dcrat | 8fa48ae55b5ba85e84d086d7e94a87095d20582e091eaf96ebe7cf906216510b

Analysis

max time kernel
116s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
02-02-2025 05:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8fa48ae55b5ba85e84d086d7e94a87095d20582e091eaf96ebe7cf906216510b.exe
Size

1.2MB
MD5

ed2798838993e4cbcbf8115cdbbc31fa
SHA1

b013a3df59ec1a6407c7d290798ddd370cb6a645
SHA256

8fa48ae55b5ba85e84d086d7e94a87095d20582e091eaf96ebe7cf906216510b
SHA512

4020e60ff02fb5f2beacf7d7c595cd3927a6b6c2f9f57181bc565a59f8a4b4f457db5287aa8b32cffbb2da0f6d4a1d7fe1dec443c28e370189f4f5bf0d4b3fae
SSDEEP

24576:O2G/nvxW3WY3h0KomE5c7JtTE/TWsO8Mxz:ObA3x3GKCuP3AM5

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1184	716	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4296	716	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1580	716	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	244	716	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4384	716	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1824	716	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4356	716	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3492	716	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	716	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4540	716	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4140	716	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1848	716	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3752	716	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4236	716	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3256	716	schtasks.exe	90

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x0007000000023c7b-9.dat	dcrat
behavioral2/memory/3332-13-0x00000000007F0000-0x00000000008C6000-memory.dmp	dcrat

Checks computer location settings 2 TTPs 23 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000\Control Panel\International\Geo\Nation	msHyperwin.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000\Control Panel\International\Geo\Nation	8fa48ae55b5ba85e84d086d7e94a87095d20582e091eaf96ebe7cf906216510b.exe

