dcrat | 369fee29d5d28b92e18c413371a74421a66ae2df72ffd1931826a2f5965b5880

Analysis

max time kernel
149s
max time network
139s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
18-01-2025 19:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

StablePolaria/PolariaClientStable.exe
Size

1.2MB
MD5

93beba30961d66c4bf317a91e2ceab60
SHA1

5c394cf0254b1eebb9a978556ce6d94f8fced169
SHA256

da55b07483858fc038855e7aa1290036419f9dadb362c510951d20385106584d
SHA512

9a7ed86f099c7ab52357cc846e3d872bf4e9f33e3792e16395200e1c4cc9e0b491a94eb45430c202da50a4f2bdb23f0d7d2bcaa4aefe735996462f9789a0ae7d
SSDEEP

24576:O2G/nvxW3WY3h0KomE5c7JtTE/TWsO8Mxj:ObA3x3GKCuP3AMp

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4912	4220	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	472	4220	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3620	4220	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3340	4220	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4024	4220	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3500	4220	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	4220	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3948	4220	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5072	4220	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	4220	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	4220	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	4220	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4236	4220	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	4220	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	4220	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3864	4220	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	4220	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4152	4220	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	4220	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2408	4220	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4576	4220	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	4220	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3480	4220	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4644	4220	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5076	4220	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1848	4220	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5116	4220	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5048	4220	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	4220	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1316	4220	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1376	4220	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	4220	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1172	4220	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3476	4220	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4676	4220	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3352	4220	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1112	4220	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	724	4220	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3540	4220	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4088	4220	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4872	4220	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4884	4220	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3744	4220	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	988	4220	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4628	4220	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1028	4220	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4784	4220	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3844	4220	schtasks.exe	80

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral3/files/0x001900000002aab7-10.dat	dcrat
behavioral3/memory/3720-13-0x00000000005E0000-0x00000000006B6000-memory.dmp	dcrat

Executes dropped EXE 27 IoCs

pid	Process
3720	msHyperwin.exe
1356	sppsvc.exe
912	sppsvc.exe
2788	sppsvc.exe
4712	sppsvc.exe
4432	sppsvc.exe
3360	sppsvc.exe
2652	sppsvc.exe
4524	sppsvc.exe
1360	sppsvc.exe
2216	sppsvc.exe
3396	sppsvc.exe
2328	sppsvc.exe
3288	sppsvc.exe
4616	sppsvc.exe
3300	sppsvc.exe
1296	sppsvc.exe
5012	sppsvc.exe
2236	sppsvc.exe
2124	sppsvc.exe
3896	sppsvc.exe
4052	sppsvc.exe
4976	sppsvc.exe
3732	sppsvc.exe
2852	sppsvc.exe
1580	sppsvc.exe
1540	sppsvc.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\WindowsPowerShell\cc11b995f2a76d	msHyperwin.exe
File created	C:\Program Files\dotnet\host\SearchHost.exe	msHyperwin.exe
File created	C:\Program Files\dotnet\host\cfa885d449487c	msHyperwin.exe
File created	C:\Program Files\Windows Photo Viewer\Idle.exe	msHyperwin.exe
File created	C:\Program Files\Windows Photo Viewer\6ccacd8608530f	msHyperwin.exe
File created	C:\Program Files\WindowsPowerShell\winlogon.exe	msHyperwin.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SystemResources\Windows.UI.Shell\Images\SearchHost.exe	msHyperwin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PolariaClientStable.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 28 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings	PolariaClientStable.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings	msHyperwin.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings	sppsvc.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3864	schtasks.exe
1500	schtasks.exe
5116	schtasks.exe
5048	schtasks.exe
1376	schtasks.exe
1596	schtasks.exe
2416	schtasks.exe
2176	schtasks.exe
1804	schtasks.exe
1172	schtasks.exe
724	schtasks.exe
4576	schtasks.exe
4644	schtasks.exe
2028	schtasks.exe
4088	schtasks.exe
1028	schtasks.exe
3948	schtasks.exe
4676	schtasks.exe
3540	schtasks.exe
2780	schtasks.exe
1316	schtasks.exe
988	schtasks.exe
3500	schtasks.exe
3060	schtasks.exe
5072	schtasks.exe
4872	schtasks.exe
4884	schtasks.exe
1712	schtasks.exe
3476	schtasks.exe
3352	schtasks.exe
4152	schtasks.exe
2408	schtasks.exe
3744	schtasks.exe
3844	schtasks.exe
472	schtasks.exe
3620	schtasks.exe
3340	schtasks.exe
1112	schtasks.exe
4784	schtasks.exe
4024	schtasks.exe
2284	schtasks.exe
1848	schtasks.exe
3480	schtasks.exe
5076	schtasks.exe
4628	schtasks.exe
4912	schtasks.exe
4236	schtasks.exe
2400	schtasks.exe

