dcrat | da55b07483858fc038855e7aa1290036419f9dadb362c510951d20385106584d

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01-02-2025 21:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

da55b07483858fc038855e7aa1290036419f9dadb362c510951d20385106584dN.exe
Size

1.2MB
MD5

93beba30961d66c4bf317a91e2ceab60
SHA1

5c394cf0254b1eebb9a978556ce6d94f8fced169
SHA256

da55b07483858fc038855e7aa1290036419f9dadb362c510951d20385106584d
SHA512

9a7ed86f099c7ab52357cc846e3d872bf4e9f33e3792e16395200e1c4cc9e0b491a94eb45430c202da50a4f2bdb23f0d7d2bcaa4aefe735996462f9789a0ae7d
SSDEEP

24576:O2G/nvxW3WY3h0KomE5c7JtTE/TWsO8Mxj:ObA3x3GKCuP3AMp

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	2532	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	2532	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	2532	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	576	2532	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	2532	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	2532	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	2532	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2532	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	2532	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	988	2532	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1164	2532	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1104	2532	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1512	2532	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1896	2532	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1888	2532	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1908	2532	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	2532	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	2532	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1028	2532	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	564	2532	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2396	2532	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	2532	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	2532	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	2532	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	2532	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	2532	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	2532	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	2532	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	2532	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1084	2532	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	2532	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	2532	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	944	2532	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	2532	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	2532	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1388	2532	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	768	2532	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	380	2532	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	900	2532	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2236	2532	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	2532	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	2532	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	2532	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	2532	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	2532	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	2532	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	2532	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	2532	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2532	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	2532	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	2532	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	2532	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1556	2532	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	2532	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	2532	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2532	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2532	schtasks.exe	33

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00080000000174a6-12.dat	dcrat
behavioral1/memory/2980-13-0x0000000000980000-0x0000000000A56000-memory.dmp	dcrat
behavioral1/memory/320-59-0x0000000000960000-0x0000000000A36000-memory.dmp	dcrat
behavioral1/memory/2220-66-0x0000000001100000-0x00000000011D6000-memory.dmp	dcrat
behavioral1/memory/2508-103-0x00000000011B0000-0x0000000001286000-memory.dmp	dcrat
behavioral1/memory/2624-110-0x0000000000110000-0x00000000001E6000-memory.dmp	dcrat
behavioral1/memory/1212-117-0x0000000001090000-0x0000000001166000-memory.dmp	dcrat
behavioral1/memory/2492-124-0x0000000000240000-0x0000000000316000-memory.dmp	dcrat
behavioral1/memory/1440-131-0x0000000000EE0000-0x0000000000FB6000-memory.dmp	dcrat
behavioral1/memory/2176-156-0x0000000001120000-0x00000000011F6000-memory.dmp	dcrat
behavioral1/memory/2528-181-0x0000000001150000-0x0000000001226000-memory.dmp	dcrat

Executes dropped EXE 22 IoCs

pid	Process
2980	msHyperwin.exe
320	wininit.exe
2220	wininit.exe
988	wininit.exe
2308	wininit.exe
1328	wininit.exe
2388	wininit.exe
2940	wininit.exe
2508	wininit.exe
2624	wininit.exe
1212	wininit.exe
2492	wininit.exe
1440	wininit.exe
2888	wininit.exe
792	wininit.exe
2268	wininit.exe
2176	wininit.exe
2044	wininit.exe
2672	wininit.exe
2588	wininit.exe
2528	wininit.exe
2480	wininit.exe

