dcrat | d9dc76fcec48e47d8a10afa9ee40af17b856bff408bbc3eb36f5d362364a8d4c

Analysis

max time kernel
1800s
max time network
1799s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
26/06/2024, 14:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Njrat.exe
Size

3.1MB
MD5

7bbb27a3b9ace5f7d403ba8d6ef58d28
SHA1

5effbe830a93770824ee60f65eac790dda1ee807
SHA256

d9dc76fcec48e47d8a10afa9ee40af17b856bff408bbc3eb36f5d362364a8d4c
SHA512

32774b5efc9a4c771ed74cb59d6e4221d4cfb92e05d18cf9d3ad53b957005cce84892ef9e563d2c4c932127dac595394e23d8bc3e2a6ab3a654acef5e24e0327
SSDEEP

49152:VbA3GVZoGDweuD4gWA7evLcjM3wwwZHFXIJ5nDWhVGUwwB3SNZts8zOqhsg:VbZDweuD4rcH9Vl65Dac7ssNj

Score

10^/10

dcrat discovery evasion execution infostealer rat spyware stealer trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	2404	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	2404	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	2404	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	2404	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1416	2404	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2404	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1552	2404	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	2404	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1856	2404	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	2404	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	2404	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	2404	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	2404	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1080	2404	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	2404	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	2404	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	2404	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2092	2404	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	2404	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	2404	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	2404	schtasks.exe	32

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Hyperblockport.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Hyperblockport.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Hyperblockport.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe

DCRat payload 15 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0021000000013400-9.dat	dcrat
behavioral1/memory/2720-13-0x0000000001390000-0x0000000001672000-memory.dmp	dcrat
behavioral1/memory/2096-119-0x0000000000900000-0x0000000000BE2000-memory.dmp	dcrat
behavioral1/memory/2640-160-0x0000000000DB0000-0x0000000001092000-memory.dmp	dcrat
behavioral1/memory/1096-161-0x0000000000310000-0x00000000005F2000-memory.dmp	dcrat
behavioral1/memory/1060-164-0x0000000000010000-0x00000000002F2000-memory.dmp	dcrat
behavioral1/memory/1752-168-0x0000000000FD0000-0x00000000012B2000-memory.dmp	dcrat
behavioral1/memory/872-171-0x0000000000950000-0x0000000000C32000-memory.dmp	dcrat
behavioral1/memory/672-172-0x00000000013C0000-0x00000000016A2000-memory.dmp	dcrat
behavioral1/memory/2152-175-0x00000000012E0000-0x00000000015C2000-memory.dmp	dcrat
behavioral1/memory/2148-177-0x0000000000F50000-0x0000000001232000-memory.dmp	dcrat
behavioral1/memory/784-180-0x0000000000D30000-0x0000000001012000-memory.dmp	dcrat
behavioral1/memory/2860-183-0x0000000000120000-0x0000000000402000-memory.dmp	dcrat
behavioral1/memory/2280-186-0x00000000011B0000-0x0000000001492000-memory.dmp	dcrat
behavioral1/memory/552-189-0x0000000000210000-0x00000000004F2000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1096	powershell.exe
1116	powershell.exe
1640	powershell.exe
536	powershell.exe
1504	powershell.exe
2408	powershell.exe
816	powershell.exe
576	powershell.exe
584	powershell.exe
2972	powershell.exe
688	powershell.exe
1012	powershell.exe
400	powershell.exe

Executes dropped EXE 20 IoCs

pid	Process
2720	Hyperblockport.exe
2096	System.exe
1096	wininit.exe
2640	csrss.exe
1060	dwm.exe
1240	System.exe
1752	smss.exe
672	csrss.exe
872	wininit.exe
2152	lsass.exe
2148	dwm.exe
1632	System.exe
784	wininit.exe
2540	csrss.exe
2860	smss.exe
624	csrss.exe
2280	wininit.exe
552	lsass.exe
1320	dwm.exe
2524	System.exe

Loads dropped DLL 2 IoCs

pid	Process
2844	cmd.exe
2844	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Hyperblockport.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Hyperblockport.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	ipinfo.io
8	ipinfo.io