Suspicious behavior: EnumeratesProcesses 49 IoCs

pid	Process
3720	msHyperwin.exe
3720	msHyperwin.exe
3720	msHyperwin.exe
3720	msHyperwin.exe
3720	msHyperwin.exe
3720	msHyperwin.exe
3720	msHyperwin.exe
3720	msHyperwin.exe
3720	msHyperwin.exe
3720	msHyperwin.exe
3720	msHyperwin.exe
3720	msHyperwin.exe
3720	msHyperwin.exe
3720	msHyperwin.exe
3720	msHyperwin.exe
3720	msHyperwin.exe
3720	msHyperwin.exe
3720	msHyperwin.exe
3720	msHyperwin.exe
3720	msHyperwin.exe
3720	msHyperwin.exe
3720	msHyperwin.exe
3720	msHyperwin.exe
1356	sppsvc.exe
912	sppsvc.exe
2788	sppsvc.exe
4712	sppsvc.exe
4432	sppsvc.exe
3360	sppsvc.exe
2652	sppsvc.exe
4524	sppsvc.exe
1360	sppsvc.exe
2216	sppsvc.exe
3396	sppsvc.exe
2328	sppsvc.exe
3288	sppsvc.exe
4616	sppsvc.exe
3300	sppsvc.exe
1296	sppsvc.exe
5012	sppsvc.exe
2236	sppsvc.exe
2124	sppsvc.exe
3896	sppsvc.exe
4052	sppsvc.exe
4976	sppsvc.exe
3732	sppsvc.exe
2852	sppsvc.exe
1580	sppsvc.exe
1540	sppsvc.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeDebugPrivilege	3720	msHyperwin.exe
Token: SeDebugPrivilege	1356	sppsvc.exe
Token: SeDebugPrivilege	912	sppsvc.exe
Token: SeDebugPrivilege	2788	sppsvc.exe
Token: SeDebugPrivilege	4712	sppsvc.exe
Token: SeDebugPrivilege	4432	sppsvc.exe
Token: SeDebugPrivilege	3360	sppsvc.exe
Token: SeDebugPrivilege	2652	sppsvc.exe
Token: SeDebugPrivilege	4524	sppsvc.exe
Token: SeDebugPrivilege	1360	sppsvc.exe
Token: SeDebugPrivilege	2216	sppsvc.exe
Token: SeDebugPrivilege	3396	sppsvc.exe
Token: SeDebugPrivilege	2328	sppsvc.exe
Token: SeDebugPrivilege	3288	sppsvc.exe
Token: SeDebugPrivilege	4616	sppsvc.exe
Token: SeDebugPrivilege	3300	sppsvc.exe
Token: SeDebugPrivilege	1296	sppsvc.exe
Token: SeDebugPrivilege	5012	sppsvc.exe
Token: SeDebugPrivilege	2236	sppsvc.exe
Token: SeDebugPrivilege	2124	sppsvc.exe
Token: SeDebugPrivilege	3896	sppsvc.exe
Token: SeDebugPrivilege	4052	sppsvc.exe
Token: SeDebugPrivilege	4976	sppsvc.exe
Token: SeDebugPrivilege	3732	sppsvc.exe
Token: SeDebugPrivilege	2852	sppsvc.exe
Token: SeDebugPrivilege	1580	sppsvc.exe
Token: SeDebugPrivilege	1540	sppsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3900 wrote to memory of 5092	3900	PolariaClientStable.exe	76
PID 3900 wrote to memory of 5092	3900	PolariaClientStable.exe	76
PID 3900 wrote to memory of 5092	3900	PolariaClientStable.exe	76
PID 5092 wrote to memory of 4064	5092	WScript.exe	77
PID 5092 wrote to memory of 4064	5092	WScript.exe	77
PID 5092 wrote to memory of 4064	5092	WScript.exe	77
PID 4064 wrote to memory of 3720	4064	cmd.exe	79
PID 4064 wrote to memory of 3720	4064	cmd.exe	79
PID 3720 wrote to memory of 4048	3720	msHyperwin.exe	129
PID 3720 wrote to memory of 4048	3720	msHyperwin.exe	129
PID 4048 wrote to memory of 2328	4048	cmd.exe	131