Loads dropped DLL 2 IoCs

pid	Process
2632	cmd.exe
2632	cmd.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\msHyperwin.exe	msHyperwin.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\Idle.exe	msHyperwin.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\6ccacd8608530f	msHyperwin.exe
File created	C:\Program Files (x86)\Windows Portable Devices\taskhost.exe	msHyperwin.exe
File created	C:\Program Files\Microsoft Games\FreeCell\fr-FR\csrss.exe	msHyperwin.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\msHyperwin.exe	msHyperwin.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\35fa05764b5d3f	msHyperwin.exe
File created	C:\Program Files (x86)\Windows Portable Devices\b75386f1303e64	msHyperwin.exe
File created	C:\Program Files\Google\Chrome\35fa05764b5d3f	msHyperwin.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\smss.exe	msHyperwin.exe
File created	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\audiodg.exe	msHyperwin.exe
File created	C:\Program Files\Microsoft Games\FreeCell\fr-FR\886983d96e3d3e	msHyperwin.exe
File created	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\42af1c969fbb7b	msHyperwin.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\69ddcba757bf72	msHyperwin.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\fr-FR\csrss.exe	msHyperwin.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Performance\WinSAT\conhost.exe	msHyperwin.exe
File created	C:\Windows\Performance\WinSAT\088424020bedd6	msHyperwin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	da55b07483858fc038855e7aa1290036419f9dadb362c510951d20385106584dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2568	schtasks.exe
988	schtasks.exe
1028	schtasks.exe
944	schtasks.exe
2868	schtasks.exe
1944	schtasks.exe
576	schtasks.exe
2776	schtasks.exe
1888	schtasks.exe
2164	schtasks.exe
2456	schtasks.exe
2236	schtasks.exe
1620	schtasks.exe
2648	schtasks.exe
2880	schtasks.exe
2036	schtasks.exe
3004	schtasks.exe
2628	schtasks.exe
1512	schtasks.exe
2640	schtasks.exe
2328	schtasks.exe
1164	schtasks.exe
2076	schtasks.exe
2396	schtasks.exe
3056	schtasks.exe
1556	schtasks.exe
1688	schtasks.exe
1684	schtasks.exe
1908	schtasks.exe
2472	schtasks.exe
1604	schtasks.exe
1084	schtasks.exe
768	schtasks.exe
2028	schtasks.exe
1704	schtasks.exe
564	schtasks.exe
2848	schtasks.exe
2032	schtasks.exe
1104	schtasks.exe
1388	schtasks.exe
2512	schtasks.exe
1640	schtasks.exe
2088	schtasks.exe
2688	schtasks.exe
1668	schtasks.exe
1532	schtasks.exe
1752	schtasks.exe
2908	schtasks.exe
1896	schtasks.exe
3044	schtasks.exe
2716	schtasks.exe
1812	schtasks.exe
3048	schtasks.exe
1596	schtasks.exe
2860	schtasks.exe
380	schtasks.exe
900	schtasks.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2980	msHyperwin.exe
2980	msHyperwin.exe
2980	msHyperwin.exe
320	wininit.exe
2220	wininit.exe
988	wininit.exe
2308	wininit.exe
1328	wininit.exe
2388	wininit.exe
2940	wininit.exe
2508	wininit.exe
2624	wininit.exe
1212	wininit.exe
2492	wininit.exe
1440	wininit.exe
2888	wininit.exe
792	wininit.exe
2268	wininit.exe
2176	wininit.exe
2044	wininit.exe
2672	wininit.exe
2588	wininit.exe
2528	wininit.exe
2480	wininit.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	2980	msHyperwin.exe
Token: SeDebugPrivilege	320	wininit.exe
Token: SeDebugPrivilege	2220	wininit.exe
Token: SeDebugPrivilege	988	wininit.exe
Token: SeDebugPrivilege	2308	wininit.exe
Token: SeDebugPrivilege	1328	wininit.exe
Token: SeDebugPrivilege	2388	wininit.exe
Token: SeDebugPrivilege	2940	wininit.exe
Token: SeDebugPrivilege	2508	wininit.exe
Token: SeDebugPrivilege	2624	wininit.exe
Token: SeDebugPrivilege	1212	wininit.exe
Token: SeDebugPrivilege	2492	wininit.exe
Token: SeDebugPrivilege	1440	wininit.exe
Token: SeDebugPrivilege	2888	wininit.exe
Token: SeDebugPrivilege	792	wininit.exe
