756	svchost.exe	39
PID 2572 wrote to memory of 2844	2572	WScript.exe	42
PID 2572 wrote to memory of 2844	2572	WScript.exe	42
PID 2572 wrote to memory of 2844	2572	WScript.exe	42
PID 2572 wrote to memory of 2844	2572	WScript.exe	42
PID 2844 wrote to memory of 1444	2844	cmd.exe	44
PID 2844 wrote to memory of 1444	2844	cmd.exe	44
PID 2844 wrote to memory of 1444	2844	cmd.exe	44
PID 2844 wrote to memory of 1444	2844	cmd.exe	44
PID 1444 wrote to memory of 2728	1444	containerReview.exe	49
PID 1444 wrote to memory of 2728	1444	containerReview.exe	49
PID 1444 wrote to memory of 2728	1444	containerReview.exe	49
PID 2728 wrote to memory of 1324	2728	csc.exe	51
PID 2728 wrote to memory of 1324	2728	csc.exe	51
PID 2728 wrote to memory of 1324	2728	csc.exe	51
PID 1444 wrote to memory of 1772	1444	containerReview.exe	67
PID 1444 wrote to memory of 1772	1444	containerReview.exe	67
PID 1444 wrote to memory of 1772	1444	containerReview.exe	67
PID 1772 wrote to memory of 2216	1772	cmd.exe	69
PID 1772 wrote to memory of 2216	1772	cmd.exe	69
PID 1772 wrote to memory of 2216	1772	cmd.exe	69
PID 1772 wrote to memory of 2072	1772	cmd.exe	70
PID 1772 wrote to memory of 2072	1772	cmd.exe	70
PID 1772 wrote to memory of 2072	1772	cmd.exe	70
PID 1772 wrote to memory of 2744	1772	cmd.exe	71
PID 1772 wrote to memory of 2744	1772	cmd.exe	71
PID 1772 wrote to memory of 2744	1772	cmd.exe	71
PID 2744 wrote to memory of 2536	2744	explorer.exe	72
PID 2744 wrote to memory of 2536	2744	explorer.exe	72

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\fatality.exe
"C:\Users\Admin\AppData\Local\Temp\fatality.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2304
- \??\c:\users\admin\appdata\local\temp\fatality.exe
  c:\users\admin\appdata\local\temp\fatality.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1500
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\blockcomSession\RezYUes00TmmVGwINjr2qWMSbF3Etb9Bt2Ra62zGWDtewTBc.vbe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2572
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\blockcomSession\R3z0peym99fhJdrKbUwEGrQMoM2HpnSPGrE0X0k2hc.bat" "
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2844
    - - C:\blockcomSession\containerReview.exe
        
        "C:\blockcomSession/containerReview.exe"
        5⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1444
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qif3xwyw\qif3xwyw.cmdline"
        6⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA5D.tmp" "c:\Windows\System32\CSC65512A82F99946AF9321D2E69B8DCCC.TMP"
        7⤵
        
        PID:1324
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\x298vIygae.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1772
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:2216
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2072
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\explorer.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\explorer.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2744
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9ZQNubuJrx.bat"
        8⤵
        
        PID:2536
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:636
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:1560
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\explorer.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\explorer.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1368
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vXp13JMNiQ.bat"
        10⤵
        
        PID:1376
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:1740
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1824
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\explorer.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\explorer.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2136
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RAcs8leQAB.bat"
        12⤵
        
        PID:1536
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:1384
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2244
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\explorer.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\explorer.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2296
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7nxekELsf0.bat"
        14⤵
        
        PID:1012
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:2364
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2360
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\explorer.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\explorer.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3044
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7yfvayqnt7.bat"
        16⤵
        
        PID:2212
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:2880
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:568
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\explorer.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\explorer.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:276
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gmfrQySV9n.bat"
        18⤵
        
        PID:3020
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:496
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:768
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\explorer.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\explorer.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3008
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RVEN4vvioM.bat"
        20⤵
        
        PID:1048
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:1688
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:896
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\explorer.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\explorer.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1764
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZXPLL9zJFP.bat"
        22⤵
        
        PID:2468
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:1036
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2944
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\explorer.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\explorer.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:824
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9Y35xjzddj.bat"
        24⤵
        