PID 4048 wrote to memory of 2328	4048	cmd.exe	131
PID 4048 wrote to memory of 1356	4048	cmd.exe	132
PID 4048 wrote to memory of 1356	4048	cmd.exe	132
PID 1356 wrote to memory of 1252	1356	sppsvc.exe	133
PID 1356 wrote to memory of 1252	1356	sppsvc.exe	133
PID 1252 wrote to memory of 2992	1252	cmd.exe	135
PID 1252 wrote to memory of 2992	1252	cmd.exe	135
PID 1252 wrote to memory of 912	1252	cmd.exe	136
PID 1252 wrote to memory of 912	1252	cmd.exe	136
PID 912 wrote to memory of 4580	912	sppsvc.exe	137
PID 912 wrote to memory of 4580	912	sppsvc.exe	137
PID 4580 wrote to memory of 1912	4580	cmd.exe	139
PID 4580 wrote to memory of 1912	4580	cmd.exe	139
PID 4580 wrote to memory of 2788	4580	cmd.exe	140
PID 4580 wrote to memory of 2788	4580	cmd.exe	140
PID 2788 wrote to memory of 2532	2788	sppsvc.exe	141
PID 2788 wrote to memory of 2532	2788	sppsvc.exe	141
PID 2532 wrote to memory of 3836	2532	cmd.exe	143
PID 2532 wrote to memory of 3836	2532	cmd.exe	143
PID 2532 wrote to memory of 4712	2532	cmd.exe	144
PID 2532 wrote to memory of 4712	2532	cmd.exe	144
PID 4712 wrote to memory of 4656	4712	sppsvc.exe	145
PID 4712 wrote to memory of 4656	4712	sppsvc.exe	145
PID 4656 wrote to memory of 3244	4656	cmd.exe	147
PID 4656 wrote to memory of 3244	4656	cmd.exe	147
PID 4656 wrote to memory of 4432	4656	cmd.exe	148
PID 4656 wrote to memory of 4432	4656	cmd.exe	148
PID 4432 wrote to memory of 4756	4432	sppsvc.exe	149
PID 4432 wrote to memory of 4756	4432	sppsvc.exe	149
PID 4756 wrote to memory of 4912	4756	cmd.exe	151
PID 4756 wrote to memory of 4912	4756	cmd.exe	151
PID 4756 wrote to memory of 3360	4756	cmd.exe	152
PID 4756 wrote to memory of 3360	4756	cmd.exe	152
PID 3360 wrote to memory of 3948	3360	sppsvc.exe	153
PID 3360 wrote to memory of 3948	3360	sppsvc.exe	153
PID 3948 wrote to memory of 2900	3948	cmd.exe	155
PID 3948 wrote to memory of 2900	3948	cmd.exe	155
PID 3948 wrote to memory of 2652	3948	cmd.exe	156
PID 3948 wrote to memory of 2652	3948	cmd.exe	156
PID 2652 wrote to memory of 2920	2652	sppsvc.exe	157
PID 2652 wrote to memory of 2920	2652	sppsvc.exe	157
PID 2920 wrote to memory of 3316	2920	cmd.exe	159
PID 2920 wrote to memory of 3316	2920	cmd.exe	159
PID 2920 wrote to memory of 4524	2920	cmd.exe	160
PID 2920 wrote to memory of 4524	2920	cmd.exe	160
PID 4524 wrote to memory of 2840	4524	sppsvc.exe	161
PID 4524 wrote to memory of 2840	4524	sppsvc.exe	161
PID 2840 wrote to memory of 2028	2840	cmd.exe	163
PID 2840 wrote to memory of 2028	2840	cmd.exe	163
PID 2840 wrote to memory of 1360	2840	cmd.exe	164
PID 2840 wrote to memory of 1360	2840	cmd.exe	164
PID 1360 wrote to memory of 4676	1360	sppsvc.exe	165
PID 1360 wrote to memory of 4676	1360	sppsvc.exe	165

