dcrat | 369fee29d5d28b92e18c413371a74421a66ae2df72ffd1931826a2f5965b5880

Analysis

max time kernel
145s
max time network
18s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
18-01-2025 19:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

StablePolaria/PolariaClientStable.exe
Size

1.2MB
MD5

93beba30961d66c4bf317a91e2ceab60
SHA1

5c394cf0254b1eebb9a978556ce6d94f8fced169
SHA256

da55b07483858fc038855e7aa1290036419f9dadb362c510951d20385106584d
SHA512

9a7ed86f099c7ab52357cc846e3d872bf4e9f33e3792e16395200e1c4cc9e0b491a94eb45430c202da50a4f2bdb23f0d7d2bcaa4aefe735996462f9789a0ae7d
SSDEEP

24576:O2G/nvxW3WY3h0KomE5c7JtTE/TWsO8Mxj:ObA3x3GKCuP3AMp

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1336	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2544	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	832	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	860	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	2884	schtasks.exe	34

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0005000000019c3c-9.dat	dcrat
behavioral1/memory/2032-13-0x0000000000CB0000-0x0000000000D86000-memory.dmp	dcrat
behavioral1/memory/2332-27-0x0000000000A60000-0x0000000000B36000-memory.dmp	dcrat
behavioral1/memory/2148-40-0x0000000000B50000-0x0000000000C26000-memory.dmp	dcrat
behavioral1/memory/1636-47-0x0000000001390000-0x0000000001466000-memory.dmp	dcrat
behavioral1/memory/1148-90-0x0000000000320000-0x00000000003F6000-memory.dmp	dcrat
behavioral1/memory/980-97-0x0000000001270000-0x0000000001346000-memory.dmp	dcrat
behavioral1/memory/1280-116-0x0000000000350000-0x0000000000426000-memory.dmp	dcrat
behavioral1/memory/1668-123-0x0000000000890000-0x0000000000966000-memory.dmp	dcrat
behavioral1/memory/1620-130-0x00000000003E0000-0x00000000004B6000-memory.dmp	dcrat
behavioral1/memory/2828-137-0x0000000001370000-0x0000000001446000-memory.dmp	dcrat

Executes dropped EXE 24 IoCs

pid	Process
2032	msHyperwin.exe
2332	winlogon.exe
284	winlogon.exe
2148	winlogon.exe
1636	winlogon.exe
1932	winlogon.exe
1236	winlogon.exe
2272	winlogon.exe
1476	winlogon.exe
2848	winlogon.exe
3060	winlogon.exe
1148	winlogon.exe
980	winlogon.exe
2312	winlogon.exe
1820	winlogon.exe
1280	winlogon.exe
1668	winlogon.exe
1620	winlogon.exe
2828	winlogon.exe
2424	winlogon.exe
3064	winlogon.exe
2748	winlogon.exe
2756	winlogon.exe
980	winlogon.exe

