dcrat | da55b07483858fc038855e7aa1290036419f9dadb362c510951d20385106584d

Analysis

max time kernel
116s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
01-02-2025 21:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

da55b07483858fc038855e7aa1290036419f9dadb362c510951d20385106584dN.exe
Size

1.2MB
MD5

93beba30961d66c4bf317a91e2ceab60
SHA1

5c394cf0254b1eebb9a978556ce6d94f8fced169
SHA256

da55b07483858fc038855e7aa1290036419f9dadb362c510951d20385106584d
SHA512

9a7ed86f099c7ab52357cc846e3d872bf4e9f33e3792e16395200e1c4cc9e0b491a94eb45430c202da50a4f2bdb23f0d7d2bcaa4aefe735996462f9789a0ae7d
SSDEEP

24576:O2G/nvxW3WY3h0KomE5c7JtTE/TWsO8Mxj:ObA3x3GKCuP3AMp

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1560	3664	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	3664	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	3664	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4268	3664	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	3664	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5008	3664	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1172	3664	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	964	3664	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	376	3664	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1220	3664	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	3664	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4124	3664	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3128	3664	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4520	3664	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	3664	schtasks.exe	92

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x0007000000023c32-9.dat	dcrat
behavioral2/memory/2548-13-0x0000000000C00000-0x0000000000CD6000-memory.dmp	dcrat

Checks computer location settings 2 TTPs 24 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\Control Panel\International\Geo\Nation	msHyperwin.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\Control Panel\International\Geo\Nation	da55b07483858fc038855e7aa1290036419f9dadb362c510951d20385106584dN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe

Executes dropped EXE 22 IoCs

pid	Process
2548	msHyperwin.exe
2212	SppExtComObj.exe
1768	SppExtComObj.exe
3372	SppExtComObj.exe
1120	SppExtComObj.exe
4376	SppExtComObj.exe
1796	SppExtComObj.exe
2220	SppExtComObj.exe
3620	SppExtComObj.exe
4868	SppExtComObj.exe
4900	SppExtComObj.exe
3416	SppExtComObj.exe
804	SppExtComObj.exe
912	SppExtComObj.exe
3832	SppExtComObj.exe
4752	SppExtComObj.exe
2220	SppExtComObj.exe
2824	SppExtComObj.exe
2788	SppExtComObj.exe
844	SppExtComObj.exe
3604	SppExtComObj.exe
4616	SppExtComObj.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Portable Devices\services.exe	msHyperwin.exe
File created	C:\Program Files\Windows Portable Devices\c5b4cb5e9653cc	msHyperwin.exe
File created	C:\Program Files (x86)\Microsoft.NET\taskhostw.exe	msHyperwin.exe
File created	C:\Program Files (x86)\Microsoft.NET\ea9f0e6c9e2dcd	msHyperwin.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\ImmersiveControlPanel\es-ES\RuntimeBroker.exe	msHyperwin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	da55b07483858fc038855e7aa1290036419f9dadb362c510951d20385106584dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Modifies registry class 22 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings	da55b07483858fc038855e7aa1290036419f9dadb362c510951d20385106584dN.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings	SppExtComObj.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4520	schtasks.exe
1560	schtasks.exe
4268	schtasks.exe
5008	schtasks.exe
2288	schtasks.exe
1172	schtasks.exe
4124	schtasks.exe
1220	schtasks.exe
376	schtasks.exe
3128	schtasks.exe
1660	schtasks.exe
2412	schtasks.exe
2176	schtasks.exe
1652	schtasks.exe
964	schtasks.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
2548	msHyperwin.exe
2212	SppExtComObj.exe
1768	SppExtComObj.exe
3372	SppExtComObj.exe
1120	SppExtComObj.exe
4376	SppExtComObj.exe
1796	SppExtComObj.exe
2220	SppExtComObj.exe
3620	SppExtComObj.exe
4868	SppExtComObj.exe
4900	SppExtComObj.exe
3416	SppExtComObj.exe
804	SppExtComObj.exe
912	SppExtComObj.exe
3832	SppExtComObj.exe
4752	SppExtComObj.exe
2220	SppExtComObj.exe
2824	SppExtComObj.exe
2788	SppExtComObj.exe
844	SppExtComObj.exe
3604	SppExtComObj.exe
4616	SppExtComObj.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	2548	msHyperwin.exe
Token: SeDebugPrivilege	2212	SppExtComObj.exe
Token: SeDebugPrivilege	1768	SppExtComObj.exe
Token: SeDebugPrivilege	3372	SppExtComObj.exe
Token: SeDebugPrivilege	1120	SppExtComObj.exe
Token: SeDebugPrivilege	4376	SppExtComObj.exe
Token: SeDebugPrivilege	1796	SppExtComObj.exe
Token: SeDebugPrivilege	2220	SppExtComObj.exe
Token: SeDebugPrivilege	3620	SppExtComObj.exe
Token: SeDebugPrivilege	4868	SppExtComObj.exe
Token: SeDebugPrivilege	4900	SppExtComObj.exe
Token: SeDebugPrivilege	3416	SppExtComObj.exe
Token: SeDebugPrivilege	804	SppExtComObj.exe
Token: SeDebugPrivilege	912	SppExtComObj.exe
Token: SeDebugPrivilege	3832	SppExtComObj.exe
Token: SeDebugPrivilege	4752	SppExtComObj.exe
Token: SeDebugPrivilege	2220	SppExtComObj.exe
Token: SeDebugPrivilege	2824	SppExtComObj.exe
Token: SeDebugPrivilege	2788	SppExtComObj.exe
Token: SeDebugPrivilege	844	SppExtComObj.exe
Token: SeDebugPrivilege	3604	SppExtComObj.exe
Token: SeDebugPrivilege	4616	SppExtComObj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3688 wrote to memory of 3872	3688	da55b07483858fc038855e7aa1290036419f9dadb362c510951d20385106584dN.exe	88
PID 3688 wrote to memory of 3872	3688	da55b07483858fc038855e7aa1290036419f9dadb362c510951d20385106584dN.exe	88
PID 3688 wrote to memory of 3872	3688	da55b07483858fc038855e7aa1290036419f9dadb362c510951d20385106584dN.exe	88
PID 3872 wrote to memory of 896	3872	WScript.exe	89
PID 3872 wrote to memory of 896	3872	WScript.exe	89
PID 3872 wrote to memory of 896	3872	WScript.exe	89
PID 896 wrote to memory of 2548	896	cmd.exe	91
PID 896 wrote to memory of 2548	896	cmd.exe	91
PID 2548 wrote to memory of 2212	2548	msHyperwin.exe	108
PID 2548 wrote to memory of 2212	2548	msHyperwin.exe	108
PID 2212 wrote to memory of 2404	2212	SppExtComObj.exe	109
PID 2212 wrote to memory of 2404	2212	SppExtComObj.exe	109
PID 2404 wrote to memory of 3988	2404	cmd.exe	111
PID 2404 wrote to memory of 3988	2404	cmd.exe	111
PID 2404 wrote to memory of 1768	2404	cmd.exe	112
PID 2404 wrote to memory of 1768	2404	cmd.exe	112
PID 1768 wrote to memory of 4184	1768	SppExtComObj.exe	113
PID 1768 wrote to memory of 4184	1768	SppExtComObj.exe	113
PID 4184 wrote to memory of 3200	4184	cmd.exe	115
PID 4184 wrote to memory of 3200	4184	cmd.exe	115
PID 4184 wrote to memory of 3372	4184	cmd.exe	116
PID 4184 wrote to memory of 3372	4184	cmd.exe	116
PID 3372 wrote to memory of 4560	3372	SppExtComObj.exe	117
PID 3372 wrote to memory of 4560	3372	SppExtComObj.exe	117
PID 4560 wrote to memory of 4948	4560	cmd.exe	119
PID 4560 wrote to memory of 4948	4560	cmd.exe	119
PID 4560 wrote to memory of 1120	4560	cmd.exe	120
PID 4560 wrote to memory of 1120	4560	cmd.exe	120
PID 1120 wrote to memory of 5080	1120	SppExtComObj.exe	121
PID 1120 wrote to memory of 5080	1120	SppExtComObj.exe	121
PID 5080 wrote to memory of 1716	5080	cmd.exe	123
PID 5080 wrote to memory of 1716	5080	cmd.exe	123
PID 5080 wrote to memory of 4376	5080	cmd.exe	124
PID 5080 wrote to memory of 4376	5080	cmd.exe	124
PID 4376 wrote to memory of 4388	4376	SppExtComObj.exe	125
PID 4376 wrote to memory of 4388	4376	SppExtComObj.exe	125
PID 4388 wrote to memory of 3628	4388	cmd.exe	127
PID 4388 wrote to memory of 3628	4388	cmd.exe	127
PID 4388 wrote to memory of 1796	4388	cmd.exe	129
PID 4388 wrote to memory of 1796	4388	cmd.exe	129
PID 1796 wrote to memory of 3736	1796	SppExtComObj.exe	130
PID 1796 wrote to memory of 3736	1796	SppExtComObj.exe	130
PID 3736 wrote to memory of 2188	3736	cmd.exe	132
PID 3736 wrote to memory of 2188	3736	cmd.exe	132
PID 3736 wrote to memory of 2220	3736	cmd.exe	133
PID 3736 wrote to memory of 2220	3736	cmd.exe	133
PID 2220 wrote to memory of 1004	2220	SppExtComObj.exe	134
PID 2220 wrote to memory of 1004	2220	SppExtComObj.exe	134
PID 1004 wrote to memory of 2876	1004	cmd.exe	136
PID 1004 wrote to memory of 2876	1004	cmd.exe	136
PID 1004 wrote to memory of 3620	1004	cmd.exe	138
PID 1004 wrote to memory of 3620	1004	cmd.exe	138
PID 3620 wrote to memory of 2064	3620	SppExtComObj.exe	139
PID 3620 wrote to memory of 2064	3620	SppExtComObj.exe	139
PID 2064 wrote to memory of 3532	2064	cmd.exe	141
PID 2064 wrote to memory of 3532	2064	cmd.exe	141
PID 2064 wrote to memory of 4868	2064	cmd.exe	142
PID 2064 wrote to memory of 4868	2064	cmd.exe	142
PID 4868 wrote to memory of 4840	4868	SppExtComObj.exe	143
PID 4868 wrote to memory of 4840	4868	SppExtComObj.exe	143
PID 4840 wrote to memory of 1664	4840	cmd.exe	145
PID 4840 wrote to memory of 1664	4840	cmd.exe	145
PID 4840 wrote to memory of 4900	4840	cmd.exe	146
PID 4840 wrote to memory of 4900	4840	cmd.exe	146