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\VideoLAN\VLC\locale\ca@valencia\LC_MESSAGES\6cb0b6c459d5d3	Hyperblockport.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsass.exe	Hyperblockport.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\6203df4a6bafc7	Hyperblockport.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ca@valencia\LC_MESSAGES\dwm.exe	Hyperblockport.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\L2Schemas\smss.exe	Hyperblockport.exe
File opened for modification	C:\Windows\L2Schemas\smss.exe	Hyperblockport.exe
File created	C:\Windows\L2Schemas\69ddcba757bf72	Hyperblockport.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	System.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	System.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1416	schtasks.exe
2664	schtasks.exe
2060	schtasks.exe
1552	schtasks.exe
1776	schtasks.exe
1652	schtasks.exe
2316	schtasks.exe
2360	schtasks.exe
1804	schtasks.exe
2816	schtasks.exe
1964	schtasks.exe
1936	schtasks.exe
1616	schtasks.exe
2092	schtasks.exe
1080	schtasks.exe
2828	schtasks.exe
1736	schtasks.exe
2812	schtasks.exe
3036	schtasks.exe
1856	schtasks.exe
1984	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2720	Hyperblockport.exe
2720	Hyperblockport.exe
2720	Hyperblockport.exe
2720	Hyperblockport.exe
2720	Hyperblockport.exe
2720	Hyperblockport.exe
2720	Hyperblockport.exe
2972	powershell.exe
536	powershell.exe
576	powershell.exe
1640	powershell.exe
1116	powershell.exe
1096	powershell.exe
2408	powershell.exe
400	powershell.exe
688	powershell.exe
1012	powershell.exe
584	powershell.exe
1504	powershell.exe
816	powershell.exe
2096	System.exe
2096	System.exe
2096	System.exe
2096	System.exe
2096	System.exe
2096	System.exe
2096	System.exe
2096	System.exe
2096	System.exe
2096	System.exe
2096	System.exe
2096	System.exe
2096	System.exe
2096	System.exe
2096	System.exe
2096	System.exe
2096	System.exe
2096	System.exe
2096	System.exe
2096	System.exe
2096	System.exe
2096	System.exe
2096	System.exe
2096	System.exe
2096	System.exe
2096	System.exe
2096	System.exe
2096	System.exe
2096	System.exe
2096	System.exe
2096	System.exe
2096	System.exe
2096	System.exe
2096	System.exe
2096	System.exe
2096	System.exe
2096	System.exe
2096	System.exe
2096	System.exe
2096	System.exe
2096	System.exe
2096	System.exe
2096	System.exe
2096	System.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2096	System.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeDebugPrivilege	2720	Hyperblockport.exe
Token: SeDebugPrivilege	2972	powershell.exe
Token: SeDebugPrivilege	536	powershell.exe
Token: SeDebugPrivilege	576	powershell.exe
Token: SeDebugPrivilege	1640	powershell.exe
Token: SeDebugPrivilege	1116	powershell.exe
Token: SeDebugPrivilege	1096	powershell.exe
Token: SeDebugPrivilege	2408	powershell.exe
Token: SeDebugPrivilege	400	powershell.exe
Token: SeDebugPrivilege	688	powershell.exe
Token: SeDebugPrivilege	1012	powershell.exe
Token: SeDebugPrivilege	584	powershell.exe
Token: SeDebugPrivilege	1504	powershell.exe
Token: SeDebugPrivilege	816	powershell.exe
Token: SeDebugPrivilege	2096	System.exe
Token: SeBackupPrivilege	2576	vssvc.exe
Token: SeRestorePrivilege	2576	vssvc.exe
Token: SeAuditPrivilege	2576	vssvc.exe
Token: SeDebugPrivilege	2640	csrss.exe
Token: SeDebugPrivilege	1096	wininit.exe
Token: SeDebugPrivilege	1060	dwm.exe
Token: SeDebugPrivilege	1240	System.exe
Token: SeDebugPrivilege	1752	smss.exe
Token: SeDebugPrivilege	872	wininit.exe
Token: SeDebugPrivilege	672	csrss.exe
Token: SeDebugPrivilege	2152	lsass.exe
Token: SeDebugPrivilege	2148	dwm.exe
Token: SeDebugPrivilege	2540	csrss.exe
Token: SeDebugPrivilege	784	wininit.exe
Token: SeDebugPrivilege	1632	System.exe
Token: SeDebugPrivilege	2860	smss.exe
Token: SeDebugPrivilege	624	csrss.exe
Token: SeDebugPrivilege	2280	wininit.exe