Token: SeDebugPrivilege	2268	wininit.exe
Token: SeDebugPrivilege	2176	wininit.exe
Token: SeDebugPrivilege	2044	wininit.exe
Token: SeDebugPrivilege	2672	wininit.exe
Token: SeDebugPrivilege	2588	wininit.exe
Token: SeDebugPrivilege	2528	wininit.exe
Token: SeDebugPrivilege	2480	wininit.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1560 wrote to memory of 2660	1560	da55b07483858fc038855e7aa1290036419f9dadb362c510951d20385106584dN.exe	29
PID 1560 wrote to memory of 2660	1560	da55b07483858fc038855e7aa1290036419f9dadb362c510951d20385106584dN.exe	29
PID 1560 wrote to memory of 2660	1560	da55b07483858fc038855e7aa1290036419f9dadb362c510951d20385106584dN.exe	29
PID 1560 wrote to memory of 2660	1560	da55b07483858fc038855e7aa1290036419f9dadb362c510951d20385106584dN.exe	29
PID 2660 wrote to memory of 2632	2660	WScript.exe	30
PID 2660 wrote to memory of 2632	2660	WScript.exe	30
PID 2660 wrote to memory of 2632	2660	WScript.exe	30
PID 2660 wrote to memory of 2632	2660	WScript.exe	30
PID 2632 wrote to memory of 2980	2632	cmd.exe	32
PID 2632 wrote to memory of 2980	2632	cmd.exe	32
PID 2632 wrote to memory of 2980	2632	cmd.exe	32
PID 2632 wrote to memory of 2980	2632	cmd.exe	32
PID 2980 wrote to memory of 2556	2980	msHyperwin.exe	91
PID 2980 wrote to memory of 2556	2980	msHyperwin.exe	91
PID 2980 wrote to memory of 2556	2980	msHyperwin.exe	91
PID 2556 wrote to memory of 1676	2556	cmd.exe	93
PID 2556 wrote to memory of 1676	2556	cmd.exe	93
PID 2556 wrote to memory of 1676	2556	cmd.exe	93
PID 2556 wrote to memory of 320	2556	cmd.exe	94
PID 2556 wrote to memory of 320	2556	cmd.exe	94
PID 2556 wrote to memory of 320	2556	cmd.exe	94
PID 320 wrote to memory of 1696	320	wininit.exe	95
PID 320 wrote to memory of 1696	320	wininit.exe	95
PID 320 wrote to memory of 1696	320	wininit.exe	95
PID 1696 wrote to memory of 600	1696	cmd.exe	97
PID 1696 wrote to memory of 600	1696	cmd.exe	97
PID 1696 wrote to memory of 600	1696	cmd.exe	97
PID 1696 wrote to memory of 2220	1696	cmd.exe	98
PID 1696 wrote to memory of 2220	1696	cmd.exe	98
PID 1696 wrote to memory of 2220	1696	cmd.exe	98
PID 2220 wrote to memory of 560	2220	wininit.exe	99
PID 2220 wrote to memory of 560	2220	wininit.exe	99
PID 2220 wrote to memory of 560	2220	wininit.exe	99
PID 560 wrote to memory of 2152	560	cmd.exe	101
PID 560 wrote to memory of 2152	560	cmd.exe	101
PID 560 wrote to memory of 2152	560	cmd.exe	101
PID 560 wrote to memory of 988	560	cmd.exe	102
PID 560 wrote to memory of 988	560	cmd.exe	102
PID 560 wrote to memory of 988	560	cmd.exe	102
PID 988 wrote to memory of 3068	988	wininit.exe	103
PID 988 wrote to memory of 3068	988	wininit.exe	103
PID 988 wrote to memory of 3068	988	wininit.exe	103
PID 3068 wrote to memory of 792	3068	cmd.exe	105
PID 3068 wrote to memory of 792	3068	cmd.exe	105
PID 3068 wrote to memory of 792	3068	cmd.exe	105
PID 3068 wrote to memory of 2308	3068	cmd.exe	106
PID 3068 wrote to memory of 2308	3068	cmd.exe	106
PID 3068 wrote to memory of 2308	3068	cmd.exe	106
PID 2308 wrote to memory of 1748	2308	wininit.exe	107
PID 2308 wrote to memory of 1748	2308	wininit.exe	107
PID 2308 wrote to memory of 1748	2308	wininit.exe	107
PID 1748 wrote to memory of 3060	1748	cmd.exe	109
PID 1748 wrote to memory of 3060	1748	cmd.exe	109
PID 1748 wrote to memory of 3060	1748	cmd.exe	109
PID 1748 wrote to memory of 1328	1748	cmd.exe	110
PID 1748 wrote to memory of 1328	1748	cmd.exe	110
PID 1748 wrote to memory of 1328	1748	cmd.exe	110
PID 1328 wrote to memory of 2068	1328	wininit.exe	111
PID 1328 wrote to memory of 2068	1328	wininit.exe	111
PID 1328 wrote to memory of 2068	1328	wininit.exe	111
PID 2068 wrote to memory of 1972	2068	cmd.exe	113
PID 2068 wrote to memory of 1972	2068	cmd.exe	113
PID 2068 wrote to memory of 1972	2068	cmd.exe	113
PID 2068 wrote to memory of 2388	2068	cmd.exe	114