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\da55b07483858fc038855e7aa1290036419f9dadb362c510951d20385106584dN.exe
"C:\Users\Admin\AppData\Local\Temp\da55b07483858fc038855e7aa1290036419f9dadb362c510951d20385106584dN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3688
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\blockportPerf\xzo2bGgmPslNl7slz3g.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3872
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\blockportPerf\8NgAaSzS.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:896
  - - C:\blockportPerf\msHyperwin.exe
      "C:\blockportPerf\msHyperwin.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2548
    - - C:\Users\All Users\Oracle\Java\.oracle_jre_usage\SppExtComObj.exe
        
        "C:\Users\All Users\Oracle\Java\.oracle_jre_usage\SppExtComObj.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2212
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Kz6bOuYaab.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2404
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:3988
        
        C:\Users\All Users\Oracle\Java\.oracle_jre_usage\SppExtComObj.exe
        
        "C:\Users\All Users\Oracle\Java\.oracle_jre_usage\SppExtComObj.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1768
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gQkyN2upze.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4184
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:3200
        
        C:\Users\All Users\Oracle\Java\.oracle_jre_usage\SppExtComObj.exe
        
        "C:\Users\All Users\Oracle\Java\.oracle_jre_usage\SppExtComObj.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3372
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KtkjGbmHOL.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:4560
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:4948
        
        C:\Users\All Users\Oracle\Java\.oracle_jre_usage\SppExtComObj.exe
        
        "C:\Users\All Users\Oracle\Java\.oracle_jre_usage\SppExtComObj.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1120
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZcfpJnj91J.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:5080
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1716
        
        C:\Users\All Users\Oracle\Java\.oracle_jre_usage\SppExtComObj.exe
        
        "C:\Users\All Users\Oracle\Java\.oracle_jre_usage\SppExtComObj.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4376
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Re4gxnF4du.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:4388
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:3628
        
        C:\Users\All Users\Oracle\Java\.oracle_jre_usage\SppExtComObj.exe
        
        "C:\Users\All Users\Oracle\Java\.oracle_jre_usage\SppExtComObj.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1796
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ay7XDWEJg9.bat"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:3736
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2188
        