Token: SeDebugPrivilege	1320	dwm.exe
Token: SeDebugPrivilege	552	lsass.exe
Token: SeDebugPrivilege	2524	System.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2096	System.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2500 wrote to memory of 2424	2500	Njrat.exe	28
PID 2500 wrote to memory of 2424	2500	Njrat.exe	28
PID 2500 wrote to memory of 2424	2500	Njrat.exe	28
PID 2500 wrote to memory of 2424	2500	Njrat.exe	28
PID 2424 wrote to memory of 2844	2424	WScript.exe	29
PID 2424 wrote to memory of 2844	2424	WScript.exe	29
PID 2424 wrote to memory of 2844	2424	WScript.exe	29
PID 2424 wrote to memory of 2844	2424	WScript.exe	29
PID 2844 wrote to memory of 2720	2844	cmd.exe	31
PID 2844 wrote to memory of 2720	2844	cmd.exe	31
PID 2844 wrote to memory of 2720	2844	cmd.exe	31
PID 2844 wrote to memory of 2720	2844	cmd.exe	31
PID 2720 wrote to memory of 2972	2720	Hyperblockport.exe	54
PID 2720 wrote to memory of 2972	2720	Hyperblockport.exe	54
PID 2720 wrote to memory of 2972	2720	Hyperblockport.exe	54
PID 2720 wrote to memory of 2408	2720	Hyperblockport.exe	55
PID 2720 wrote to memory of 2408	2720	Hyperblockport.exe	55
PID 2720 wrote to memory of 2408	2720	Hyperblockport.exe	55
PID 2720 wrote to memory of 536	2720	Hyperblockport.exe	56
PID 2720 wrote to memory of 536	2720	Hyperblockport.exe	56
PID 2720 wrote to memory of 536	2720	Hyperblockport.exe	56
PID 2720 wrote to memory of 688	2720	Hyperblockport.exe	58
PID 2720 wrote to memory of 688	2720	Hyperblockport.exe	58
PID 2720 wrote to memory of 688	2720	Hyperblockport.exe	58
PID 2720 wrote to memory of 400	2720	Hyperblockport.exe	60
PID 2720 wrote to memory of 400	2720	Hyperblockport.exe	60
PID 2720 wrote to memory of 400	2720	Hyperblockport.exe	60
PID 2720 wrote to memory of 816	2720	Hyperblockport.exe	61
PID 2720 wrote to memory of 816	2720	Hyperblockport.exe	61
PID 2720 wrote to memory of 816	2720	Hyperblockport.exe	61
PID 2720 wrote to memory of 1012	2720	Hyperblockport.exe	63
PID 2720 wrote to memory of 1012	2720	Hyperblockport.exe	63
PID 2720 wrote to memory of 1012	2720	Hyperblockport.exe	63
PID 2720 wrote to memory of 1504	2720	Hyperblockport.exe	65
PID 2720 wrote to memory of 1504	2720	Hyperblockport.exe	65
PID 2720 wrote to memory of 1504	2720	Hyperblockport.exe	65
PID 2720 wrote to memory of 1640	2720	Hyperblockport.exe	66
PID 2720 wrote to memory of 1640	2720	Hyperblockport.exe	66
PID 2720 wrote to memory of 1640	2720	Hyperblockport.exe	66
PID 2720 wrote to memory of 1116	2720	Hyperblockport.exe	67
PID 2720 wrote to memory of 1116	2720	Hyperblockport.exe	67
PID 2720 wrote to memory of 1116	2720	Hyperblockport.exe	67
PID 2720 wrote to memory of 584	2720	Hyperblockport.exe	68
PID 2720 wrote to memory of 584	2720	Hyperblockport.exe	68
PID 2720 wrote to memory of 584	2720	Hyperblockport.exe	68
PID 2720 wrote to memory of 576	2720	Hyperblockport.exe	69
PID 2720 wrote to memory of 576	2720	Hyperblockport.exe	69
PID 2720 wrote to memory of 576	2720	Hyperblockport.exe	69
PID 2720 wrote to memory of 1096	2720	Hyperblockport.exe	70
PID 2720 wrote to memory of 1096	2720	Hyperblockport.exe	70
PID 2720 wrote to memory of 1096	2720	Hyperblockport.exe	70
PID 2720 wrote to memory of 1548	2720	Hyperblockport.exe	80
PID 2720 wrote to memory of 1548	2720	Hyperblockport.exe	80
PID 2720 wrote to memory of 1548	2720	Hyperblockport.exe	80
PID 1548 wrote to memory of 2396	1548	cmd.exe	82
PID 1548 wrote to memory of 2396	1548	cmd.exe	82
PID 1548 wrote to memory of 2396	1548	cmd.exe	82
PID 1548 wrote to memory of 2096	1548	cmd.exe	83
PID 1548 wrote to memory of 2096	1548	cmd.exe	83
PID 1548 wrote to memory of 2096	1548	cmd.exe	83
PID 2096 wrote to memory of 1820	2096	System.exe	84
PID 2096 wrote to memory of 1820	2096	System.exe	84
PID 2096 wrote to memory of 1820	2096	System.exe	84
PID 2096 wrote to memory of 1556	2096	System.exe	85