        PID:2788
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:2864
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:1128
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\explorer.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\explorer.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2896
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SrnQwv5hL3.bat"
        26⤵
        
        PID:2428
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:2868
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        27⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1112
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\explorer.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\explorer.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:764
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2836
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2084
  - - \??\c:\windows\resources\spoolsv.exe
      c:\windows\resources\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2892
    - - \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2756
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1316
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 12:18 /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2088
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 12:19 /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1592
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 12:20 /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3056
  - - C:\Windows\Explorer.exe
      C:\Windows\Explorer.exe
      4⤵
      PID:576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Windows\Prefetch\ReadyBoot\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Windows\Prefetch\ReadyBoot\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\blockcomSession\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\blockcomSession\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\blockcomSession\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\blockcomSession\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\blockcomSession\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\blockcomSession\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "containerReviewc" /sc MINUTE /mo 7 /tr "'C:\blockcomSession\containerReview.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "containerReview" /sc ONLOGON /tr "'C:\blockcomSession\containerReview.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "containerReviewc" /sc MINUTE /mo 7 /tr "'C:\blockcomSession\containerReview.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7nxekELsf0.bat

Filesize
197B

MD5
75773b3179122a367e230dc2ac031627

SHA1
cf0829d2727198193981ccec5413516f903560c4

SHA256
ed0c68c476e23990323f2db9efb1b5526a10f34e36511bbbd72fa3d004e6a3a1

SHA512
3e6b4bb07490ec85c6c32202c38f9cb17ffcdcab4928c6e35a00270ca89ebe267df2ca745c7acf59d2a432aeee23f9e531fe0b48df20a5a208c72567fc0c963d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7yfvayqnt7.bat

Filesize
245B

MD5
8b6a6f6b76dc09b1704c58dbf5d17f1a

SHA1
adfa1d6ef1d47f006d65ec7ef714e2c1623a6a20

SHA256
6ced09be2cdb4dd281d2ef6c44fbaac2d788b55840675c7ed4f6108077b43ed9

SHA512
d182a6906bcc0b93774cc3285f1170bbefca044fd38a172d70937b49c0e1111f5ce75eed0131711ebd5178a1abc417dcb221d58f609dd2473ecd3231455039de

Download Submit
C:\Users\Admin\AppData\Local\Temp\9Y35xjzddj.bat

Filesize
245B

MD5
fc8382e78905207f2a0348c8a276114d

SHA1
e7341251fc5043d9f72f63dfa0b6ae0e88b8963a

SHA256
95bb6df022567cdc5cf4f960abc6a901032a2a4a842a71de2cdc1046ea2b241b

SHA512
2b601a0f7ff8439eede0303dc4738da1cc091f155d593befff5ea50261035c240e9d05a5539cea89dac0f66da4beb02b74887fbf135d8c5dc0e2f481b0774bd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\9ZQNubuJrx.bat

Filesize
245B

MD5
f4f817457d071ccce2f853460d31a21f

SHA1
5b86f0f008a67686fa8e7791e0847cb0b8049d07

SHA256
f327bb3e73b7aef3ca409b5b748d123519f6eee66defca4a6aba27c6a5b94c20

SHA512
8811578d47620fa5c8f225d5f9c5218526a23c9e157c02fb5dc2ee3ee92e2d520a0806d91a97230f5910fc3594816877de57b2e15a12be22f8790399b77c3554

Download Submit
C:\Users\Admin\AppData\Local\Temp\RAcs8leQAB.bat

Filesize
197B

MD5
eebb4a4cc4a43da75fa19fdf7ede6352

SHA1
b1a6be008c913e139f13787def37871c8fa866b6

SHA256
d1bb5e215b0ce3eaa35ea0c61347c733edf4dd96807f89867212a5534ba22e00

SHA512
215a94609c3ef3b1aec596a9eabdaee2f838723a30e234484170192879157a967e712adb5e1c03223882ac57a9afdc8aa3d22e3badb9c835450b9082c45bf0f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA5D.tmp

Filesize
1KB

MD5
0f86eb63cc7a13f400f2af6b93a82ff7

SHA1
22226650100f5d1e2ae8c370f72d0de5be3a68c6

SHA256
8c701e61edf9a35ecdcfa4c47dad3acd776b8a1e42b3b913f9080ff80127d416

SHA512
9109185f95c3f4815e6e82e4ada998d47eb71376738d2912a2b141db18d76bfa6200f21596b0ddf6e338bd155b04c9f15466210bf0da3afda9055c73c37f4bd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RVEN4vvioM.bat