Loads dropped DLL 2 IoCs

pid	Process
2876	cmd.exe
2876	cmd.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Defender\taskhost.exe	msHyperwin.exe
File created	C:\Program Files (x86)\Windows Defender\b75386f1303e64	msHyperwin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PolariaClientStable.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2788	schtasks.exe
1336	schtasks.exe
2748	schtasks.exe
2456	schtasks.exe
2836	schtasks.exe
2544	schtasks.exe
832	schtasks.exe
860	schtasks.exe
2628	schtasks.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2032	msHyperwin.exe
2332	winlogon.exe
284	winlogon.exe
2148	winlogon.exe
1636	winlogon.exe
1932	winlogon.exe
1236	winlogon.exe
2272	winlogon.exe
1476	winlogon.exe
2848	winlogon.exe
3060	winlogon.exe
1148	winlogon.exe
980	winlogon.exe
2312	winlogon.exe
1820	winlogon.exe
1280	winlogon.exe
1668	winlogon.exe
1620	winlogon.exe
2828	winlogon.exe
2424	winlogon.exe
3064	winlogon.exe
2748	winlogon.exe
2756	winlogon.exe
980	winlogon.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	2032	msHyperwin.exe
Token: SeDebugPrivilege	2332	winlogon.exe
Token: SeDebugPrivilege	284	winlogon.exe
Token: SeDebugPrivilege	2148	winlogon.exe
Token: SeDebugPrivilege	1636	winlogon.exe
Token: SeDebugPrivilege	1932	winlogon.exe
Token: SeDebugPrivilege	1236	winlogon.exe
Token: SeDebugPrivilege	2272	winlogon.exe
Token: SeDebugPrivilege	1476	winlogon.exe
Token: SeDebugPrivilege	2848	winlogon.exe
Token: SeDebugPrivilege	3060	winlogon.exe
Token: SeDebugPrivilege	1148	winlogon.exe
Token: SeDebugPrivilege	980	winlogon.exe
Token: SeDebugPrivilege	2312	winlogon.exe
Token: SeDebugPrivilege	1820	winlogon.exe
Token: SeDebugPrivilege	1280	winlogon.exe
Token: SeDebugPrivilege	1668	winlogon.exe
Token: SeDebugPrivilege	1620	winlogon.exe
Token: SeDebugPrivilege	2828	winlogon.exe
Token: SeDebugPrivilege	2424	winlogon.exe
Token: SeDebugPrivilege	3064	winlogon.exe
Token: SeDebugPrivilege	2748	winlogon.exe
Token: SeDebugPrivilege	2756	winlogon.exe
Token: SeDebugPrivilege	980	winlogon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 1288	2524	PolariaClientStable.exe	30
PID 2524 wrote to memory of 1288	2524	PolariaClientStable.exe	30
PID 2524 wrote to memory of 1288	2524	PolariaClientStable.exe	30
PID 2524 wrote to memory of 1288	2524	PolariaClientStable.exe	30
PID 1288 wrote to memory of 2876	1288	WScript.exe	31
PID 1288 wrote to memory of 2876	1288	WScript.exe	31
PID 1288 wrote to memory of 2876	1288	WScript.exe	31
PID 1288 wrote to memory of 2876	1288	WScript.exe	31
PID 2876 wrote to memory of 2032	2876	cmd.exe	33
PID 2876 wrote to memory of 2032	2876	cmd.exe	33
PID 2876 wrote to memory of 2032	2876	cmd.exe	33
PID 2876 wrote to memory of 2032	2876	cmd.exe	33
PID 2032 wrote to memory of 2252	2032	msHyperwin.exe	44
PID 2032 wrote to memory of 2252	2032	msHyperwin.exe	44
PID 2032 wrote to memory of 2252	2032	msHyperwin.exe	44
PID 2252 wrote to memory of 1928	2252	cmd.exe	46
PID 2252 wrote to memory of 1928	2252	cmd.exe	46
PID 2252 wrote to memory of 1928	2252	cmd.exe	46
PID 2252 wrote to memory of 2332	2252	cmd.exe	47
PID 2252 wrote to memory of 2332	2252	cmd.exe	47
PID 2252 wrote to memory of 2332	2252	cmd.exe	47
PID 2332 wrote to memory of 980	2332	winlogon.exe	48
PID 2332 wrote to memory of 980	2332	winlogon.exe	48
PID 2332 wrote to memory of 980	2332	winlogon.exe	48
PID 980 wrote to memory of 2448	980	cmd.exe	50
PID 980 wrote to memory of 2448	980	cmd.exe	50
PID 980 wrote to memory of 2448	980	cmd.exe	50
PID 980 wrote to memory of 284	980	cmd.exe	51
PID 980 wrote to memory of 284	980	cmd.exe	51
PID 980 wrote to memory of 284	980	cmd.exe	51
PID 284 wrote to memory of 2436	284	winlogon.exe	52
PID 284 wrote to memory of 2436	284	winlogon.exe	52
PID 284 wrote to memory of 2436	284	winlogon.exe	52
PID 2436 wrote to memory of 2408	2436	cmd.exe	54
PID 2436 wrote to memory of 2408	2436	cmd.exe	54
PID 2436 wrote to memory of 2408	2436	cmd.exe	54
PID 2436 wrote to memory of 2148	2436	cmd.exe	55
PID 2436 wrote to memory of 2148	2436	cmd.exe	55
PID 2436 wrote to memory of 2148	2436	cmd.exe	55
PID 2148 wrote to memory of 2168	2148	winlogon.exe	56
PID 2148 wrote to memory of 2168	2148	winlogon.exe	56
PID 2148 wrote to memory of 2168	2148	winlogon.exe	56
PID 2168 wrote to memory of 1972	2168	cmd.exe	58
PID 2168 wrote to memory of 1972	2168	cmd.exe	58
PID 2168 wrote to memory of 1972	2168	cmd.exe	58
PID 2168 wrote to memory of 1636	2168	cmd.exe	59
PID 2168 wrote to memory of 1636	2168	cmd.exe	59
PID 2168 wrote to memory of 1636	2168	cmd.exe	59
PID 1636 wrote to memory of 2204	1636	winlogon.exe	60
PID 1636 wrote to memory of 2204	1636	winlogon.exe	60
PID 1636 wrote to memory of 2204	1636	winlogon.exe	60
PID 2204 wrote to memory of 1492	2204	cmd.exe	62
PID 2204 wrote to memory of 1492	2204	cmd.exe	62
PID 2204 wrote to memory of 1492	2204	cmd.exe	62
PID 2204 wrote to memory of 1932	2204	cmd.exe	63
PID 2204 wrote to memory of 1932	2204	cmd.exe	63
PID 2204 wrote to memory of 1932	2204	cmd.exe	63
PID 1932 wrote to memory of 1544	1932	winlogon.exe	64
PID 1932 wrote to memory of 1544	1932	winlogon.exe	64
PID 1932 wrote to memory of 1544	1932	winlogon.exe	64
PID 1544 wrote to memory of 1060	1544	cmd.exe	66
PID 1544 wrote to memory of 1060	1544	cmd.exe	66
PID 1544 wrote to memory of 1060	1544	cmd.exe	66
PID 1544 wrote to memory of 1236	1544	cmd.exe	67