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\da55b07483858fc038855e7aa1290036419f9dadb362c510951d20385106584dN.exe
"C:\Users\Admin\AppData\Local\Temp\da55b07483858fc038855e7aa1290036419f9dadb362c510951d20385106584dN.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1560
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\blockportPerf\xzo2bGgmPslNl7slz3g.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2660
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\blockportPerf\8NgAaSzS.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2632
  - - C:\blockportPerf\msHyperwin.exe
      "C:\blockportPerf\msHyperwin.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2980
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eFo8xWVj9t.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2556
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1676
      - C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\wininit.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\wininit.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:320
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KVYyjDtEXm.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1696
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:600
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\wininit.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\wininit.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2220
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\m1RNSv4oba.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:560
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2152
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\wininit.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\wininit.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:988
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\z6HXYUNDfk.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:3068
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:792
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\wininit.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\wininit.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2308
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RjWoOVK6wo.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:1748
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:3060
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\wininit.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\wininit.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1328
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GsZYO5BIqk.bat"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:2068
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1972
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\wininit.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\wininit.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2388
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PliZKNaLvF.bat"
        17⤵
        
        PID:2924
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:872
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\wininit.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\wininit.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2940
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CIMKRyAEqW.bat"
        19⤵
        
        PID:912
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2828
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\wininit.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\wininit.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2508
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lcLsEvVTrf.bat"
        21⤵
        
        PID:2512
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2212
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\wininit.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\wininit.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2624
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YwiSfj46e4.bat"
        23⤵
        
        PID:2720
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2528
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\wininit.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\wininit.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1212
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3jGxsc69Nm.bat"
        25⤵
        
        PID:2808
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:976
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\wininit.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\wininit.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2492
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\b9aNmsEibB.bat"
        27⤵
        
        PID:2936
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:1504
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\wininit.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\wininit.exe"
        28⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1440
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TEfATY8not.bat"
        29⤵
        
        PID:2220
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        30⤵
        
        PID:2016
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\wininit.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\wininit.exe"
        30⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2888
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eNTIt1NKYH.bat"
        31⤵
        
        PID:1616
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        32⤵
        
        PID:988
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\wininit.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\wininit.exe"
        32⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:792
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8pOjIocmws.bat"
        33⤵
        
        PID:836
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        34⤵
        
        PID:1384
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\wininit.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\wininit.exe"
        34⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2268
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\v9lJjcBPjH.bat"
        35⤵
        
        PID:1944
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        36⤵
        
        PID:1884
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\wininit.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\wininit.exe"
        36⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2176
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6raUEgr1vJ.bat"
        37⤵
        
        PID:2076
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        38⤵
        
        PID:1600
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\wininit.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\wininit.exe"
        38⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2044
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J2mXRZwkCj.bat"
        39⤵
        
        PID:2736
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        40⤵
        
        PID:1864
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\wininit.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\wininit.exe"
        40⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2672
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\B7rL9EqqPR.bat"
        41⤵
        
        PID:2664
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        42⤵
        
        PID:2000
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\wininit.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\wininit.exe"
        42⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2588
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Rn5V8mQYRH.bat"
        43⤵
        
        PID:2616
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        44⤵
        
        PID:1580
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\wininit.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\wininit.exe"
        44⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2528
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ELjGFNzRMY.bat"
        45⤵
        
        PID:2236
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        46⤵
        
        PID:2036
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\wininit.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\wininit.exe"
        46⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2480
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gyyX5OxKdc.bat"
        47⤵
        