Executes dropped EXE 21 IoCs

pid	Process
3332	msHyperwin.exe
808	System.exe
3140	System.exe
2132	System.exe
636	System.exe
2312	System.exe
3636	System.exe
3300	System.exe
1128	System.exe
4488	System.exe
2968	System.exe
1788	System.exe
2760	System.exe
1432	System.exe
2668	System.exe
4376	System.exe
4236	System.exe
4772	System.exe
1564	System.exe
3464	System.exe
1428	System.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\121e5b5079f7c0	msHyperwin.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\System.exe	msHyperwin.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\27d1bcfc3c54e0	msHyperwin.exe
File created	C:\Program Files\7-Zip\Lang\StartMenuExperienceHost.exe	msHyperwin.exe
File created	C:\Program Files\7-Zip\Lang\55b276f4edf653	msHyperwin.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\sysmon.exe	msHyperwin.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\TAPI\msHyperwin.exe	msHyperwin.exe
File created	C:\Windows\TAPI\35fa05764b5d3f	msHyperwin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8fa48ae55b5ba85e84d086d7e94a87095d20582e091eaf96ebe7cf906216510b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 22 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000_Classes\Local Settings	8fa48ae55b5ba85e84d086d7e94a87095d20582e091eaf96ebe7cf906216510b.exe
Key created	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000_Classes\Local Settings	msHyperwin.exe
Key created	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000_Classes\Local Settings	System.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3752	schtasks.exe
1184	schtasks.exe
4384	schtasks.exe
1824	schtasks.exe
2444	schtasks.exe
1848	schtasks.exe
244	schtasks.exe
4356	schtasks.exe
4236	schtasks.exe
4540	schtasks.exe
4140	schtasks.exe
3256	schtasks.exe
4296	schtasks.exe
1580	schtasks.exe
3492	schtasks.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
3332	msHyperwin.exe
3332	msHyperwin.exe
3332	msHyperwin.exe
3332	msHyperwin.exe
3332	msHyperwin.exe
3332	msHyperwin.exe
3332	msHyperwin.exe
3332	msHyperwin.exe
3332	msHyperwin.exe
3332	msHyperwin.exe
808	System.exe
3140	System.exe
2132	System.exe
636	System.exe
2312	System.exe
3636	System.exe
3300	System.exe
1128	System.exe
4488	System.exe
2968	System.exe
1788	System.exe
2760	System.exe
1432	System.exe
2668	System.exe
4376	System.exe
4236	System.exe
4772	System.exe
1564	System.exe
3464	System.exe
1428	System.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	3332	msHyperwin.exe
Token: SeDebugPrivilege	808	System.exe
Token: SeDebugPrivilege	3140	System.exe
Token: SeDebugPrivilege	2132	System.exe
Token: SeDebugPrivilege	636	System.exe
Token: SeDebugPrivilege	2312	System.exe
Token: SeDebugPrivilege	3636	System.exe
Token: SeDebugPrivilege	3300	System.exe
Token: SeDebugPrivilege	1128	System.exe
Token: SeDebugPrivilege	4488	System.exe
Token: SeDebugPrivilege	2968	System.exe
Token: SeDebugPrivilege	1788	System.exe
Token: SeDebugPrivilege	2760	System.exe
Token: SeDebugPrivilege	1432	System.exe
Token: SeDebugPrivilege	2668	System.exe
Token: SeDebugPrivilege	4376	System.exe
Token: SeDebugPrivilege	4236	System.exe
Token: SeDebugPrivilege	4772	System.exe
Token: SeDebugPrivilege	1564	System.exe
Token: SeDebugPrivilege	3464	System.exe
Token: SeDebugPrivilege	1428	System.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1572 wrote to memory of 3640	1572	8fa48ae55b5ba85e84d086d7e94a87095d20582e091eaf96ebe7cf906216510b.exe	86
PID 1572 wrote to memory of 3640	1572	8fa48ae55b5ba85e84d086d7e94a87095d20582e091eaf96ebe7cf906216510b.exe	86
PID 1572 wrote to memory of 3640	1572	8fa48ae55b5ba85e84d086d7e94a87095d20582e091eaf96ebe7cf906216510b.exe	86
PID 3640 wrote to memory of 1132	3640	WScript.exe	87
PID 3640 wrote to memory of 1132	3640	WScript.exe	87
PID 3640 wrote to memory of 1132	3640	WScript.exe	87
PID 1132 wrote to memory of 3332	1132	cmd.exe	89
PID 1132 wrote to memory of 3332	1132	cmd.exe	89
PID 3332 wrote to memory of 764	3332	msHyperwin.exe	106
PID 3332 wrote to memory of 764	3332	msHyperwin.exe	106
PID 764 wrote to memory of 1236	764	cmd.exe	108
PID 764 wrote to memory of 1236	764	cmd.exe	108
PID 764 wrote to memory of 808	764	cmd.exe	109
PID 764 wrote to memory of 808	764	cmd.exe	109
PID 808 wrote to memory of 4924	808	System.exe	110
PID 808 wrote to memory of 4924	808	System.exe	110
PID 4924 wrote to memory of 1712	4924	cmd.exe	112
PID 4924 wrote to memory of 1712	4924	cmd.exe	112
PID 4924 wrote to memory of 3140	4924	cmd.exe	113
PID 4924 wrote to memory of 3140	4924	cmd.exe	113
PID 3140 wrote to memory of 2160	3140	System.exe	114
PID 3140 wrote to memory of 2160	3140	System.exe	114
PID 2160 wrote to memory of 4760	2160	cmd.exe	116
PID 2160 wrote to memory of 4760	2160	cmd.exe	116
PID 2160 wrote to memory of 2132	2160	cmd.exe	117
PID 2160 wrote to memory of 2132	2160	cmd.exe	117
PID 2132 wrote to memory of 3212	2132	System.exe	118
PID 2132 wrote to memory of 3212	2132	System.exe	118
PID 3212 wrote to memory of 1360	3212	cmd.exe	120
PID 3212 wrote to memory of 1360	3212	cmd.exe	120
PID 3212 wrote to memory of 636	3212	cmd.exe	121
PID 3212 wrote to memory of 636	3212	cmd.exe	121
PID 636 wrote to memory of 3868	636	System.exe	122
PID 636 wrote to memory of 3868	636	System.exe	122
PID 3868 wrote to memory of 1568	3868	cmd.exe	124
PID 3868 wrote to memory of 1568	3868	cmd.exe	124
PID 3868 wrote to memory of 2312	3868	cmd.exe	126
PID 3868 wrote to memory of 2312	3868	cmd.exe	126
PID 2312 wrote to memory of 2316	2312	System.exe	127
PID 2312 wrote to memory of 2316	2312	System.exe	127
PID 2316 wrote to memory of 1216	2316	cmd.exe	129
PID 2316 wrote to memory of 1216	2316	cmd.exe	129
PID 2316 wrote to memory of 3636	2316	cmd.exe	130
PID 2316 wrote to memory of 3636	2316	cmd.exe	130
PID 3636 wrote to memory of 4176	3636	System.exe	131
PID 3636 wrote to memory of 4176	3636	System.exe	131
PID 4176 wrote to memory of 2076	4176	cmd.exe	133
PID 4176 wrote to memory of 2076	4176	cmd.exe	133
PID 4176 wrote to memory of 3300	4176	cmd.exe	135
PID 4176 wrote to memory of 3300	4176	cmd.exe	135
PID 3300 wrote to memory of 4736	3300	System.exe	136
PID 3300 wrote to memory of 4736	3300	System.exe	136
PID 4736 wrote to memory of 1404	4736	cmd.exe	138
PID 4736 wrote to memory of 1404	4736	cmd.exe	138
PID 4736 wrote to memory of 1128	4736	cmd.exe	139
PID 4736 wrote to memory of 1128	4736	cmd.exe	139
PID 1128 wrote to memory of 3708	1128	System.exe	140
PID 1128 wrote to memory of 3708	1128	System.exe	140
PID 3708 wrote to memory of 1376	3708	cmd.exe	142
PID 3708 wrote to memory of 1376	3708	cmd.exe	142
PID 3708 wrote to memory of 4488	3708	cmd.exe	143
PID 3708 wrote to memory of 4488	3708	cmd.exe	143
PID 4488 wrote to memory of 1248	4488	System.exe	144
PID 4488 wrote to memory of 1248	4488	System.exe	144