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\StablePolaria\PolariaClientStable.exe
"C:\Users\Admin\AppData\Local\Temp\StablePolaria\PolariaClientStable.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\blockportPerf\xzo2bGgmPslNl7slz3g.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1288
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\blockportPerf\8NgAaSzS.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2876
  - - C:\blockportPerf\msHyperwin.exe
      "C:\blockportPerf\msHyperwin.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2032
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LezCHkPJzz.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2252
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1928
      - C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2332
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\auWhjrprfd.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:980
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2448
        
        C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:284
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0SbqORFfit.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2436
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2408
        
        C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2148
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\X9PDuMdk3a.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1972
        
        C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1636
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UTkrWZWekQ.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:2204
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1492
        
        C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1932
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZgKlNS7JdR.bat"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:1544
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1060
        
        C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1236
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2Oj9OucH8K.bat"
        17⤵
        
        PID:1168
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1036
        
        C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2272
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VCTPXfsZqS.bat"
        19⤵
        
        PID:3048
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2396
        
        C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1476
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BikqvEHWfW.bat"
        21⤵
        
        PID:2892
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2740
        
        C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2848
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MpmmxgpAh8.bat"
        23⤵
        
        PID:2700
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:3040
        
        C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3060
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TdlfhXh7Yo.bat"
        25⤵
        
        PID:2840
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:2252
        
        C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1148
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1JZ2DT5CuV.bat"
        27⤵
        
        PID:1112
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:272
        
        C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe"
        28⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:980
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CPbxFudqw6.bat"
        29⤵
        
        PID:1872
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        30⤵
        
        PID:2176
        
        C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe"
        30⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2312
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hANH4lx1y1.bat"
        31⤵
        
        PID:976
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        32⤵
        
        PID:1716
        
        C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe"
        32⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1820
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EqBdbgL5Ji.bat"
        33⤵
        
        PID:1384
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        34⤵
        
        PID:2724
        
        C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe"
        34⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1280
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hevtjRcN1r.bat"
        35⤵
        
        PID:668
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        36⤵
        
        PID:1060
        
        C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe"
        36⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1668
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cwtcXGf4Cf.bat"
        37⤵
        
        PID:1236
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        38⤵
        
        PID:1328
        
        C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe"
        38⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1620
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BYj1kG62r9.bat"
        39⤵
        
        PID:2864
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        40⤵
        
        PID:2576
        
        C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe"
        40⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2828
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ljju5cbnZy.bat"
        41⤵
        
        PID:2472
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        42⤵
        
        PID:1156
        
        C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe"
        42⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2424
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Zlmto9DLwM.bat"
        43⤵
        
        PID:1472
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        44⤵
        
        PID:1792
        
        C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe"
        44⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3064
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4NR89d4K3E.bat"
        45⤵
        
        PID:1276
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        46⤵
        
        PID:1944
        
        C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe"
        46⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2748
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SK7IuFDp7o.bat"
        47⤵
        