        PID:2620
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        48⤵
        
        PID:2100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Games\FreeCell\fr-FR\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\FreeCell\fr-FR\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Games\FreeCell\fr-FR\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\blockportPerf\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\blockportPerf\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\blockportPerf\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\blockportPerf\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\blockportPerf\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\blockportPerf\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msHyperwinm" /sc MINUTE /mo 6 /tr "'C:\Program Files\Google\Chrome\msHyperwin.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msHyperwin" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\msHyperwin.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msHyperwinm" /sc MINUTE /mo 5 /tr "'C:\Program Files\Google\Chrome\msHyperwin.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Windows\Performance\WinSAT\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Windows\Performance\WinSAT\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\blockportPerf\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\blockportPerf\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\blockportPerf\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Templates\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\All Users\Templates\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Templates\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office\Office14\1033\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office\Office14\1033\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msHyperwinm" /sc MINUTE /mo 14 /tr "'C:\Program Files\Mozilla Firefox\browser\features\msHyperwin.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msHyperwin" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\browser\features\msHyperwin.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msHyperwinm" /sc MINUTE /mo 9 /tr "'C:\Program Files\Mozilla Firefox\browser\features\msHyperwin.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3jGxsc69Nm.bat

Filesize
225B

MD5
f97f795edfe1e0aeb100b59bff5eb171

SHA1
5805ed5506ce863219db2468bebe640f2d3c0ccf

SHA256
7a93ed44100e5e0b02227445dcf8e38e5211adad8ccb6da5c9f824a3aa51ca36

SHA512
03a414ced4944992a1b20812604e82babe2ed385f86a945a8e02020709f8e52241756f9850015b72e45d5ef2adbb55d3fea0f1cde4528cde6dc61e76a28a6eb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\6raUEgr1vJ.bat

Filesize
225B

MD5
d6f0eb7193a31f21d55201103e35ffe9

SHA1
39117f671b2c79e600bdb0eed2d77db08be14acd

SHA256
68fcf3a5c801fab9fb33cca718f563fcf836dd4b4d20c33608462688e8a7506c

SHA512
6534023e96b273706ad4adc59eb96fcb33875b56b12c1101a62a93e5c3affad9c42cb429b52cc6c7836499a3780d9639c27733067e6b2c78a36691c503deceda

Download Submit
C:\Users\Admin\AppData\Local\Temp\8pOjIocmws.bat

Filesize
225B

MD5
14bb423d9e9b0aa0b1f9ad62a291fae5

SHA1
7f6ac5ce9357a437a26f9e798a8d38b253946fce

SHA256
6a12a1d96ca52b1fe8bf867b9bbd20bf1b92c7bb087570372caf800e1a2ba906

SHA512
a686e3c37da3e1acdbc4cff8acc3fb46085fc7eeba679c1586657198768b7bdee06a002f52111183123370e7e7634d7d324f6d6ef8c61cf3ed7cfa29e9591a15

Download Submit
C:\Users\Admin\AppData\Local\Temp\B7rL9EqqPR.bat

Filesize
225B

MD5
5391f1f2177e822badbd1245694b1d2b

SHA1
21574055c2e8df98dc595959e6d56a3003e37a67

SHA256
ece695c103d92cef07313820a82041ddc34fec0c619cc2cef28963318da23d17

SHA512
26f49b39bb1ef457c9f5e42f95b7facbf0c95871703062ff653fcf18adb77f1d9700d05c15323d01675ac336e49aa137d81cf07c077977fc9c23fdb33fac2178

Download Submit
C:\Users\Admin\AppData\Local\Temp\CIMKRyAEqW.bat

Filesize
225B

MD5
659a4f781a28fd8ff9953dbc43a22268

SHA1
bc7c7a24f106a11546a9396fac9f0c169f01c7b8

SHA256
c91339222d5e4c6e412f99c63ce9452333557271e0b340858597ba429d359b4e

SHA512
e683c4310cc3301fd27463b8f47693f4d369ee37bce19467aa4b5dcd5606bcbb84b6d3f1cc6dd0942384d98b4cd07e07fa0e41b0d6aa0a0af5c4ed3c40804583