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\StablePolaria\PolariaClientStable.exe
"C:\Users\Admin\AppData\Local\Temp\StablePolaria\PolariaClientStable.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3900
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\blockportPerf\xzo2bGgmPslNl7slz3g.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5092
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\blockportPerf\8NgAaSzS.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4064
  - - C:\blockportPerf\msHyperwin.exe
      "C:\blockportPerf\msHyperwin.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3720
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cYSEhgVzKB.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4048
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2328
      - C:\blockportPerf\sppsvc.exe
        
        "C:\blockportPerf\sppsvc.exe"
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1356
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YUw1O57cI2.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1252
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2992
        
        C:\blockportPerf\sppsvc.exe
        
        "C:\blockportPerf\sppsvc.exe"
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:912
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\n7UEJyIAjk.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:4580
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:1912
        
        C:\blockportPerf\sppsvc.exe
        
        "C:\blockportPerf\sppsvc.exe"
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2788
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\60iZj2KDpL.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2532
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:3836
        
        C:\blockportPerf\sppsvc.exe
        
        "C:\blockportPerf\sppsvc.exe"
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4712
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0x9T38u1li.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:4656
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:3244
        
        C:\blockportPerf\sppsvc.exe
        
        "C:\blockportPerf\sppsvc.exe"
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4432
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vFDRBKGR2C.bat"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:4756
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:4912
        
        C:\blockportPerf\sppsvc.exe
        
        "C:\blockportPerf\sppsvc.exe"
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3360
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CooinIVsng.bat"
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:3948
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2900
        
        C:\blockportPerf\sppsvc.exe
        
        "C:\blockportPerf\sppsvc.exe"
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2652
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UMOyPGkKXB.bat"
        19⤵
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:3316
        
        C:\blockportPerf\sppsvc.exe
        
        "C:\blockportPerf\sppsvc.exe"
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4524
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\60iZj2KDpL.bat"
        21⤵
        Suspicious use of WriteProcessMemory
        
        PID:2840
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2028
        
        C:\blockportPerf\sppsvc.exe
        
        "C:\blockportPerf\sppsvc.exe"
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1360
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QVLs15dYuc.bat"
        23⤵
        
        PID:4676
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1380
        
        C:\blockportPerf\sppsvc.exe
        
        "C:\blockportPerf\sppsvc.exe"
        24⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2216
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\z6HXYUNDfk.bat"
        25⤵
        
        PID:968
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:4992
        
        C:\blockportPerf\sppsvc.exe
        
        "C:\blockportPerf\sppsvc.exe"
        26⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3396
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aPx44ABVco.bat"
        27⤵
        
        PID:3720
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:4880
        
        C:\blockportPerf\sppsvc.exe
        
        "C:\blockportPerf\sppsvc.exe"
        28⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2328
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UMOyPGkKXB.bat"
        29⤵
        
        PID:2852
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        30⤵
        
        PID:4892
        
        C:\blockportPerf\sppsvc.exe
        
        "C:\blockportPerf\sppsvc.exe"
        30⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3288
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\60iZj2KDpL.bat"
        31⤵
        
        PID:4888
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        32⤵
        
        PID:4948
        
        C:\blockportPerf\sppsvc.exe
        
        "C:\blockportPerf\sppsvc.exe"
        32⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4616
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\n7UEJyIAjk.bat"
        33⤵
        
        PID:1760
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        34⤵
        
        PID:1348
        
        C:\blockportPerf\sppsvc.exe
        
        "C:\blockportPerf\sppsvc.exe"
        34⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3300
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nGcIoKmMem.bat"
        35⤵
        
        PID:4040
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        36⤵
        
        PID:3332
        
        C:\blockportPerf\sppsvc.exe
        
        "C:\blockportPerf\sppsvc.exe"
        36⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1296
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LdHmevWlG3.bat"
        37⤵
        
        PID:2932
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        38⤵
        
        PID:4188
        
        C:\blockportPerf\sppsvc.exe
        
        "C:\blockportPerf\sppsvc.exe"
        38⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5012
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GvLkm7sAXX.bat"
        39⤵
        
        PID:3728
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        40⤵
        
        PID:4912
        
        C:\blockportPerf\sppsvc.exe
        
        "C:\blockportPerf\sppsvc.exe"
        40⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2236
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Asmf6CRzTu.bat"
        41⤵
        