        PID:3024
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        48⤵
        
        PID:1148
        
        C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe"
        48⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2756
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ST975DOJvB.bat"
        49⤵
        
        PID:580
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        50⤵
        
        PID:2216
        
        C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe"
        50⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:980
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\p6CE4ikEee.bat"
        51⤵
        
        PID:2236
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        52⤵
        
        PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\blockportPerf\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\blockportPerf\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\blockportPerf\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0SbqORFfit.bat

Filesize
240B

MD5
68fa3ae5919a90b1e63c15cd82de3f53

SHA1
3dad9a3a3eca76a8b8c1d81e26c99d066b7b38d3

SHA256
cd2b2b4a1b1ddfa1b426eeb73caddcddfed5a8e72ce5382280e5d6c11392d1b2

SHA512
d3535bcf5e3d694d2581f7c96a1cfddea6dc6a5f2355156033627f02073270cd989a91654d63ca2a097047a2cb9b4321e8850c8cbd67d42b3ed86a841805e4a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1JZ2DT5CuV.bat

Filesize
240B

MD5
76daf4e98788d0551bb89038e8777159

SHA1
06f67aa861e39928d0ecec3e634c5b318d51ab0c

SHA256
e0553085b3005d8280fe920380fb3d0e88f3a486bebfa4e0b12e09845f169bfd

SHA512
64d8ba13f94d662fe3f94476b9e027aeccb2a40a11ac106017d080025368917481e84639b39733d1557ef0d05070b6349423fe74e64b6a24eb22de3881a1e379

Download Submit
C:\Users\Admin\AppData\Local\Temp\2Oj9OucH8K.bat

Filesize
240B

MD5
589539b6cb3a658b93d0037fb0e5a919

SHA1
fffd06eff64e49980ac48a93e4aedc5b71bcc15e

SHA256
fd241840e496279a39e69511045a0b4c42ab87ca98bcb2379f80af16b54e629e

SHA512
4980b81c409e7c74a7b9f53e6ac7c5da65a8495c1dde7dab137373a4d77d186c62c70edba65afd6fc4d897fd6d8fdf1aee40c2eb454abd473581a3efb8589822

Download Submit
C:\Users\Admin\AppData\Local\Temp\4NR89d4K3E.bat

Filesize
240B

MD5
4618744fef9252117d6343e6516e5ab0

SHA1
88eab69808eed1fab11c4e5a3cea54bd78e11483

SHA256
5ed62bc386106997ee105f11c9e1fbc19df76d9d369afa6956cebf99e027ffc8

SHA512
4b62951499ed4bfca554e49a29bda8df0ac6ac77ed1154fbcdaf114d54187aac4e761b128692f71ec485eaf643781a2e2a7893c942310f7e4161905b965c3a66

Download Submit
C:\Users\Admin\AppData\Local\Temp\BYj1kG62r9.bat

Filesize
240B

MD5
325fbeef1294ce57f4d2f802b20b2c88

SHA1
2080cd40386982ca8efe2fc813b2d486665d745d

SHA256
b2a3555e0fbba4a35442d6db11f738301d5ae7b5c9443a6ddf45a27557b75307

SHA512
2efed35bc5fe25cb0fecaa5039feeab3614dc2815a4ef89e8c4be4171e55b3670efa5cf7716ab8397cfbef9f04e53cf64790f77fb4ed03698aa07cfebe7b8751

Download Submit
C:\Users\Admin\AppData\Local\Temp\BikqvEHWfW.bat

Filesize
240B

MD5
ee51fe127b272e2226bbb096d5eb8f9d

SHA1
217ebecfae9c5d2be9936e9147c3d2094b03caf8

SHA256
c599b31e9efd75f840ca7683f0b426eae5ecbf683a568d8ce29ffde7c42b4ad1

SHA512
b5945159cedcbfcb741c6d50a2f545626f4fff506ff85f365621e60cac518f0498584b12ce217df701dcb60d93380bf453065fc48650e5be2bd0bd72d997fd79

Download Submit
C:\Users\Admin\AppData\Local\Temp\CPbxFudqw6.bat

Filesize
240B

MD5
5d2d9d0204a1adb82146353e6c0e19c1

SHA1
ab606bcb267eb1ab7ccf945a1e26cc49084647de

SHA256
ba6b18eab4142333a041042e3a3d786440d9cbdbe25ddef078b90f395078a8c7

SHA512
8b2afaef46074579a8fe1cb13c2d396e6fcd5af9265933588eeb7d47d5a2d23468534b8dfd345d45df4fbc77b750bc8ec557c5d00025d2586eedb6c065f66073