        C:\Users\All Users\Oracle\Java\.oracle_jre_usage\SppExtComObj.exe
        
        "C:\Users\All Users\Oracle\Java\.oracle_jre_usage\SppExtComObj.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2220
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Re4gxnF4du.bat"
        18⤵
        Suspicious use of WriteProcessMemory
        
        PID:1004
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2876
        
        C:\Users\All Users\Oracle\Java\.oracle_jre_usage\SppExtComObj.exe
        
        "C:\Users\All Users\Oracle\Java\.oracle_jre_usage\SppExtComObj.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3620
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RnBkS9jGYw.bat"
        20⤵
        Suspicious use of WriteProcessMemory
        
        PID:2064
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:3532
        
        C:\Users\All Users\Oracle\Java\.oracle_jre_usage\SppExtComObj.exe
        
        "C:\Users\All Users\Oracle\Java\.oracle_jre_usage\SppExtComObj.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4868
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gQkyN2upze.bat"
        22⤵
        Suspicious use of WriteProcessMemory
        
        PID:4840
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:1664
        
        C:\Users\All Users\Oracle\Java\.oracle_jre_usage\SppExtComObj.exe
        
        "C:\Users\All Users\Oracle\Java\.oracle_jre_usage\SppExtComObj.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4900
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1F0LTC0kP2.bat"
        24⤵
        
        PID:3424
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:1616
        
        C:\Users\All Users\Oracle\Java\.oracle_jre_usage\SppExtComObj.exe
        
        "C:\Users\All Users\Oracle\Java\.oracle_jre_usage\SppExtComObj.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3416
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eUivgxqvfs.bat"
        26⤵
        
        PID:5056
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:4412
        
        C:\Users\All Users\Oracle\Java\.oracle_jre_usage\SppExtComObj.exe
        
        "C:\Users\All Users\Oracle\Java\.oracle_jre_usage\SppExtComObj.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:804
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Zlmto9DLwM.bat"
        28⤵
        
        PID:3964
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:2720
        
        C:\Users\All Users\Oracle\Java\.oracle_jre_usage\SppExtComObj.exe
        
        "C:\Users\All Users\Oracle\Java\.oracle_jre_usage\SppExtComObj.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:912
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VeFqpJq3BV.bat"
        30⤵
        
        PID:1556
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        31⤵
        
        PID:3976
        
        C:\Users\All Users\Oracle\Java\.oracle_jre_usage\SppExtComObj.exe
        
        "C:\Users\All Users\Oracle\Java\.oracle_jre_usage\SppExtComObj.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3832
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nDq7RH5Uwz.bat"
        32⤵
        
        PID:2560
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        33⤵
        
        PID:2044
        
        C:\Users\All Users\Oracle\Java\.oracle_jre_usage\SppExtComObj.exe
        
        "C:\Users\All Users\Oracle\Java\.oracle_jre_usage\SppExtComObj.exe"
        33⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4752
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Mv8e4zbUuN.bat"
        34⤵
        
        PID:3648
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        35⤵
        
        PID:2808
        
        C:\Users\All Users\Oracle\Java\.oracle_jre_usage\SppExtComObj.exe
        
        "C:\Users\All Users\Oracle\Java\.oracle_jre_usage\SppExtComObj.exe"
        35⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2220
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\x8TIUMdSeB.bat"
        36⤵
        
        PID:2936
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        37⤵
        
        PID:3608
        
        C:\Users\All Users\Oracle\Java\.oracle_jre_usage\SppExtComObj.exe
        
        "C:\Users\All Users\Oracle\Java\.oracle_jre_usage\SppExtComObj.exe"
        37⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2824
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IxigaWiN4Z.bat"
        38⤵
        
        PID:1052
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        39⤵
        
        PID:4888
        
        C:\Users\All Users\Oracle\Java\.oracle_jre_usage\SppExtComObj.exe
        
        "C:\Users\All Users\Oracle\Java\.oracle_jre_usage\SppExtComObj.exe"
        39⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2788
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\x8TIUMdSeB.bat"
        40⤵
        
        PID:3392
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        41⤵
        
        PID:740
        
        C:\Users\All Users\Oracle\Java\.oracle_jre_usage\SppExtComObj.exe
        
        "C:\Users\All Users\Oracle\Java\.oracle_jre_usage\SppExtComObj.exe"
        41⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:844
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uLZJId2lFR.bat"
        42⤵
        