Filesize
197B

MD5
af4b892650292f7b60fb9c796e7a6239

SHA1
25f0a328ebe07546beb74909a319eb731529aaf4

SHA256
ee5a79097cf4f29cf2527bf1abb012aa0541bbb0ace167a196056c9c9fa46958

SHA512
63e776baf7811e74ecbc74f4e715fed307fb730638f6353f0db5d66546b4d4b10c3daf051041ece35f352eecb607078c30790c277d8f75338ee132a7374a3017

Download Submit
C:\Users\Admin\AppData\Local\Temp\SrnQwv5hL3.bat

Filesize
197B

MD5
de18b1a6bf1d76f26e9e6e1f1c13b837

SHA1
281e669863512d0d1febc97d4783ccd05f2c20c6

SHA256
ddd86dc0aee3d55fa42ec149bf5baa60a502d3ad59f2f55f5e3201a9f5848dc3

SHA512
65d0fc3b928ff294470a11d116ca66bfbd2d9f0b0697c890de2b3e2a5f000f54245ac9ab335e2e4ddbd07c947498b43c05100cad786d65361436023b88b0d654

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZXPLL9zJFP.bat

Filesize
197B

MD5
ba594557e938738366d61b65683bc1cd

SHA1
d3fa1f91af116fc92a63879cf035d7a1242746b2

SHA256
28fa3f7866e939349e16fea7ce16d73ec7a6199ce4e49b0622529432a93010ab

SHA512
eba8d62b8e908dc5f3344ef7592b5896c3d1c391270bf827252e0afb12d12a57200318389bb4b249f3c82a958192a37ac9f79df259a573525a1e5ec04c433d35

Download Submit
C:\Users\Admin\AppData\Local\Temp\gmfrQySV9n.bat

Filesize
245B

MD5
4262ed2147aa1ad30c6a2aa94b160a53

SHA1
3c0296dfaaf89e045738edfc5ab84cb8aade1d8b

SHA256
cccf70dd8226e3740b275a797ad91b906f79d255954e1528750a32d8ee1776ac

SHA512
cf87fe007fd41baa212f38131048be6e5035637b53b65181a920e1106410da8ee1737b6524968b77f9e5c265a4902d5dbff3b02deb9c1fc53645bf3f3a7ba98a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vXp13JMNiQ.bat

Filesize
197B

MD5
c253f6f8cfff7db054933e132c6371bd

SHA1
cb940f790356452921348b3aa98f64b3c7638657

SHA256
2e1fed874e0fb9c98258d2d300e51a208eecc4ec75473076a15942f1693c1a7d

SHA512
511cb044f9066b6029872f13340a5850678904055d2d63ce3cbfa4cbcca71bdf6fe17a013c579ad0005daddfa2a8769e4eb9d7618e405cfa7d5ff6e0caa1e93a

Download Submit
C:\Users\Admin\AppData\Local\Temp\x298vIygae.bat

Filesize
197B

MD5
34a1a5ed7586f2f58a581b1e63f2ed12

SHA1
828bcaff84c17eee4cdd17b66836766a9d9add79

SHA256
b89e5bed227f4eb99101ea4f420c7e9f0830bddd6b67bb1b3bb5958e03e62830

SHA512
dd69f98aefe379d6e591170f1656c61f6c67dac43ae580ed51b484e7ffe61a3df6c13714c18e30979476ab6c36163312c30e760c0c04e0344bdfb2a7127b2561

Download Submit
C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
51f01b3ac1edf7a2853b0c31b47183dd

SHA1
f5e413fcae20083b00c1d6c2ec4199f427c371a9

SHA256
55cadb08330580b94005780cbf8aa4b49aa1d0265a33ddf1fdbb665325ea3bbf

SHA512
3f6f31af62fdfeaef465237496b4a0ee58d17fa4fb2d54df3c3a619f49fb8302588cd36035273b7595b804a6162e797b135b51a4ca66be0e0b81d27944728f08