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\8fa48ae55b5ba85e84d086d7e94a87095d20582e091eaf96ebe7cf906216510b.exe
"C:\Users\Admin\AppData\Local\Temp\8fa48ae55b5ba85e84d086d7e94a87095d20582e091eaf96ebe7cf906216510b.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1572
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\blockportPerf\xzo2bGgmPslNl7slz3g.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3640
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\blockportPerf\8NgAaSzS.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1132
  - - C:\blockportPerf\msHyperwin.exe
      "C:\blockportPerf\msHyperwin.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3332
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QkkmiKW5TD.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:764
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1236
      - C:\Program Files (x86)\Windows Defender\es-ES\System.exe
        
        "C:\Program Files (x86)\Windows Defender\es-ES\System.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:808
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ww4YVzclJm.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4924
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1712
        
        C:\Program Files (x86)\Windows Defender\es-ES\System.exe
        
        "C:\Program Files (x86)\Windows Defender\es-ES\System.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3140
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\svsOdT1nlB.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2160
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:4760
        
        C:\Program Files (x86)\Windows Defender\es-ES\System.exe
        
        "C:\Program Files (x86)\Windows Defender\es-ES\System.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2132
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fELEOgu8eF.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:3212
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1360
        
        C:\Program Files (x86)\Windows Defender\es-ES\System.exe
        
        "C:\Program Files (x86)\Windows Defender\es-ES\System.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:636
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZBm8ilTxac.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:3868
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1568
        
        C:\Program Files (x86)\Windows Defender\es-ES\System.exe
        
        "C:\Program Files (x86)\Windows Defender\es-ES\System.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2312
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WOs9W2tFAs.bat"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1216
        
        C:\Program Files (x86)\Windows Defender\es-ES\System.exe
        
        "C:\Program Files (x86)\Windows Defender\es-ES\System.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3636
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XFk51gP3Gp.bat"
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:4176
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2076
        
        C:\Program Files (x86)\Windows Defender\es-ES\System.exe
        
        "C:\Program Files (x86)\Windows Defender\es-ES\System.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3300
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DemtbJLPzJ.bat"
        19⤵
        Suspicious use of WriteProcessMemory
        
        PID:4736
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1404
        
        C:\Program Files (x86)\Windows Defender\es-ES\System.exe
        
        "C:\Program Files (x86)\Windows Defender\es-ES\System.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1128
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qzqLwOyuSO.bat"
        21⤵
        Suspicious use of WriteProcessMemory
        