Download Submit
C:\Users\Admin\AppData\Local\Temp\ELjGFNzRMY.bat

Filesize
225B

MD5
4225e3f2bea4c6e9ad0e82a55713fd00

SHA1
f0af2fe869690bb174b182b013b748dfc4937805

SHA256
1e4ca28527971fcef0bae2414704577773b068f50b4f6f4ff9febc332203585f

SHA512
4d212744d474cbc214d79a7b0e1fdff24c43ba461e792decff7f19c72dd965682b955fb1717f9fcc2ed1eb1947f04e7a4cfbc4313b3d489bf03d7d46bdb14f10

Download Submit
C:\Users\Admin\AppData\Local\Temp\GsZYO5BIqk.bat

Filesize
225B

MD5
e5a3bb75b19daba77b350e376c9ffc77

SHA1
96ae4274a629ee5ab0364160beca4a399c01f2ea

SHA256
a38df095147ebef7e3d165951923105364c79466726e6f97917a75a6d7d5b6c9

SHA512
bb3b98267fe74ee8fa945d315f6e2fdeeaa0bd87739e6fd1940da23f64591b74dead899b0a83556b5294b4bcb1078cbb4a1ec8f73d70f49eace258a18258ea89

Download Submit
C:\Users\Admin\AppData\Local\Temp\J2mXRZwkCj.bat

Filesize
225B

MD5
c40f3d50804f97bbd71515bb46d1e999

SHA1
3fc48970358a203b479094576caa3a8c1283f216

SHA256
a08f95b5230146d16d1f87e1f43704709463f40fe291c6f0549e3739067d467b

SHA512
7a0675a7d445c8b7e70ef756a03a7792c22735f75e70c63db8042ad01e8711dbebdd8bd99e6502ea3b499cbd257421ddef7a239b3a2e08be2b91722a733b6567

Download Submit
C:\Users\Admin\AppData\Local\Temp\KVYyjDtEXm.bat

Filesize
225B

MD5
c189db3e6fc43b5fbbcf7984ea6d6661

SHA1
b3389eace272732a17c8bb29f3eadd3fdddf1c25

SHA256
77bf35b2f7bbe2a59003fe27397b9017cc6d7037148b3e50155b0e4906fd7a4a

SHA512
1e566fbd7e346bb1b3ff5a94f9e76249aae178b655cfb92633b43de0e5801df6b89c76c294fd43d5fa93bc4e4e2f8e04775a9c22c5d822b4b9a2c277ee5c50d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\PliZKNaLvF.bat

Filesize
225B

MD5
7fbc81b29ffd7ee81dc348c336de61f5

SHA1
59a09cd12849f1b746b681eb2315aef51248602d

SHA256
902739bd2b7ae3ecf09dfa5a2103bfc26906286be5dd271a42be363df3c7c50e

SHA512
1e1accdf7dcd90060263670ef604c43d63b098747eabb6260da4cb5212eb5afccc379dd78a1184de1f1ef4c32fd9ff68a1af5ea2e80fe58a78dd84582687240a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RjWoOVK6wo.bat

Filesize
225B

MD5
45703b6f6ad370d4569cb430f81409bb

SHA1
c7b2e0e2e3c46f3bcf1641a916df002f26ba102c

SHA256
c1f54fb7519001d2dae55f16a9cc7dc8fe595b04df7896dd25360bbfdfbc4b64

SHA512
43f8a63e4f8f7094b3ed670ad96d77761f774e0e075f0ae539a41e97eb757b4bb13787ada8759477942e2e0aaec859fda8765e867e65d57a259c5cc6d34a0bce

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rn5V8mQYRH.bat

Filesize
225B

MD5
d24d3c7960dcd17fe1a58adcc113cc50

SHA1
ac1b72da15818f94f892fc46137bea1412cf5de5

SHA256
b1891d1a1a7b0c1b1349c55bf0d6b99cccd3eb4fb61e8a0d0b22f12c1e0a15a2

SHA512
e0675383f139da9735ac4dfa10deea2621f1f114d49c021d8ff3c0534bff5b18b9dec9ec9d2a3515621a0f7c8d3dcf9eeb245b084ce47a6246c8fc0b28385c33