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
d36cc2935ae0e7a5d2936db589a9b8cc

SHA1
082bd58c0ad60fa4783b63a4f681a5c5fad8e1a6

SHA256
4c93adb50768feb3cdea95f1fedc5d6fdc262d59f12c4b66601d377e2709c2e3

SHA512
547452ba0de7c8ebeec8e4bb2d916c7a881b6743e6d1fb6d2761a202b7cf5bb30c3f541957de70c584b46b7171f3f20338b4985341829b408c366aeaeced9290

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
135KB

MD5
cbe390dfaba4dc026d49b20a44a63ae5

SHA1
dee703297d559d6874721b951bc20dc39650e18c

SHA256
226193cf587de3cae8c74cb432dc77ccd352e712d5de4630b8a71eb0733691d2

SHA512
f7a654cbec394a2767edc9c1ed7789c9021e99c3ba4beb54f43d77f376aadf610a4495fe7c58775510a027d0e76e0d937374be00c7dbb47f118338ef45a813af

Download Submit
C:\blockcomSession\R3z0peym99fhJdrKbUwEGrQMoM2HpnSPGrE0X0k2hc.bat

Filesize
89B

MD5
de5b4fde5bc10d0f76a55eb9d249ab56

SHA1
751938b6ab03340842b429805fd2da1aa0d8c964

SHA256
009aa3f866391c87bd840efb9b6b4eb33fc4dcb625cd23e436d0c9383e033f0f

SHA512
58f02657db363b742c6aee66ccd5a6b279280e2dd09d7394b7b9907ca2cd005cd67ee88ca98d533605e30608fc61abc6f51f7d3be4a3813d7414d280b6f16a1f

Download Submit
C:\blockcomSession\RezYUes00TmmVGwINjr2qWMSbF3Etb9Bt2Ra62zGWDtewTBc.vbe

Filesize
236B

MD5
d2dd350044ce1fe408a44a036a7e6a0d

SHA1
3597e45deb69f4aa4749855e9ed452a39a9c7d42

SHA256
487bfe07abff347481f10c648717aab8008c7606c026b920358544f85c25e1b2

SHA512
81147d83dc5ffd1adb10add8486f6dac65df0e7c579f8244ef8f3d6f646ced97fad3f55a178ced9b60f5f23bb77a0e29bccb22651280a9eae135976af71c366a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qif3xwyw\qif3xwyw.0.cs

Filesize
373B

MD5
952e3446ce364e5cdb19ecccdd0fdbb4

SHA1
edf6beb5d4db5f2ad86f863dfbdbbfe5787da60d

SHA256
86b27d8b273bf3ec008bb3dfd4507eeb5c8be7d0ea52ebc7ff4c10cc4f3dbd7e

SHA512
749b92b5b643d1f74d605d3a551e0b99ae5ae7915fc8e4e121f24adb6ebe6c5389419298f71198508642d6c67dd5701f9aed59d98e3cdc3fc555c4d1b7c0d1d7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qif3xwyw\qif3xwyw.cmdline

Filesize
235B

MD5
877e7f12da197b08fa7149190018ccc4

SHA1
abddba87e08cdd92ee1cb341034ad43d6a673f5d

SHA256
bce97b1ef0ea37583d474fdc95178b41a755cce69c3e9ebcbe0b98eebcda04e0

SHA512
1d86c13d3d76a7d3249c8142a0fd0a197e5cecca765853fdb828832db98549af881af7eb1d15663995fb2127719f700063693ef09d71b183252b16664d8a3d55

Download Submit
\??\c:\Windows\System32\CSC65512A82F99946AF9321D2E69B8DCCC.TMP

Filesize
1KB

MD5
dcd286f3a69cfd0292a8edbc946f8553

SHA1
4d347ac1e8c1d75fc139878f5646d3a0b083ef17

SHA256
29e03364271673f4b388131b7773d016df859bb0b1c5e6c3ad6914a632600596

SHA512
4b9546033bd4957263854fbb0a87aa1d57ce3afbce7bf03b12b05b78f97c5a27c52c1d73e34b6a5ba2c395e26ec9c474a32609441b99cf78ea707113fca96f77