        PID:4828
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        42⤵
        
        PID:2900
        
        C:\blockportPerf\sppsvc.exe
        
        "C:\blockportPerf\sppsvc.exe"
        42⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2124
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GvLkm7sAXX.bat"
        43⤵
        
        PID:1000
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        44⤵
        
        PID:3024
        
        C:\blockportPerf\sppsvc.exe
        
        "C:\blockportPerf\sppsvc.exe"
        44⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3896
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cSLzsZ1i8q.bat"
        45⤵
        
        PID:2276
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        46⤵
        
        PID:1688
        
        C:\blockportPerf\sppsvc.exe
        
        "C:\blockportPerf\sppsvc.exe"
        46⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4052
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BjebbrynYr.bat"
        47⤵
        
        PID:4128
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        48⤵
        
        PID:1992
        
        C:\blockportPerf\sppsvc.exe
        
        "C:\blockportPerf\sppsvc.exe"
        48⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4976
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Asmf6CRzTu.bat"
        49⤵
        
        PID:4556
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        50⤵
        
        PID:1164
        
        C:\blockportPerf\sppsvc.exe
        
        "C:\blockportPerf\sppsvc.exe"
        50⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3732
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4vYRXbn8bW.bat"
        51⤵
        
        PID:2468
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        52⤵
        
        PID:1356
        
        C:\blockportPerf\sppsvc.exe
        
        "C:\blockportPerf\sppsvc.exe"
        52⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2852
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NiQtqM3qVs.bat"
        53⤵
        
        PID:2320
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        54⤵
        
        PID:2148
        
        C:\blockportPerf\sppsvc.exe
        
        "C:\blockportPerf\sppsvc.exe"
        54⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1580
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hJP5Gj8VmP.bat"
        55⤵
        
        PID:824
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        56⤵
        
        PID:4032
        
        C:\blockportPerf\sppsvc.exe
        
        "C:\blockportPerf\sppsvc.exe"
        56⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1540
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GvLkm7sAXX.bat"
        57⤵
        
        PID:1040
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        58⤵
        
        PID:232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\All Users\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\blockportPerf\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\blockportPerf\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\blockportPerf\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\blockportPerf\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\blockportPerf\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\blockportPerf\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\blockportPerf\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\blockportPerf\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\blockportPerf\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchHostS" /sc MINUTE /mo 9 /tr "'C:\Program Files\dotnet\host\SearchHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchHost" /sc ONLOGON /tr "'C:\Program Files\dotnet\host\SearchHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchHostS" /sc MINUTE /mo 12 /tr "'C:\Program Files\dotnet\host\SearchHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\blockportPerf\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\blockportPerf\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\blockportPerf\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Photo Viewer\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Photo Viewer\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files\WindowsPowerShell\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files\WindowsPowerShell\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\blockportPerf\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\blockportPerf\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\blockportPerf\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\AppData\Roaming\Sun\Java\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\Sun\Java\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\AppData\Roaming\Sun\Java\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Videos\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Public\Videos\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Videos\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sppsvc.exe.log

Filesize
1KB

MD5
b4e91d2e5f40d5e2586a86cf3bb4df24

SHA1
31920b3a41aa4400d4a0230a7622848789b38672

SHA256
5d8af3c7519874ed42a0d74ee559ae30d9cc6930aef213079347e2b47092c210

SHA512
968751b79a98961f145de48d425ea820fd1875bae79a725adf35fc8f4706c103ee0c7babd4838166d8a0dda9fbce3728c0265a04c4b37f335ec4eaa110a2b319

Download Submit
C:\Users\Admin\AppData\Local\Temp\0x9T38u1li.bat

Filesize
192B

MD5
444b64a60d7c8855594b121c7ab31a0c

SHA1
d166bd201baa4b6d4926acc4c13fc0b65afb0f21

SHA256
da7e23f6a8a68a3251a682597a97d075bd1a3d4444a3a3d5ea182a9bf5667b0c

SHA512
2a375f2bad66784493f645ebca7d4d218ff394db3a575d21da01b01b3d5a69bee558b1305b141f9f950b9b070844375d948760849847994f5bb3f4888c787991