        PID:3708
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1376
        
        C:\Program Files (x86)\Windows Defender\es-ES\System.exe
        
        "C:\Program Files (x86)\Windows Defender\es-ES\System.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4488
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9minE9DcLk.bat"
        23⤵
        
        PID:1248
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:4924
        
        C:\Program Files (x86)\Windows Defender\es-ES\System.exe
        
        "C:\Program Files (x86)\Windows Defender\es-ES\System.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2968
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SNhzeWIHcH.bat"
        25⤵
        
        PID:2568
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:2084
        
        C:\Program Files (x86)\Windows Defender\es-ES\System.exe
        
        "C:\Program Files (x86)\Windows Defender\es-ES\System.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1788
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4vfhrz6qhB.bat"
        27⤵
        
        PID:4360
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:2420
        
        C:\Program Files (x86)\Windows Defender\es-ES\System.exe
        
        "C:\Program Files (x86)\Windows Defender\es-ES\System.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2760
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2qVagYZlTM.bat"
        29⤵
        
        PID:1808
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        30⤵
        
        PID:2436
        
        C:\Program Files (x86)\Windows Defender\es-ES\System.exe
        
        "C:\Program Files (x86)\Windows Defender\es-ES\System.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1432
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lAZRwHYzWc.bat"
        31⤵
        
        PID:1284
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        32⤵
        
        PID:1476
        
        C:\Program Files (x86)\Windows Defender\es-ES\System.exe
        
        "C:\Program Files (x86)\Windows Defender\es-ES\System.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2668
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2qVagYZlTM.bat"
        33⤵
        
        PID:1572
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        34⤵
        
        PID:3060
        
        C:\Program Files (x86)\Windows Defender\es-ES\System.exe
        
        "C:\Program Files (x86)\Windows Defender\es-ES\System.exe"
        34⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4376
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nDwMkfOC2e.bat"
        35⤵
        
        PID:3976
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        36⤵
        
        PID:2064
        
        C:\Program Files (x86)\Windows Defender\es-ES\System.exe
        
        "C:\Program Files (x86)\Windows Defender\es-ES\System.exe"
        36⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4236
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QLJ4q7S46F.bat"
        37⤵
        
        PID:4116
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        38⤵
        
        PID:1404
        
        C:\Program Files (x86)\Windows Defender\es-ES\System.exe
        
        "C:\Program Files (x86)\Windows Defender\es-ES\System.exe"
        38⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4772
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nDwMkfOC2e.bat"
        39⤵
        
        PID:4344
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        40⤵
        
        PID:4400
        
        C:\Program Files (x86)\Windows Defender\es-ES\System.exe
        
        "C:\Program Files (x86)\Windows Defender\es-ES\System.exe"
        40⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1564
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9dbjknkRRi.bat"
        41⤵
        
        PID:4636
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        42⤵
        
        PID:4580
        
        C:\Program Files (x86)\Windows Defender\es-ES\System.exe
        
        "C:\Program Files (x86)\Windows Defender\es-ES\System.exe"
        42⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3464
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Nflxmifgtk.bat"
        43⤵
        
        PID:4312
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        44⤵
        
        PID:3140
        
        C:\Program Files (x86)\Windows Defender\es-ES\System.exe
        
        "C:\Program Files (x86)\Windows Defender\es-ES\System.exe"
        44⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1428
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\m1RNSv4oba.bat"
        45⤵
        
        PID:4776
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        46⤵
        
        PID:3932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Downloads\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Users\Default\Downloads\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Downloads\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\es-ES\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Program Files\7-Zip\Lang\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Program Files\7-Zip\Lang\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msHyperwinm" /sc MINUTE /mo 11 /tr "'C:\Windows\TAPI\msHyperwin.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msHyperwin" /sc ONLOGON /tr "'C:\Windows\TAPI\msHyperwin.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msHyperwinm" /sc MINUTE /mo 11 /tr "'C:\Windows\TAPI\msHyperwin.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\System.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Temp\2qVagYZlTM.bat

Filesize
221B

MD5
a5225c414f0e648ed238dca194f47a78

SHA1
2aeeae395058ccaa462a2d33e58c7035318952dd

SHA256
4a7f180ff325d1c96c04a3d09c0491d5b7dfbbf304ed6f9b9255b6d69548adad

SHA512
e749b17575bd875447258988db48c6dfd454c06be8158f4fe74e2cfc08b863ccd36c0f3a31b0c3037c88d3f2c4b5173f08b9f8a4fb748c117c90ce91bc8905b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\4vfhrz6qhB.bat