Download Submit
\Users\Admin\AppData\Local\Temp\fatality.exe

Filesize
3.2MB

MD5
a7040b85fc683f088f4c6e5b44052c43

SHA1
7e3d644d1a1fb7b9bcccb6406d2e7fbd062eae66

SHA256
b786f31f1c89c71d0510bbd32510595d9891c67db516f968261b02594a423a8d

SHA512
e225f6f7e114690aad25e9c67460e50f5b84cc8ca87a69ba94ff63ab42415df176a3ed6c3456cddb849927604a4888b17e5e781ac97d2ba0197f9687bbb2c301

Download Submit
\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
71a8613e2fce2ecc3cfb981596c458e0

SHA1
c28d5aebff2e955e9a433c93f02c242cff71c08d

SHA256
dfe9c95f50fe8342f311538a85588afe5d123326d84144f11ec44cf49419a41c

SHA512
9ed5c1a3c5cee3437b2025f1946e6e6ad94f8b3ae763f9195d0ccbc081ad6365903a60bbcd232195166e08b40aa10cf33007852ab3f7a9998f911c14d1915a09

Download Submit
\blockcomSession\containerReview.exe

Filesize
1.9MB

MD5
f568e43bc473cd8ceb2553c58194df61

SHA1
14c0fff25edfd186dab91ee6bcc94450c9bed84d

SHA256
c91375814e8a5bb71736ce61fa429bc7b98a2b7b2a254b9967c51f3fccfacd52

SHA512
47cf66ce90fecd147077c72dc3f06db2199b9bc96e887915d6b0d4bfea7577d60a7345da6e5bc59967d02528fbdf6c8bf86233261338f782b9185c890fbc400e

Download Submit
memory/276-188-0x0000000000ED0000-0x00000000010C0000-memory.dmp

Filesize
1.9MB

Download
memory/764-252-0x00000000012A0000-0x0000000001490000-memory.dmp

Filesize
1.9MB

Download
memory/1316-69-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1316-65-0x0000000000270000-0x0000000000280000-memory.dmp

Filesize
64KB

Download
memory/1444-89-0x0000000000540000-0x000000000054E000-memory.dmp

Filesize
56KB

Download
memory/1444-79-0x0000000000AF0000-0x0000000000CE0000-memory.dmp

Filesize
1.9MB

Download
memory/1444-87-0x0000000000530000-0x000000000053E000-memory.dmp

Filesize
56KB

Download
memory/1444-85-0x0000000000570000-0x0000000000588000-memory.dmp

Filesize
96KB

Download
memory/1444-91-0x0000000000590000-0x000000000059C000-memory.dmp

Filesize
48KB

Download
memory/1444-83-0x0000000000550000-0x000000000056C000-memory.dmp

Filesize
112KB

Download
memory/1444-81-0x0000000000520000-0x000000000052E000-memory.dmp

Filesize
56KB

Download
memory/1500-12-0x0000000001320000-0x0000000001701000-memory.dmp

Filesize
3.9MB

Download
memory/1500-68-0x0000000001320000-0x0000000001701000-memory.dmp

Filesize
3.9MB

Download
memory/1764-213-0x00000000012D0000-0x00000000014C0000-memory.dmp

Filesize
1.9MB

Download
memory/2084-180-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2136-147-0x00000000000F0000-0x00000000002E0000-memory.dmp

Filesize
1.9MB

Download
memory/2296-160-0x0000000000CA0000-0x0000000000E90000-memory.dmp

Filesize
1.9MB

Download
memory/2304-9-0x0000000002D60000-0x0000000003141000-memory.dmp

Filesize
3.9MB

Download
memory/2304-73-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2304-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2304-15-0x0000000000280000-0x000000000029F000-memory.dmp

Filesize
124KB

Download
memory/2744-122-0x0000000001030000-0x0000000001220000-memory.dmp

Filesize
1.9MB

Download
memory/2756-63-0x0000000000330000-0x000000000034F000-memory.dmp

Filesize
124KB

Download
memory/2756-186-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2836-28-0x00000000002A0000-0x00000000002BF000-memory.dmp

Filesize
124KB

Download
memory/2836-72-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2892-70-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2892-56-0x00000000005C0000-0x00000000005DF000-memory.dmp

Filesize
124KB

Download
memory/2896-239-0x0000000000150000-0x0000000000340000-memory.dmp

Filesize
1.9MB

Download