Download Submit
C:\Users\Admin\AppData\Local\Temp\4vYRXbn8bW.bat

Filesize
192B

MD5
9c530fb4a13b1d94a5faa82eac89b2b5

SHA1
e0a9ea945aa9890a5ef8862d484961d1330167c4

SHA256
3b0fd4b68ccedc1ef00cd5dea94280810ea05dce2e64c8152b34e944b8e30772

SHA512
440922d0130f1c815e13501ef8a108507c2737e0bb1173a2dd48074781e580858fc0047eeebfcd91b9b843797c681c86dab8aa87985928343b9e67d8480af501

Download Submit
C:\Users\Admin\AppData\Local\Temp\60iZj2KDpL.bat

Filesize
192B

MD5
d738b11e04b5fda9aae4eb0129cc1689

SHA1
f4b01a3da25f60227bac1cd4d1806d8a08476c0a

SHA256
acd12cc0f92a395c64c99d9fe195c3eb712cacd6e1e5c96af08973a96e8f745e

SHA512
325e20f797c9b95133be23be73063f9ce3aacb4dbacf994a39b330d25d5fdc910952e9b30db9d6135ad59fe8ed99b77534b3cab59774508003dea5666c625013

Download Submit
C:\Users\Admin\AppData\Local\Temp\Asmf6CRzTu.bat

Filesize
192B

MD5
7140569b8983edc0d2261d53ef6e95ff

SHA1
2560a3bf0542d312b3cda13b6afb483087d6df87

SHA256
0b94cecb7290e6cf26f5e673d1ab2f841ca7775f35f1fcf4f9c0c8d69a422752

SHA512
f84a6fa541136383bf1f2ec1611b8f00d7f9f728625f1b0ce873755c6613a96fab06d0aab02aad16d296430151b775947e11bc7560541a07f1547d1ed4294c17

Download Submit
C:\Users\Admin\AppData\Local\Temp\BjebbrynYr.bat

Filesize
192B

MD5
0221c6c49e0fc98b6f9d0dac717911d7

SHA1
df486e529adc14003055a3ebca68ba825cc96194

SHA256
28b6541f7613aafcedbb59096728cf07558d04efedd80477c35e884b3b27e040

SHA512
fe39cc04fc95d4e794f4843b9b84a156abc12a61d2020009294a92f0608b4a29b65cac31fd059a22210b9abe2cce2ae82190896a816f4b218b17e982fdcaafcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\CooinIVsng.bat

Filesize
192B

MD5
d98663a7467b44542f85b77f011a1185

SHA1
213d152f0295c38cbe57ee8d9735d758345ac387

SHA256
74728ef076aa2b451a536a2434503ef07e020b7d315c9326f99c3d63ebea0ea5

SHA512
13ddcdc78977482258b4c054f4b412de5fb52963237ce8aca2c8a6bdc40e86fb2e13b0cf96a38d8c242334734c5cfd43e1838f3c9e2500003946f34e3a41b557

Download Submit
C:\Users\Admin\AppData\Local\Temp\GvLkm7sAXX.bat

Filesize
192B

MD5
7ee684a2187d8089b17e6d0f6698386f

SHA1
07ea332b9f6adb44cadd84d0bfd315e63f9bf9ea

SHA256
964a05ef511eb8bf37287e1208e82adae63d9ed6e25b9a790e37a4ab42c3dd13

SHA512
b490fc03a85c7fad2b60ca8c4c6177bca5a7870c609f95c7a050cde9cbfeb3791ed640f2b9ad060e009c6240abce803e7e7e63da8aac0a99975b22e4b3bc4ba0

Download Submit
C:\Users\Admin\AppData\Local\Temp\LdHmevWlG3.bat

Filesize
192B

MD5
51f6953e39a04c2cf3e23b9c3ef0832d

SHA1
84ef9889156d15d1c7eb709336e3294c8a892b94

SHA256
bf5cb2b58ca3cacb0236382478e5fed0e05cc51cb5abe6f807606043fec6c6ce

SHA512
9261156067c4dd3ca60cb5712c0a78ed2e886a4aa0884c228ef6f2ac4007a7fa645d916f201cc76c88e035f3bbea886f2b36697cefce7c4ba7d8e7b9b76354f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\NiQtqM3qVs.bat

Filesize
192B

MD5
f058373ebf88fd4976ce5d78cea7dfda

SHA1
eb02d5256c288383b53d9c2bfe8fc3d711e233b8

SHA256
31094cf68abfbf66b5626d1e40875f3aecc303201193cc56359b0f3ed71c7b4b

SHA512
0736960d2c8714819a359d809f2195a3275c4cb88a4a72dca279d462e1f15ec70067300d73ec6170fdb00215bf02e56e3416c7e9de3f376b2c7c2510b202b186