Download Submit
C:\Users\Admin\AppData\Local\Temp\EqBdbgL5Ji.bat

Filesize
240B

MD5
1a3c69160500a2bdc001a5db1116254e

SHA1
3d7f3b8135ad28e4c89433996fedabd0fdf7a675

SHA256
825851f31fe67ce81322227423c3851d489bb16b491b30ce0e3eb779e4ead2ba

SHA512
51e4c2b6855b1146a67a3a64fd7ab7158b4925d328ef1dc8fbe4be9ae24bcf493d6fe55d3cf3b2d8127ff182d0c7c365dd5890f394464a7a21c96ac9ede44128

Download Submit
C:\Users\Admin\AppData\Local\Temp\LezCHkPJzz.bat

Filesize
240B

MD5
2deaaf7e90e35c3b67dbccf0458a55ed

SHA1
0f519ff8aeca9db37a30319fb80990133ce4b795

SHA256
34d14aaa480cf877938efc693656262e58c59e67deb9b0946e76dc60c5f14f79

SHA512
4d0bfb38bb067c3e3c16dfc13a99cbde75618899b22f19f9b714522a539a3f27788c407ac2854a07dd7fa0efc436dc48246de3b4d66385d922e37d5a24dc81b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ljju5cbnZy.bat

Filesize
240B

MD5
4ea31ac6f35c8753c9ff7616b018818f

SHA1
515329ec88b22c923b3c0b3870e1b980b121bbcc

SHA256
490419bcfb64d805aefac519adfd2a1a17bb72dea3f87dbcac987181f126cf13

SHA512
dbe56f759eb884f89bb038389cff04b8ca0b08231150dd4fb6037f6dddaad6171a98bd063b5470b90ddfe730fb102dd6fc631c4346ef15f48cc2f427d3939d28

Download Submit
C:\Users\Admin\AppData\Local\Temp\MpmmxgpAh8.bat

Filesize
240B

MD5
304051d6753ca7bd9af923dfb82f5632

SHA1
dc5f9d4964bd1843aabce97b490532b807d27b80

SHA256
7512c8331f8a07a668bc34a64256acb32753ae586880d9a7c55816c6d32aec2a

SHA512
b80c931a9b4cd2fe9e4892da960601d3097df723dd43d7f51dccb3f36852de7672e9a59f3361c18b6eff255dcd6682eb88955dfa772e6e2375958161089a467e

Download Submit
C:\Users\Admin\AppData\Local\Temp\SK7IuFDp7o.bat

Filesize
240B

MD5
32cd75d7d15d84e6eebc1b20a4caebb7

SHA1
b2b6a5373134244387c2f0f30ae2b8fb186f1c4f

SHA256
a489303436695153e67728820ab7391682ca8b5257f76a197928d71ab7361dfa

SHA512
a4a931a90bef588f7f58ddfdd6f410388b9acf2a6b82c41b19ba4d09dfd127c53d583f2230838e52e8f6e87b1f8af4b97a1f00560948d7b08d6b18db82488dd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ST975DOJvB.bat

Filesize
240B

MD5
4ef173d9a7557694520f60f8cf8a5587

SHA1
c08b874e5bd9aeb8aa3833e22f41b62d7a471732

SHA256
9252695ad5f636bad9ad7420ad1643316399807016804b02b61a5d8b4d9b41ae

SHA512
d538c9c1991053f4e7505cde2ce6edc72d6dd096421871773495db7d786ad5e3e1cf6a9300c11b93e5a4eece1c3fa056adf31d15f068565bcc3b58b10ff614a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TdlfhXh7Yo.bat

Filesize
240B

MD5
0d20cf591e9743ae230340c9ebd8b110

SHA1
69b56b65e62ba95068c5932065ac31c058b75d3c

SHA256
2b478d97a6816e2425c8ac92d5f90e141be023127143f64f0e2f4a1a12c5c420

SHA512
1aa4a919f71c546e74f917fa006924b487fb220268a1f677a85ca5099db95c3a3a0aa4849c7b50279ed44c494d8bd3134348794e047790c6647f432b8a399f0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\UTkrWZWekQ.bat