Filesize
221B

MD5
689155d50a8679183207e64ba1d59d9b

SHA1
4fe181cb66d7e5244f27758408b3a7eafdf25e93

SHA256
c6f53e3b41b75d162c55abb6692bae40d211bf91c77833c3a205b51ece2dc988

SHA512
12fdf9f16f8926ab601a1fbf06c7c09755685d098a0025943d3d64037bc86a7dab153fb67e01c1e49d83cb84bbeca0bba0b36f76b7fe3beca6526d4f62579556

Download Submit
C:\Users\Admin\AppData\Local\Temp\9dbjknkRRi.bat

Filesize
221B

MD5
eccf4d30145ef52334ec68c9e14f630f

SHA1
c0a2063306bbf0fdfca16dee5288c5e29f844291

SHA256
913ecfee735deb62c288a3de3a9d891e4002588634b07ffd57ff384656d257c6

SHA512
6806ceb030e0cc692ab3ccf03c584ddacc987d427890e2b1346c90a6259c8a4876c707057391f8b27b2424268409f5d952b8e286145cf92b5acd9992f330c18a

Download Submit
C:\Users\Admin\AppData\Local\Temp\9minE9DcLk.bat

Filesize
221B

MD5
5bd6ecd2b5b8a691a30cf1da6379e8ff

SHA1
a8d8c1d0a67030061cd277df0d84150a48b66227

SHA256
72463a2a38825804b4ff0d9853102e2c85c160fb2b312508dd147c4149dca574

SHA512
3871d816cce0a53e839a9f7eabc5c95a323ca13fbaf2a6aeb5fafae8d3ad332404f36cf09e1bc6047a3bccd4743d6ce09bed561db334cd832b3cee97c3425dff

Download Submit
C:\Users\Admin\AppData\Local\Temp\DemtbJLPzJ.bat

Filesize
221B

MD5
02e9674d8c78eb491f88444bbb4ed9ea

SHA1
f29890b916165b758ac81c025b5683931ffe5ab9

SHA256
0055cd78b315ae1d6033e7040bbf1db58dfab18d1fc5e862c9cc9eae6afe49de

SHA512
a963cca3ebf85917b896030f561782a1d765b4fe82b3fcdcd0cfd633e7e71e80734348fa78a878c3cb979c97ad014887b2b98203ccc7e2b720d6eed8b15d8986

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nflxmifgtk.bat

Filesize
221B

MD5
fde34f58e2408c499cc64add4ecb4af0

SHA1
6e80fad4a9806b5c53ed6193a9e1328a80e40346

SHA256
d3f3795c5f2e636b3eab4806eec12537cd57c1295e0c2e41e330bdf527e7f3b6

SHA512
3cdfb494a500eb1efe8c05bec9b23313f7510d2df6f65c6bc633bbe86e6ca76591bf111dd75c93786ba9f53cb69bfcb3f0e7395e53101f175e5f65466e79ef0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\QLJ4q7S46F.bat

Filesize
221B

MD5
9c67e16f1aeb13a759d836a328753c51

SHA1
8f595b0d83668a3d086ca500c0a45f749ed813b9

SHA256
11a7273a5089325971c7ac0c8a60ca3ead1d7904814108d0fdf4aff75fd49ecc

SHA512
dab9fb655c172c197f42bd9efc217ef18193902957e31cd8934e85399605cedb24dc964cae3a8d521db37178a8d50a396152800ccefe6447deff86d15d544e98

Download Submit
C:\Users\Admin\AppData\Local\Temp\QkkmiKW5TD.bat

Filesize
221B

MD5
18cc52fba07c32401a68dfb834dd281b

SHA1
edf2a2f992bbecbfca9e7324495a532e7083e045

SHA256
0efebe09ef3661233ac810522c7c3051de268d8ab2a03c80724a75dbdef0e6ec

SHA512
138041df669c4973c09646cf0c4c25a2a03b584f4aa3069387dbdebe577d431d7af0f57440fc58c1f98fa971ed652f9235f86b668b73f35c097ec60680cb7175