        PID:2348
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        43⤵
        
        PID:1792
        
        C:\Users\All Users\Oracle\Java\.oracle_jre_usage\SppExtComObj.exe
        
        "C:\Users\All Users\Oracle\Java\.oracle_jre_usage\SppExtComObj.exe"
        43⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3604
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qKN9Q7Smhq.bat"
        44⤵
        
        PID:4312
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        45⤵
        
        PID:2840
        
        C:\Users\All Users\Oracle\Java\.oracle_jre_usage\SppExtComObj.exe
        
        "C:\Users\All Users\Oracle\Java\.oracle_jre_usage\SppExtComObj.exe"
        45⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4616
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Pi2dGiCBJ7.bat"
        46⤵
        
        PID:4684
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        47⤵
        
        PID:3148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Oracle\Java\.oracle_jre_usage\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\All Users\Oracle\Java\.oracle_jre_usage\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Oracle\Java\.oracle_jre_usage\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Portable Devices\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft.NET\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft.NET\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\NetHood\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\NetHood\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\NetHood\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SppExtComObj.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Temp\1F0LTC0kP2.bat

Filesize
230B

MD5
0e1a678b739f2324e177dcfbad7cf227

SHA1
20f70aa8c05c8b481818448efcc8b46c2803f266

SHA256
979e1e859f237187bf0f03c28e645870c040027d6c008a026b0f209c70bda51a

SHA512
4c6a99c690359ae589e9282a61cf4f5a33b44b824e8ad87465b11f7efc0a0a2c344afff5006109a4385563c265a68899aeddd53237d9dd710fe8cb53b39faeca

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ay7XDWEJg9.bat

Filesize
230B

MD5
2efec093a00c2d6f76095d24b12a4e2a

SHA1
d78b29a2656a96d340f370d13efed95bcc07ebf6

SHA256
832cc14bd51a6ee8fbc6ffd15f92e57674ddb981572f143880df9c405048b678

SHA512
9401c7be56b98862a17611cb9003d7e332b2b0b2f8ced5772c1dd04ecb69a0ecd50d4a83dfb717db4fed8519a1f19cd3d9832698053d3fa130ee2afe6b15c26b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IxigaWiN4Z.bat

Filesize
230B

MD5
3766c7291d8be8a586afc0f4aa75e0b3

SHA1
f16b7520775886159afce5b0cc428d74ba88155b

SHA256
8c93301cef552ca5ec9d40393d352d9c4994aa88c49c227f2548291797a31141

SHA512
53e92e3b8d83f16319e261d20cb440d6652b1e471a52edadeec52938e414e22c5e4d15cc70e7b4366e5b7f7c68041b7b714d19836ab6f0b6b9e55ec70dbbb459

Download Submit
C:\Users\Admin\AppData\Local\Temp\KtkjGbmHOL.bat

Filesize
230B

MD5
7d5553df4d39294fe3a1470d44886a2b

SHA1
5a3c97698264f796d993cae02e5c7b01b31bfc4f

SHA256
d8ccbd544d1fc7e45f438cdabbf0b4f0fa9d49bdcd52f7cbc511cf84cdc76f7e

SHA512
a1c23389d8e426d57252556b74405e519cb570df6bbb8049f2b74674ea080b21104f473157617818bc504bc6b4445b9828856f53d22a9fb06740e82d635fd17c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kz6bOuYaab.bat

Filesize
230B

MD5
9cde3c429f87507a218d6344c8ddc560

SHA1
84a53165b5d0bfd8168e1f209ae5994d2fd4bcf8

SHA256
2ccdf0895a4a66fed1ce62d341ab3edad98a78e4be2d3f8166d634f147a47a14

SHA512
5d40df95733164ded7c8d870e2aec318e0e7449efa1a0e493f63714de3e85fb445a1e8423fe1af5da40374c64e64cbf029bca3392719fb3272f01e29fb1ff326

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mv8e4zbUuN.bat

Filesize
230B

MD5
b31af4445f53d657929c4e1a9d4dae3d

SHA1
6b7163a2fc02211e043980c06bc74de8eb048dce

SHA256
efbd6644df81bc39a73185a9dc38c817c1c7b77a3bc004d200a60879716b18f5

SHA512
dc16888e804b58c506a0d7e49a584738fbb6b4fbd525ef99e55ffb56a0f719d2ec4638059ca9eca737eb1def411d5d1529d9094bdcf1e884222480527d7f3df8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pi2dGiCBJ7.bat