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Hyperblockport.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Hyperblockport.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Hyperblockport.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Njrat.exe
"C:\Users\Admin\AppData\Local\Temp\Njrat.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2500
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\containerperf\9nepdzd6Yg.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2424
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\containerperf\MJF5L0LGrR45RopQV75MoqBbC.bat" "
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2844
  - - C:\containerperf\Hyperblockport.exe
      "C:\containerperf\Hyperblockport.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2720
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2972
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2408
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/containerperf/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:536
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:688
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:400
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:816
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1012
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1504
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1640
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1116
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:584
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:576
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1096
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GO75tdUpkG.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1548
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2396
      - C:\Recovery\fc26e022-289f-11ef-a973-46d84c032646\System.exe
        
        "C:\Recovery\fc26e022-289f-11ef-a973-46d84c032646\System.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2096
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7e5eed7f-f8c5-4873-96b6-1bfd3a68abcd.vbs"
        7⤵
        
        PID:1820
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5c27e7e3-f3fd-4cf1-b691-c0e0afdc5151.vbs"
        7⤵
        
        PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Windows\L2Schemas\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\L2Schemas\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Windows\L2Schemas\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\VLC\locale\ca@valencia\LC_MESSAGES\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\locale\ca@valencia\LC_MESSAGES\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files\VideoLAN\VLC\locale\ca@valencia\LC_MESSAGES\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\containerperf\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\containerperf\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\containerperf\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Users\Public\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Public\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Users\Public\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Recovery\fc26e022-289f-11ef-a973-46d84c032646\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\fc26e022-289f-11ef-a973-46d84c032646\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Recovery\fc26e022-289f-11ef-a973-46d84c032646\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2576

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2784

C:\Windows\system32\taskeng.exe
taskeng.exe {E76F7959-11C7-441B-9246-F819828A01E4} S-1-5-21-2812790648-3157963462-487717889-1000:JAFTUVRJ\Admin:Interactive:[1]
1⤵
PID:2780
- C:\Users\Default User\csrss.exe
  "C:\Users\Default User\csrss.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2640
- C:\Users\Public\wininit.exe
  C:\Users\Public\wininit.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1096
- C:\Program Files\VideoLAN\VLC\locale\ca@valencia\LC_MESSAGES\dwm.exe
  "C:\Program Files\VideoLAN\VLC\locale\ca@valencia\LC_MESSAGES\dwm.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1060
- C:\Recovery\fc26e022-289f-11ef-a973-46d84c032646\System.exe
  C:\Recovery\fc26e022-289f-11ef-a973-46d84c032646\System.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1240
- C:\Windows\L2Schemas\smss.exe
  C:\Windows\L2Schemas\smss.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1752
- C:\Users\Default User\csrss.exe
  "C:\Users\Default User\csrss.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:672
- C:\Users\Public\wininit.exe
  C:\Users\Public\wininit.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:872
- C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsass.exe
  "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsass.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2152
- C:\Program Files\VideoLAN\VLC\locale\ca@valencia\LC_MESSAGES\dwm.exe
  "C:\Program Files\VideoLAN\VLC\locale\ca@valencia\LC_MESSAGES\dwm.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2148
- C:\Recovery\fc26e022-289f-11ef-a973-46d84c032646\System.exe
  C:\Recovery\fc26e022-289f-11ef-a973-46d84c032646\System.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1632
- C:\Users\Default User\csrss.exe
  "C:\Users\Default User\csrss.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2540
- C:\Users\Public\wininit.exe
  C:\Users\Public\wininit.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:784
- C:\Windows\L2Schemas\smss.exe
  C:\Windows\L2Schemas\smss.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2860
- C:\Users\Default User\csrss.exe
  "C:\Users\Default User\csrss.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:624
- C:\Users\Public\wininit.exe
  C:\Users\Public\wininit.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2280
- C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsass.exe
  "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsass.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:552
- C:\Program Files\VideoLAN\VLC\locale\ca@valencia\LC_MESSAGES\dwm.exe
  "C:\Program Files\VideoLAN\VLC\locale\ca@valencia\LC_MESSAGES\dwm.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1320
- C:\Recovery\fc26e022-289f-11ef-a973-46d84c032646\System.exe
  C:\Recovery\fc26e022-289f-11ef-a973-46d84c032646\System.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5c27e7e3-f3fd-4cf1-b691-c0e0afdc5151.vbs