Filesize
240B

MD5
d0b70d57a16575af4c404ff0066fabc8

SHA1
80f27ab500b258f618c12bff5f3226bcbadb8d24

SHA256
cc86417cbd3cb9da901776e6d5e90ac5cbec5c08e0d8f21eeef62c920689dc5b

SHA512
5955f0bada6d5306d100f0f4c75b25fef7db356a655c98bd2c36b3fb1c5fc3d6b9ff1e9e91691eb76c5bb19eaa16f3045c0ae68f00f7bf466079fc901874e14d

Download Submit
C:\Users\Admin\AppData\Local\Temp\VCTPXfsZqS.bat

Filesize
240B

MD5
b7e2512221cf34901910d50e9623082b

SHA1
b5eb49d9f45d24cd17a5531b82a64398668c7ec2

SHA256
5166bfe6091f8d3be81bb3e42a6333ad943d718ac73a5950d1bd5b7ca3568ed8

SHA512
bd069d54e2e84724b5d229f14225be44e75a5a536190f4aa115774706313e9908b6e0b9697cc35026e54fea1c3df637c7f8e1d0f3d5feabaac2fb6b77f555556

Download Submit
C:\Users\Admin\AppData\Local\Temp\X9PDuMdk3a.bat

Filesize
240B

MD5
1edad2a6faeeda8430ea136b5b53cfa8

SHA1
e3f870e83dd9983787a11f2d15bdde1e698f18d3

SHA256
1d9cc40ab65cd66662d25c54d7006fe1c18e10385cb4d1efa76597740936b717

SHA512
a28c1ad6110dd036bbce7e16ebcb8df523acdafc98d27cc5ed00f02911c55d9b25dae7fb5c94e0b6c39b2402bf0550fff430e0dd86bd6d4f4c8fc725516b5a3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZgKlNS7JdR.bat

Filesize
240B

MD5
070d4ecf0c883de7b334516bae99ea4d

SHA1
1a9ed7313d9f7b0d35c0e199315d154732f2e83d

SHA256
1df0a60f7cc38f50f0e3af4bf55aa422d389237b2a8d61ff0663b48de2dfdc38

SHA512
46df9acc56f3ba56669f201f8dbe68a752e561535591279d15ac715c73204ebf64e3049042053e4eb39ef1aaf388d18202406bdf85f8f0abb626fc9aba7e35ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zlmto9DLwM.bat

Filesize
240B

MD5
bbf8b3c6b9b4bb4408a481036f19f686

SHA1
64a202181037d2a2d2105e5178fad1cdf5599150

SHA256
b43e62b22d31f2de8fdf5ef5222395ea0f25264e0ef388006405d8c691991a5e

SHA512
7bf4ffe812ab9372b13f507cd4ebfde88242ea19c0398ba0e8d04f88d5a19470d86dd02f444be7ca4626f66987ed01a622b858e299384a58b379a565f85815b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\auWhjrprfd.bat

Filesize
240B

MD5
2aec8f3944e0ec2a76d6b8aad7b79b31

SHA1
12204d829ec101b0e6fa0e35bfc11f71ebbf298d

SHA256
ee892432e98099f58adda7f9912ae187e13ddd571ca83c70243642dad96a7c12

SHA512
6e7d3c8029cf6a767d918f9ca8b4c967667d63913f92dd44d434f67bcce2d05645e0fb54b1528cf10054746f98fca43d716146c9fe5f641d7e7d187987c149a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cwtcXGf4Cf.bat

Filesize
240B

MD5
ce1c350b00000b51dbda07a1c8071daa

SHA1
cd92871ca3a05dd651b7cac2cc61fa11977a6675

SHA256
8f3d03363752e762ba9b411ff9dd57a7a85f5972f21ac896c0078012eeea2dcd

SHA512
46de443006f6689e7c020c42034412eba53c8da6d5a9c75ea3dfd3d73e58b44fc86f5b3e02d335131ed135e4b9a2549c00f0548299c3b3cf3888cc8b895e7c7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\hANH4lx1y1.bat