Download Submit
C:\Users\Admin\AppData\Local\Temp\SNhzeWIHcH.bat

Filesize
221B

MD5
ab5ff8d7844d3e423a10e82b7e9c04c8

SHA1
d6b0b909626dbe0c26fe19b1a95dcfbccc4818e5

SHA256
836603e7ca17bb378375922a4718bf795ea50a523cb55185228ae10907f59f79

SHA512
922f011242e95d3e84daee5429705e0c9cd58728f3e3e5ea889d32f9fdd046a2f57bfd6e5e10b423ce3e55b984b6ad5cb4a07cbcd3212bcd5bcc053febea682b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WOs9W2tFAs.bat

Filesize
221B

MD5
496a7326e1e2044f40bbc39832f220d9

SHA1
18c77850b656dacba39e9859741a79c5ee0c19f8

SHA256
21878801ec66c4e98412ce05505de71c7e66565f7887995527a39a5c0122b898

SHA512
36cfde5e6907984101e25dd8fed4d09f3abfb302f791ed6793cb0bba9e043fed790e942d0a9931ff7adc9dcf4fe80e6c2c9632e15faba7d06358a67c46d972e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\XFk51gP3Gp.bat

Filesize
221B

MD5
d7e2c0778a6dd8635a93bbe216e6ae1a

SHA1
0eab6a230426a82e8972a776ea5cc4ae8614b892

SHA256
fcb587f8ed89a395b40a9ec7f84f3f9935a07ff9403ee24ae1a96de6b9275943

SHA512
a1054378e8673306535b7d5c686ad1c232310a0e5e0f7974f6936f38e3e9462326ea67de444058631baa693ddb69860e726a226381296abbb1a6ed1ed1be0683

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZBm8ilTxac.bat

Filesize
221B

MD5
1f54ca7669ce9be8ad73476c3a0d5980

SHA1
bce3def8c0c67148fd190e813efa253eea203ded

SHA256
252cc3d44f01d1ec7651c60b950f2656256e4375169b0dad6ad486ea0757c540

SHA512
83512a8e63eb0eabe1ca65b1a5ab82ed9b52a85d096f82950ddb3bc11afae06a77a6c9c0aec285249b64d42b4fb7899fd48ef9bf077f1c61b0470a65662c9614

Download Submit
C:\Users\Admin\AppData\Local\Temp\fELEOgu8eF.bat

Filesize
221B

MD5
b3aa373c76edcde4e3bb7ec14e0019e1

SHA1
f4bf69712c408f0f6f7cc2a12a83d3b528bb574b

SHA256
dcd60947c8eec05477f8dee8b08a2e16c78a536d6257dbf3a3a90b8d733e6307

SHA512
55218e1a7c8b7396bef8c82e784fa6c34ad27cc206d4558379244275d3216125f9e81282ec15e706c5b43cd31f3f43b13fbb6768bf0889ad2fe31ff05422a59c

Download Submit
C:\Users\Admin\AppData\Local\Temp\lAZRwHYzWc.bat

Filesize
221B

MD5
04697aabcc5195c984e498dd44388aa0

SHA1
daec3706e9ad8082f46de75c2f449fb8bcbad3b7

SHA256
b42ca88bc9840577835a318f58b99b90787a5d851522e7f8da166912049e8396

SHA512
d5c4b994487695f18e9e837089f2961644fa9f72348d41886a1f154bdb245d5b3fb1b41f14656f1b0cbfee28b72e2538f30c6fd998878db5aa928a5f175a6404

Download Submit
C:\Users\Admin\AppData\Local\Temp\m1RNSv4oba.bat

Filesize
221B

MD5
618b8a95847c48296c6b0f9db45d10b3

SHA1
18f8a06405ca5bff77339bb960ed8f4cbd124fe7

SHA256
270d7d487d80cdba3ecae136eb3f0ae6c92cb6605caea5ce69060a8de2697938

SHA512
09a00b5ca4a21d0de2b7d7a0ee5757b803f35283b703c46acd380fe4eba5bf84c87433ff27255ac090d8f0d531e479a53136e3176d006b1ae2f5d91185b57d51