Filesize
511B

MD5
4f59493b5b9db1e284f78e1d47839e24

SHA1
e78835bfef1e4c09123a17ec3094a9e1083b9c08

SHA256
2f470576ca4c68ac6d4ac98d55c2ddd51372d7585b59b7fb2d722105755f3f82

SHA512
0adbaf10e6ab51192a6953ef0d0e32b15b6e592a237ad8e2d81d8cff7cfe06a3c388fee578dff8caa3c8eaff010ef3c8e261effda745ebe58d94afa7c83a3c23

Download Submit
C:\Users\Admin\AppData\Local\Temp\7e5eed7f-f8c5-4873-96b6-1bfd3a68abcd.vbs

Filesize
735B

MD5
0d6bd04c43bb370cf0dddd9f4ee86546

SHA1
71247c0e10b0e4d5c9dbb92a1160c84a0dd20d4f

SHA256
74ccc724735d1fa72295cdd09a6c471c8644fa61e1b3f9ca802f6414ce817beb

SHA512
73bac33bfa40d93663cd357351be25ae5cfeda1d179e9ad5cf312dafeeca6665f8991c648aff506113505f310eb0a861a42fe7f84f4fa182f8249f7a4d33af1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\GO75tdUpkG.bat

Filesize
224B

MD5
b56d35029ca988c42b6fdd6a80643c71

SHA1
bbc39369188bae24d0f81c34f9e581e74a36d5f1

SHA256
6bf38c667e2fb084aed3224b7c5ff911f9b93bf1ac717df50ce9bc343668d842

SHA512
2472969e427122e039164620f686daef7e462225ccdca7973afc0b93cb3c9b2213f1fd63f4cf7f2b613f446a517c631b016c6ef5c6e6121208e97d4bf5bc0c0a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
9e6b4c6b02d13f2b654a59f66c80768f

SHA1
0c4767858506eeffd297a40132e5a1d4fcc3e24e

SHA256
656111ea96de1d6c28da5e0dc91b0027286f0d716c1a201c8f6ea72351c95dc9

SHA512
c9c9ab5f7a15ad7bf21534d1815f43a7af257bc355002425b2aa016ddf665302886cb90dec734b68d70f936734298f74412f11966536840bd87455e87bc2ecf3

Download Submit
C:\containerperf\9nepdzd6Yg.vbe

Filesize
226B

MD5
fd73bba1ae261c1bde0a83ff425994c4

SHA1
7e9e51cef1374547c885b6e8bd62ed2a1dc6902b

SHA256
16f04c862e66dbdf8631baaa3c37e771281f59d68d60420d4dac89701c1fb732

SHA512
20644ded806f97cdd62b136fa4cd6bff7ed61d8c4f6d533dee3c71d3f12923243551e910f56d4504a0c67a89a3e50064fa8f53cb3b307150cf185c9016e004e4

Download Submit
C:\containerperf\MJF5L0LGrR45RopQV75MoqBbC.bat

Filesize
48B

MD5
7a122e2bf760c3ba657e5ba59337bce2

SHA1
e9ac1ad5c6b04628fdea1a0657f0e466a2a06261

SHA256
b9469f10268a8e4a44814d71f3eb6530f2a4970933b586f6dc5e3eebb2fe33f8

SHA512
89912e65857c9975e0c6ab2b3ea94f07547cba9e875b7db26dc87a6d2ec8ba79b9aa7421a78f8203587ffc70fe39df2c8fc95566c47d4681fa59f933129c6c64

Download Submit
\containerperf\Hyperblockport.exe

Filesize
2.9MB

MD5
a5eb91d9ffb09e43c86d3ac84354107f

SHA1
ab225fd443f3c209c4493e1dd823093c87364075

SHA256
13da0ed8f7f0cfbf7187ae5d3fe222a0aac5a0fad6e0c1f011f0ef3f8d126906

SHA512
3259e901d0347db552f658f89c11c711f328831a5da203b18e8383740a202b87aea4a2c84c33d3ca6d9a8200d1f933f8820379a7b77e094c005a004c9f3c59ee