Download Submit
C:\Users\Admin\AppData\Local\Temp\TEfATY8not.bat

Filesize
225B

MD5
a78a40e5bb165c03923912ddb91bda8c

SHA1
c705ceb8a641b4ce9285ecd4b1026df9cfbf3cb9

SHA256
95440e2ee3c57596739b488dbdcfba555d318cf8ddac88b6412d7226c7906b95

SHA512
4b898d3bd43902aefbe7594728143dd2d282a780b6850def0c8a8c6a64fb2d118ab9bff1f801d537b871d6c72be1a56b52c9b4ebcf6cdecaa3f5faa78981abb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\YwiSfj46e4.bat

Filesize
225B

MD5
c3f74ac67c6877186bb79287eff3d20a

SHA1
288752c25fda1fe517fa7c8f7788b155861ca6f8

SHA256
cc36d90b01aa99f85a33dfb5abf0910bb68215c2c21de478414fada19da81126

SHA512
6ea913c41827597cb0f5a24cc44b5ccdbf827a5e02237d868c6b6f39403f6bf2e983eaa976a228478805d77368bd53fb00821002760536bd86f422d19d9800d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\b9aNmsEibB.bat

Filesize
225B

MD5
2e7ed72fccb63c3f93e295e92e964847

SHA1
b55ff7445f0806d6838d7b04e3e4915c94f3662b

SHA256
c793fb1214f006da6a0ae402ab1586df14e11b1e2e0a05b781c52fe043c47af7

SHA512
a5dec9d0a2e5fad0c2af01158c380d2d32976b0680b019bc1cea6efbe18477f69af39366008005e48be437cf25e6196eef343f21287ee3077ac83c3398ed74ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\eFo8xWVj9t.bat

Filesize
225B

MD5
8160ada2fe112f2932de91a0199d28e5

SHA1
1702c776b07d842508f9a916d1c880a4badb8488

SHA256
667379a55a06d5a5b5fc8b9602284ab503c580e2383495495e3e7ab2cc81c82e

SHA512
345b23963e1c362a908e440e49810411f91716f701582d91ff98c7a8514b567064a4a26965a6885fc0cc37f1c6ec9680e6334aa81cb92bc59a22940e75d2e630

Download Submit
C:\Users\Admin\AppData\Local\Temp\eNTIt1NKYH.bat

Filesize
225B

MD5
210e5f0a8bb628edfc55e5988037a369

SHA1
60fcc7fe5b4a34d9ffbd9a268223b0dc4b68766a

SHA256
41c925397eb8121c4d883024d4aea304a590bdba8245fcea305be4ea592788c0

SHA512
98c32d7330d59c6436d3fb65ac2f17896993fbbddf83a0252989347e48cd3f815de4a2a80f6747e5514fe324972b20a461c6bfd325ebcfd1f41377cb613e9ec5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gyyX5OxKdc.bat

Filesize
225B

MD5
4356bbff53d0fe73935c6c40a237a087

SHA1
d6e953d2f57dc15e9ac34adca1cfb83dcf6faccb

SHA256
bccbf373c7f5c9255e099de13ec5583adcc106940891fbc877936fa8efa001b9

SHA512
7e1ac129ac09ede16c2e979aef3c82681d3e7fa958c2faac4e5eaa97058f8a2ef720be87aa093aafdff8f5745e15456ea3a084235529022020ce34ad4ae0e3d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\lcLsEvVTrf.bat

Filesize
225B

MD5
d8bbb4eb4dc3c4e00efc8c3ca86ebe35

SHA1
c734419bcf1b660e8824d7beae6708f7167f2858

SHA256
b81f78be9cdf03bf2f9a637fa9e08c5307b1b9a47f40c8b29f3907bbae6635c9

SHA512
51989e8180fc64ecac03169b207f3d59b7dc8701323ce4e7217dbc4be30d27aa46c7b77fa5d7195f5fb1173aac1132e04001085290cbf34826ed9bb2a2401c28

Download Submit
C:\Users\Admin\AppData\Local\Temp\m1RNSv4oba.bat

Filesize
225B

MD5
dc1c2a796d4b889a513f99f597975780

SHA1
0cf409f04396d08fdcd7e4137c33b58356f75f31

SHA256
e3d05254772356a478ffd157c012bdfcb2dc5fe032bdc111fdad73ae15ca7c2d

SHA512
f0525f186f65dcdda8783181cd58e41e871c9641d820ad425372b5a59b74037a76f306df6d3ecdfe11a943f030c481c671dd191424051a7a71d2f34f4663298c