Download Submit
C:\Users\Admin\AppData\Local\Temp\QVLs15dYuc.bat

Filesize
192B

MD5
35853089d6983b760700899d185b1492

SHA1
6d87aa74f42751749095473be6922ef7abd4ffa8

SHA256
ddbaba3d6f96f5e0575d11c2a35ae1e83cc5cf6db86b07fc52464dd647214352

SHA512
b9143ef8602d11371217b2f64f6c3c82749700ed72f9e5243393292335f0a17ae5f42b8fed772ebdac0231c712401ef21a7adeae9d2c1502072d8403f6dcce2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UMOyPGkKXB.bat

Filesize
192B

MD5
5ad69b4625341ea70e9437c60af55309

SHA1
b0342820dcb3e1832f473f9c9722a585afcd0965

SHA256
93ebbdf842dae8afba0115adaceaa347392b905286d0f6de769ab45c37a67c9a

SHA512
2bdfad2aea79455a38180ee7c5375b39e6fd4668949243d980fb79c68673cbfbca28b2d2d2c15f57765db02600360c24d2d1c70ac46179a4f7d1da2352e9cd0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\YUw1O57cI2.bat

Filesize
192B

MD5
ec759366224f1a62feaef54e0e800bfc

SHA1
df38257c4ef09d087e2f7acc83e3fbfbceab0d46

SHA256
3f5b2dcc1fbbc72c013d57ce71ddee647b967e404180a1ad0b2dc611d3bd58da

SHA512
ddf186b628b84471b4b0acbd99984403813350478173d3541173f3600a3f59ee2d45a78e18a10bc5b0c5fe85e07311a4806f6e69f72b785674e3c0ba0da0150f

Download Submit
C:\Users\Admin\AppData\Local\Temp\aPx44ABVco.bat

Filesize
192B

MD5
71440ed881d9bf8b5526206f0347b74f

SHA1
1d88ee25cca233073d6960bf97bf48f3c1f23823

SHA256
1d38a19ad136bcd8cdbbe10a4969dab63efb406b8dcc92f02d936e1f00f97a3a

SHA512
13dd48f3fe68649b3dc49843a13d53fc0935ee71e9f2b78dc077e380ebb04fec08f63bcf6b830793eebfe9efd3f0bd2bebb1728ce34659360af9bd940dbe7e41

Download Submit
C:\Users\Admin\AppData\Local\Temp\cSLzsZ1i8q.bat

Filesize
192B

MD5
943ef0af7f3ae1f50ce253a06d0b5d59

SHA1
03cb65ed1603eb1b0dd7cc1edbe2ee4938a9adbf

SHA256
48fcd79a8ac66a46a2fa67a7693048c6b7943f11e79c5d757ea5b6f9069c1a43

SHA512
ac4d1353907f97509b340ee83af9a4e38e4e7c90b8b9275d9ab57559a037f17916328c5a51217ab838db06fb46c91e6051988f23cbdc63a619f4c67863c4ec2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cYSEhgVzKB.bat

Filesize
192B

MD5
42b0df5ef5f1b93555585dab775af17d

SHA1
1878cdc6714eeca35681e224a9ee0bf8a6b9fc37

SHA256
a533fecfa7ff8646cd40319b2786f916392aa26bddd3944ec34cbb23da6b237c

SHA512
15a11fc6d852050c502c130eacfaaf78f0af71f47ba6551f61ab5d779723982c8bba830b2aaf071602479e21fdc77d48b42ca860a8323eb4316461b6de1db89e

Download Submit
C:\Users\Admin\AppData\Local\Temp\hJP5Gj8VmP.bat

Filesize
192B

MD5
a2de6b489ec00fb49cc75c8b773d1232

SHA1
c50d134a810bb47917506ebd5c93f1cadbcea80f

SHA256
e5878918ed5e8d7e01165aa1a393dcfb26f1cf6897d52894c741cbf88e7b4fea

SHA512
e1f68307b843c20aadbc8b7075b89f6f56176d4420af657119e7f52a515708292692d30d3c18bd644da7fd727aca53ff574bf8fb003153aba6a0e03000d3b78e