Filesize
240B

MD5
bee384494469ab9b566f1b3f95e7855c

SHA1
4d1e91efb0c53b14d9114e078e20a8a39adc059d

SHA256
3b7ac2ed701a4f4e88680f06a0cee34c20ce81278b326629bd39697b09542da0

SHA512
fbaed0dabe1301fb2fb4382d092b62f01f8c125a212a1f662ca663027f12a5f5ae3c151e6e294bcf44c9a51338895d2e7611912d852f283c25416a08a1ad8e5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\hevtjRcN1r.bat

Filesize
240B

MD5
4bc0adc5e4b62f61a9ca4b8f231d2111

SHA1
c5d58a93e42631e0c2ce82acf970c6d4e4f2f92f

SHA256
f2ea508eb44603216894e77ce4bb91a8766fb17145ef712e81055eea14c81105

SHA512
9165ea29fbcacd1f50a82fa4d9e2e564fe73f3525d902d83b11f6d1a5f38326d69e3fa5a74dae9f6fd95432f524b5b64333d7f056e0bff8f69d81e9095859e33

Download Submit
C:\Users\Admin\AppData\Local\Temp\p6CE4ikEee.bat

Filesize
240B

MD5
d5868c2193b6e60a0f3a8bdcc482c9fd

SHA1
54c491d2d71a51f01029bd02e407521e4798bbd4

SHA256
fd2fca746daa8c9e969b6b74ac5ad1cbc1ec43788a2189f538534cd16abd114b

SHA512
3316900b35d8ccbb65d8f26fdae04a3b62958cffa4f1d103f703922545599f7550445ae8931dc606e91ca51a21ef3559fe89d315421cfabdf11123ec53e48ca5

Download Submit
C:\blockportPerf\8NgAaSzS.bat

Filesize
33B

MD5
129edcab253879180520a89894a75a65

SHA1
0757b18d5ac0e84303aefbf6873fee3f986008af

SHA256
589907f4666f0ef1c2be88ce6ecf69ba91aa109d9e7f02563e3f8d49e5b38c7a

SHA512
87417310af71b5bac41f744c438c89a14add86ad2dbcc92af1c56ebc77c1b427b78bce9fd5bbe3a7149d39b4a551cd2c7f3027841684cb41f120c98a756cc3cf

Download Submit
C:\blockportPerf\xzo2bGgmPslNl7slz3g.vbe

Filesize
198B

MD5
be713fe492452bddabb6fb4bde0296f5

SHA1
b28b6b2c6efe00e6c81dd684248d4113e982308c

SHA256
d5242705fd1f4f9f43d7e27c99a099053e5c17179ad5be934c8b4d8962990b68

SHA512
25af67b34aca8ee054727f1715ae00a6a3c5fc0dcdee98baf283463e3ecc016548688e36f7e277671487bdc64c63773c5e9695935b18e127081d8cdd45298344

Download Submit
\blockportPerf\msHyperwin.exe

Filesize
828KB

MD5
eb50118d9bc9039a4621a53c99f7cba6

SHA1
60e0072e6d2da16d798115051c78b39d0b612da4

SHA256
0bf3dd8cbac480d92c5a0dc3e57d4fc3dcc39e728a35706d6c01ef5b6d194bfa

SHA512
d40f27a12cb4c3ca3beca7cbf4b51e178ab779841494fb755e0d609656fbd0782fc41313ec6956dcfc754a0ee7b43456f7b95a334372020081be868d82f0a552

Download Submit
memory/980-97-0x0000000001270000-0x0000000001346000-memory.dmp

Filesize
856KB

Download
memory/1148-90-0x0000000000320000-0x00000000003F6000-memory.dmp

Filesize
856KB

Download
memory/1280-116-0x0000000000350000-0x0000000000426000-memory.dmp

Filesize
856KB

Download
memory/1620-130-0x00000000003E0000-0x00000000004B6000-memory.dmp

Filesize
856KB

Download
memory/1636-47-0x0000000001390000-0x0000000001466000-memory.dmp

Filesize
856KB

Download
memory/1668-123-0x0000000000890000-0x0000000000966000-memory.dmp

Filesize
856KB

Download
memory/2032-13-0x0000000000CB0000-0x0000000000D86000-memory.dmp

Filesize
856KB

Download
memory/2148-40-0x0000000000B50000-0x0000000000C26000-memory.dmp

Filesize
856KB

Download
memory/2332-27-0x0000000000A60000-0x0000000000B36000-memory.dmp

Filesize
856KB

Download
memory/2828-137-0x0000000001370000-0x0000000001446000-memory.dmp

Filesize
856KB

Download