Download Submit
C:\Users\Admin\AppData\Local\Temp\nDwMkfOC2e.bat

Filesize
221B

MD5
a4f6ee8b1c2e566fc8d474a414f796d4

SHA1
3d985f6710fab51f641705f8fa8582bf64ec68ee

SHA256
17a5b416ab032fb21923577a03449b94d43b63115634007d79fb39444b44c19f

SHA512
61a36ba9d3aa08a477ecb896d0ff6ca842daaedfeedbbaf3930d14a7cbcff3085f20e019ea6f95793f5373da64980cfe693bd69a17622771d62b9c599ee52533

Download Submit
C:\Users\Admin\AppData\Local\Temp\qzqLwOyuSO.bat

Filesize
221B

MD5
1171063286cd48c5268dc6b11cef7161

SHA1
b01780130b2e14d95c90a20d434a9ca8580243e7

SHA256
fd24e5921a1c6f1728cccded9b693a30c98e0b600531e1e08b156741105c9f39

SHA512
e4b96e54d721b53f58517c429739cdb83a059d710c8da6ab4140ed7af13235ae9c8de4876db11775bdcd49e86ec840b06aef1d0ba4a9cd5b62c482987dda437c

Download Submit
C:\Users\Admin\AppData\Local\Temp\svsOdT1nlB.bat

Filesize
221B

MD5
7222939d2eb052b3e20ea5a4ec9de1f3

SHA1
3f06024d3f8d455b34a1c73277902a23249f606f

SHA256
eebc549b8f6211a3b6e32d8650043a11511e9a3a696a4932adfb82d4a9fd9e5d

SHA512
9a70b1869b005292ae3bdc0ffe95ab1495530353d5c1b0413188a78dadb9a062559959e6cb147327d79ec3b4f92f46d07f6d6a64cbfe3eef2c0a6a665b1120f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ww4YVzclJm.bat

Filesize
221B

MD5
4201754479fc29b889ff60b9e4262de9

SHA1
cb971eb43f0486ce588c871b91a643d87ae44199

SHA256
ecf85941a5661596645a4e7109af9a23064c0f76c9c0800efc4bb88e5503a157

SHA512
f9f244b894f4ce16ea1ed84430e66fce9b17bb038c2388daf2ba4a8c8a9450af16bc7d3727417d14f4f326a1b38ee9b3f4c50421e4d3be57f59d357e75644233

Download Submit
C:\blockportPerf\8NgAaSzS.bat

Filesize
33B

MD5
129edcab253879180520a89894a75a65

SHA1
0757b18d5ac0e84303aefbf6873fee3f986008af

SHA256
589907f4666f0ef1c2be88ce6ecf69ba91aa109d9e7f02563e3f8d49e5b38c7a

SHA512
87417310af71b5bac41f744c438c89a14add86ad2dbcc92af1c56ebc77c1b427b78bce9fd5bbe3a7149d39b4a551cd2c7f3027841684cb41f120c98a756cc3cf

Download Submit
C:\blockportPerf\msHyperwin.exe

Filesize
828KB

MD5
eb50118d9bc9039a4621a53c99f7cba6

SHA1
60e0072e6d2da16d798115051c78b39d0b612da4

SHA256
0bf3dd8cbac480d92c5a0dc3e57d4fc3dcc39e728a35706d6c01ef5b6d194bfa

SHA512
d40f27a12cb4c3ca3beca7cbf4b51e178ab779841494fb755e0d609656fbd0782fc41313ec6956dcfc754a0ee7b43456f7b95a334372020081be868d82f0a552

Download Submit
C:\blockportPerf\xzo2bGgmPslNl7slz3g.vbe

Filesize
198B

MD5
be713fe492452bddabb6fb4bde0296f5

SHA1
b28b6b2c6efe00e6c81dd684248d4113e982308c

SHA256
d5242705fd1f4f9f43d7e27c99a099053e5c17179ad5be934c8b4d8962990b68

SHA512
25af67b34aca8ee054727f1715ae00a6a3c5fc0dcdee98baf283463e3ecc016548688e36f7e277671487bdc64c63773c5e9695935b18e127081d8cdd45298344

Download Submit
memory/3332-13-0x00000000007F0000-0x00000000008C6000-memory.dmp

Filesize
856KB

Download
memory/3332-12-0x00007FFCABE73000-0x00007FFCABE75000-memory.dmp

Filesize
8KB

Download