Filesize
230B

MD5
89d693ae264ab21b68677d52c4e1271c

SHA1
bd0e44e07fa1cdb6bbe9aba51a1b3d0fdab458bb

SHA256
3b0f94e563b1886d28170741b5477a941e18548a02a5e865115604659281e650

SHA512
53b5ec8e97b6629a869d9a8ead00b1933355c28ad5a1c5b886fa2222273909b53ff838903dab0ccb4de8a9c314a5e0ef723233aaad7099baa742d5d4905b5486

Download Submit
C:\Users\Admin\AppData\Local\Temp\Re4gxnF4du.bat

Filesize
230B

MD5
e5e87d367ee726012955a05c95a5cf71

SHA1
c171afecd47db7e5b38437a28f07a3b61dbb5efa

SHA256
d88e4ca7305b93e58768769375e25721df4e0646c7c2875eda0efdbb54c2d045

SHA512
556db1f8097c2953d22a7e98490aa6a5882857b58fc4b43a348264abcea3c04807cb16fcef229567fd5f37876f127e79046d07ef9e648b188b13f30ab34394d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RnBkS9jGYw.bat

Filesize
230B

MD5
18a886046c7feb468007abc9413da217

SHA1
0cfc1195a9c6402ff3a6e9759b5657e536c77dcf

SHA256
5fda7277c10b3b9490d2a743f1fbddf9af87cbcfd37b0e79ccdc36cb96a11977

SHA512
b2ca0837159c49e52ba236ac1c966cc6bc396aa692cecdd123303fab7a874720687f32fbd55299404255c4512d90afe5bf4ff79465b1dde46c4012c88b0651ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\VeFqpJq3BV.bat

Filesize
230B

MD5
6cf6a40b54d866e5cd7290d31ac95740

SHA1
aace1bbaaa7cd98560b1f493542d9d748b65ad0b

SHA256
991ae93cfc63576193510af9275799c2f127ffaa31704fd8ba02bb4c982a3afd

SHA512
f72e1dcd0b6d6c1c9a5e667c5ee13858d3b71803e2c3d03656f627f3b5b8b760a507e22bc1fb34afdc7b1a9b84cc376a89215bc1c3ca54a7465c09c891e4c9b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZcfpJnj91J.bat

Filesize
230B

MD5
b1e49624d46cd69a1fa94f60d35ac6d0

SHA1
68044d231c8a130a4e28e37e2da10c3671191330

SHA256
1c770ab2d54d7c33aa7f5596d3945ef65cfde7aa4c17e68d87541d68b56266d7

SHA512
5fec38c740071014578d99dfc5bc6fd1db03f831762efbd6a473e6a6ab6faf6374acf33d6d460ffbb3ee5f8c89cd2f84e2d83ecc04e14311960729a99371e9dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zlmto9DLwM.bat

Filesize
230B

MD5
deb1d296ca0ca387e3ecb090fa7773a6

SHA1
47759082d5c178f019b335fdf282a18eae1e88d9

SHA256
6de938815a62a6fbcdd922732a920dab450301d7e16259f7aa66c4d3ac07caee

SHA512
3d5caa02e0459e52dc620369ae9173cdf4989976ca5c413790db334dc4383324517f58de4a3541b6748d8c400493c9b6706c92a610f2a331eeb2bca7d7d45d15

Download Submit
C:\Users\Admin\AppData\Local\Temp\eUivgxqvfs.bat

Filesize
230B

MD5
4102a855ccba9e302605cfb6bfa7061e

SHA1
82462dde940d2dbcd555142c1cce7d1939653135

SHA256
e3015bb1428a485ed13df638b0873fd6937977342066bebc3eb912a2e1c9b915

SHA512
3f36bbe15aa168c5f668cb2403c19fbf33c81b2f8194fd42ab76dbaf433739c3e44ef9d2022dd2ead39d6105c5adf02ea05dbeaffdf81b79b4d63b975bcb1ec3

Download Submit
C:\Users\Admin\AppData\Local\Temp\gQkyN2upze.bat

Filesize
230B

MD5
552480cc8eb79e34ac695a3dfea1cf0b

SHA1
c12affea7a23e2b73eeae2417eb4b07005097523

SHA256
c53495b33bf5572de5535c8170f24edcf978b22fd978ef1daf4ed857eff0b65f

SHA512
0a8500680ed5993e782bd1860fdd74c1267d02358cde58b30611f0b736f8fa83e9181ab643b4d48efcb8d82eb5fa2d5b2680d4a697bc2e66c806330e06939eb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nDq7RH5Uwz.bat