Download Submit
C:\Users\Admin\AppData\Local\Temp\n7UEJyIAjk.bat

Filesize
192B

MD5
4933916e30e3a4d5fb0b1182218fd972

SHA1
aa692c33b72633a51f2f47a04cc1276ba0558f0e

SHA256
de790d9d9e91d092260bb39c9b3d90aae15be59fc70fb6622b816b074a503e29

SHA512
d34dcd1a0b3594e2845adefb4b5a668bfb1a169efde11e326e96b9668befca8176def8894131adb18dc075b516ebafa0612b5e06de234ffd6331e53635aecbc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nGcIoKmMem.bat

Filesize
192B

MD5
2db2f1156925f9946327d05f7f3c6693

SHA1
279d5625bd4616cef13fa2c11199a84a0a6a9f55

SHA256
61f5b4978983222d8daa99323653789ea456988b773ae3cec53a1075105fb671

SHA512
a29d515957f0ffc101e612c0e51f44eaa44b49b408c6d1fb9820f28ef31b23cbf1a4bcb5b9a72229dbb46e0d0fe4d9defdd4aa90e718f47e082a4b04d258eafa

Download Submit
C:\Users\Admin\AppData\Local\Temp\vFDRBKGR2C.bat

Filesize
192B

MD5
8634d3903e79fde44e9fb6a5a97a7f86

SHA1
20b03cd79b3889b96f13264049cd731cc691c2e3

SHA256
124fae6538b6f05da990dad15a5729e1e2de2a4bb3b1e26bf474c8817b71847d

SHA512
fdd556bf46fe6cef9139ee363e86c6adef0ab2fb4a7eb25a5573fa1a005039c459c52e30ab4adf0991b0f1e38641d2394a210b03cbee2dd2140daf28d06bd6bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\z6HXYUNDfk.bat

Filesize
192B

MD5
94c469793a095e5184e72da06a833627

SHA1
e88d41c3fe621edc4e05a82871843e5760398e56

SHA256
55e9179f17b921956776362018c80b5d4c054fd82298c3053d04bb9bf54a6a78

SHA512
f4f6843b3a2cb70fad69e254c900ff0f9e61fd98c2fcd936928e48b5884564e62c15f17687d1867a7f8c1acbf1f56b92a7c195800026f79b0515f23f0cf504f2

Download Submit
C:\blockportPerf\8NgAaSzS.bat

Filesize
33B

MD5
129edcab253879180520a89894a75a65

SHA1
0757b18d5ac0e84303aefbf6873fee3f986008af

SHA256
589907f4666f0ef1c2be88ce6ecf69ba91aa109d9e7f02563e3f8d49e5b38c7a

SHA512
87417310af71b5bac41f744c438c89a14add86ad2dbcc92af1c56ebc77c1b427b78bce9fd5bbe3a7149d39b4a551cd2c7f3027841684cb41f120c98a756cc3cf

Download Submit
C:\blockportPerf\msHyperwin.exe

Filesize
828KB

MD5
eb50118d9bc9039a4621a53c99f7cba6

SHA1
60e0072e6d2da16d798115051c78b39d0b612da4

SHA256
0bf3dd8cbac480d92c5a0dc3e57d4fc3dcc39e728a35706d6c01ef5b6d194bfa

SHA512
d40f27a12cb4c3ca3beca7cbf4b51e178ab779841494fb755e0d609656fbd0782fc41313ec6956dcfc754a0ee7b43456f7b95a334372020081be868d82f0a552

Download Submit
C:\blockportPerf\xzo2bGgmPslNl7slz3g.vbe

Filesize
198B

MD5
be713fe492452bddabb6fb4bde0296f5

SHA1
b28b6b2c6efe00e6c81dd684248d4113e982308c

SHA256
d5242705fd1f4f9f43d7e27c99a099053e5c17179ad5be934c8b4d8962990b68

SHA512
25af67b34aca8ee054727f1715ae00a6a3c5fc0dcdee98baf283463e3ecc016548688e36f7e277671487bdc64c63773c5e9695935b18e127081d8cdd45298344

Download Submit
memory/3720-13-0x00000000005E0000-0x00000000006B6000-memory.dmp

Filesize
856KB

Download
memory/3720-12-0x00007FFEB1DB3000-0x00007FFEB1DB5000-memory.dmp

Filesize
8KB

Download