Download Submit
C:\Users\Admin\AppData\Local\Temp\v9lJjcBPjH.bat

Filesize
225B

MD5
1ee847347ad63638cf32e6a5417924c0

SHA1
8f372222556cc997f0a87beaa94c761344800689

SHA256
4a9c62175f5cee7c273bb10f26b97371a4446c1bed9230576f9e3141d47d8d1b

SHA512
72a2e3dc9537eda47267e5fe6b26b89361f1696951bba5cba49d4c99872b84b990cb6e775ac92e32f30e73a1e8434cdf91a6691bd25bfc3871b19f0187fdf6ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\z6HXYUNDfk.bat

Filesize
225B

MD5
00e4516f639fdda901937d10b931bd99

SHA1
8d099a0c164d16c0cbe29447e7061bece4df4163

SHA256
3e3d8ac30aa1a85f0ff41f12a64a6216d196318de7b03e80aa2338afc3310e84

SHA512
822ae25fca5bf2fc6f35361ea6ebcd5052cd6eed20d8aaaef92d64f1feeca49dfe4cc9923fa4faa8edead43b86a652654894a9320b575b15d4d59e8acabca2e5

Download Submit
C:\blockportPerf\8NgAaSzS.bat

Filesize
33B

MD5
129edcab253879180520a89894a75a65

SHA1
0757b18d5ac0e84303aefbf6873fee3f986008af

SHA256
589907f4666f0ef1c2be88ce6ecf69ba91aa109d9e7f02563e3f8d49e5b38c7a

SHA512
87417310af71b5bac41f744c438c89a14add86ad2dbcc92af1c56ebc77c1b427b78bce9fd5bbe3a7149d39b4a551cd2c7f3027841684cb41f120c98a756cc3cf

Download Submit
C:\blockportPerf\msHyperwin.exe

Filesize
828KB

MD5
eb50118d9bc9039a4621a53c99f7cba6

SHA1
60e0072e6d2da16d798115051c78b39d0b612da4

SHA256
0bf3dd8cbac480d92c5a0dc3e57d4fc3dcc39e728a35706d6c01ef5b6d194bfa

SHA512
d40f27a12cb4c3ca3beca7cbf4b51e178ab779841494fb755e0d609656fbd0782fc41313ec6956dcfc754a0ee7b43456f7b95a334372020081be868d82f0a552

Download Submit
C:\blockportPerf\xzo2bGgmPslNl7slz3g.vbe

Filesize
198B

MD5
be713fe492452bddabb6fb4bde0296f5

SHA1
b28b6b2c6efe00e6c81dd684248d4113e982308c

SHA256
d5242705fd1f4f9f43d7e27c99a099053e5c17179ad5be934c8b4d8962990b68

SHA512
25af67b34aca8ee054727f1715ae00a6a3c5fc0dcdee98baf283463e3ecc016548688e36f7e277671487bdc64c63773c5e9695935b18e127081d8cdd45298344

Download Submit
memory/320-59-0x0000000000960000-0x0000000000A36000-memory.dmp

Filesize
856KB

Download
memory/1212-117-0x0000000001090000-0x0000000001166000-memory.dmp

Filesize
856KB

Download
memory/1440-131-0x0000000000EE0000-0x0000000000FB6000-memory.dmp

Filesize
856KB

Download
memory/2176-156-0x0000000001120000-0x00000000011F6000-memory.dmp

Filesize
856KB

Download
memory/2220-66-0x0000000001100000-0x00000000011D6000-memory.dmp

Filesize
856KB

Download
memory/2492-124-0x0000000000240000-0x0000000000316000-memory.dmp

Filesize
856KB

Download
memory/2508-103-0x00000000011B0000-0x0000000001286000-memory.dmp

Filesize
856KB

Download
memory/2528-181-0x0000000001150000-0x0000000001226000-memory.dmp

Filesize
856KB

Download
memory/2624-110-0x0000000000110000-0x00000000001E6000-memory.dmp

Filesize
856KB

Download
memory/2980-13-0x0000000000980000-0x0000000000A56000-memory.dmp

Filesize
856KB

Download