Filesize
230B

MD5
6a6313efe717e408598c13d151e530a9

SHA1
b02556255f8de99eee64e7f7d6f28b7918de7667

SHA256
26b5d158bd0693f60591a827a84d2e58c9d769f0ef357ad58fe69d1926513061

SHA512
56175c9058202d4e3a5cdc44c697cea9fb19249cb1268ceba02943b5ec0de39843f45b2166a0a354c8095016673d4faaabe1742b8069337034234251b3a23e68

Download Submit
C:\Users\Admin\AppData\Local\Temp\qKN9Q7Smhq.bat

Filesize
230B

MD5
008ac059c634c500e363242386d28180

SHA1
6b1a15192dd744b408f2aff12691219a4fde927b

SHA256
7d54bf9149816cbc8a73b368ccd8708881344b126fd82f97ce15c20eac29961b

SHA512
16e7f4186d56bd08ee5ccbdbded8f1677132d83755959e08337ec1d47bc8537abb1a5581cfa685beab7d6d81ba0484907b1b248eac4d274a7b86fabd965479d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\uLZJId2lFR.bat

Filesize
230B

MD5
84bc00d3163ccd7edcec78a1e3f89e23

SHA1
08f266acea6a7c79fd2b4bed76a6275674883add

SHA256
f721e6fd240433545cbf9fa7338dd1558e9ba28a6675285fe54fe320066ba6df

SHA512
70e5a6ed1037392dbea17b0f6f6f589d5720c990a654fb60aff59a922e7cd4b59dc36d13063c29db5cc059655e904c67214cfc45560295bff16a4ab102368777

Download Submit
C:\Users\Admin\AppData\Local\Temp\x8TIUMdSeB.bat

Filesize
230B

MD5
fd2e1f7e78143abe910ef0146cee54f7

SHA1
cd5a74dceb9200bf3b7ad19126dc2ebc5af788b3

SHA256
f28c7fde783c9a432654974cbebcca21c3ff2cd6c51fe1c036e9cd856303f1d3

SHA512
a8cebc8e7149ef4037d1b6c52fa7bb9062846aaa1a0d90ce0a11823959182279123be8eacfac02dcf0518e6807bd59e201d2d8b4deb8894fdff2ad751c52c5f0

Download Submit
C:\blockportPerf\8NgAaSzS.bat

Filesize
33B

MD5
129edcab253879180520a89894a75a65

SHA1
0757b18d5ac0e84303aefbf6873fee3f986008af

SHA256
589907f4666f0ef1c2be88ce6ecf69ba91aa109d9e7f02563e3f8d49e5b38c7a

SHA512
87417310af71b5bac41f744c438c89a14add86ad2dbcc92af1c56ebc77c1b427b78bce9fd5bbe3a7149d39b4a551cd2c7f3027841684cb41f120c98a756cc3cf

Download Submit
C:\blockportPerf\msHyperwin.exe

Filesize
828KB

MD5
eb50118d9bc9039a4621a53c99f7cba6

SHA1
60e0072e6d2da16d798115051c78b39d0b612da4

SHA256
0bf3dd8cbac480d92c5a0dc3e57d4fc3dcc39e728a35706d6c01ef5b6d194bfa

SHA512
d40f27a12cb4c3ca3beca7cbf4b51e178ab779841494fb755e0d609656fbd0782fc41313ec6956dcfc754a0ee7b43456f7b95a334372020081be868d82f0a552

Download Submit
C:\blockportPerf\xzo2bGgmPslNl7slz3g.vbe

Filesize
198B

MD5
be713fe492452bddabb6fb4bde0296f5

SHA1
b28b6b2c6efe00e6c81dd684248d4113e982308c

SHA256
d5242705fd1f4f9f43d7e27c99a099053e5c17179ad5be934c8b4d8962990b68

SHA512
25af67b34aca8ee054727f1715ae00a6a3c5fc0dcdee98baf283463e3ecc016548688e36f7e277671487bdc64c63773c5e9695935b18e127081d8cdd45298344

Download Submit
memory/2548-12-0x00007FFEBF803000-0x00007FFEBF805000-memory.dmp

Filesize
8KB

Download
memory/2548-13-0x0000000000C00000-0x0000000000CD6000-memory.dmp

Filesize
856KB

Download