Download Submit
memory/552-189-0x0000000000210000-0x00000000004F2000-memory.dmp

Filesize
2.9MB

Download
memory/672-172-0x00000000013C0000-0x00000000016A2000-memory.dmp

Filesize
2.9MB

Download
memory/784-180-0x0000000000D30000-0x0000000001012000-memory.dmp

Filesize
2.9MB

Download
memory/872-171-0x0000000000950000-0x0000000000C32000-memory.dmp

Filesize
2.9MB

Download
memory/1060-164-0x0000000000010000-0x00000000002F2000-memory.dmp

Filesize
2.9MB

Download
memory/1096-161-0x0000000000310000-0x00000000005F2000-memory.dmp

Filesize
2.9MB

Download
memory/1752-168-0x0000000000FD0000-0x00000000012B2000-memory.dmp

Filesize
2.9MB

Download
memory/2096-120-0x0000000000530000-0x0000000000542000-memory.dmp

Filesize
72KB

Download
memory/2096-119-0x0000000000900000-0x0000000000BE2000-memory.dmp

Filesize
2.9MB

Download
memory/2148-177-0x0000000000F50000-0x0000000001232000-memory.dmp

Filesize
2.9MB

Download
memory/2152-175-0x00000000012E0000-0x00000000015C2000-memory.dmp

Filesize
2.9MB

Download
memory/2280-186-0x00000000011B0000-0x0000000001492000-memory.dmp

Filesize
2.9MB

Download
memory/2640-160-0x0000000000DB0000-0x0000000001092000-memory.dmp

Filesize
2.9MB

Download
memory/2720-21-0x0000000000B90000-0x0000000000B9C000-memory.dmp

Filesize
48KB

Download
memory/2720-24-0x0000000000CB0000-0x0000000000CBC000-memory.dmp

Filesize
48KB

Download
memory/2720-32-0x0000000000EC0000-0x0000000000EC8000-memory.dmp

Filesize
32KB

Download
memory/2720-33-0x0000000000EF0000-0x0000000000EF8000-memory.dmp

Filesize
32KB

Download
memory/2720-34-0x0000000000F00000-0x0000000000F0C000-memory.dmp

Filesize
48KB

Download
memory/2720-13-0x0000000001390000-0x0000000001672000-memory.dmp

Filesize
2.9MB

Download
memory/2720-31-0x0000000000EB0000-0x0000000000EBE000-memory.dmp

Filesize
56KB

Download
memory/2720-29-0x0000000000CF0000-0x0000000000CFE000-memory.dmp

Filesize
56KB

Download
memory/2720-14-0x0000000000440000-0x000000000045C000-memory.dmp

Filesize
112KB

Download
memory/2720-28-0x0000000000CE0000-0x0000000000CEA000-memory.dmp

Filesize
40KB

Download
memory/2720-27-0x0000000000EA0000-0x0000000000EA8000-memory.dmp

Filesize
32KB

Download
memory/2720-26-0x0000000000CD0000-0x0000000000CDC000-memory.dmp

Filesize
48KB

Download
memory/2720-25-0x0000000000CC0000-0x0000000000CCC000-memory.dmp

Filesize
48KB

Download
memory/2720-30-0x0000000000D00000-0x0000000000D08000-memory.dmp

Filesize
32KB

Download
memory/2720-23-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/2720-22-0x0000000000C70000-0x0000000000C78000-memory.dmp

Filesize
32KB

Download
memory/2720-20-0x0000000000B80000-0x0000000000B88000-memory.dmp

Filesize
32KB

Download
memory/2720-19-0x0000000000B70000-0x0000000000B7C000-memory.dmp

Filesize
48KB

Download
memory/2720-18-0x0000000000C20000-0x0000000000C76000-memory.dmp

Filesize
344KB

Download
memory/2720-17-0x0000000000B60000-0x0000000000B6A000-memory.dmp

Filesize
40KB

Download
memory/2720-16-0x0000000000B50000-0x0000000000B60000-memory.dmp

Filesize
64KB

Download
memory/2720-15-0x0000000000AF0000-0x0000000000B06000-memory.dmp

Filesize
88KB

Download
memory/2860-183-0x0000000000120000-0x0000000000402000-memory.dmp

Filesize
2.9MB

Download
memory/2972-55-0x000000001B7A0000-0x000000001BA82000-memory.dmp

Filesize
2.9MB

Download
memory/2972-61-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download