dcrat | 369fee29d5d28b92e18c413371a74421a66ae2df72ffd1931826a2f5965b5880

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18/01/2025, 19:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

StablePolaria/PolariaClientStable.exe
Size

1.2MB
MD5

93beba30961d66c4bf317a91e2ceab60
SHA1

5c394cf0254b1eebb9a978556ce6d94f8fced169
SHA256

da55b07483858fc038855e7aa1290036419f9dadb362c510951d20385106584d
SHA512

9a7ed86f099c7ab52357cc846e3d872bf4e9f33e3792e16395200e1c4cc9e0b491a94eb45430c202da50a4f2bdb23f0d7d2bcaa4aefe735996462f9789a0ae7d
SSDEEP

24576:O2G/nvxW3WY3h0KomE5c7JtTE/TWsO8Mxj:ObA3x3GKCuP3AMp

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4964	2552	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	2552	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4200	2552	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	2552	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4020	2552	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	2552	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4216	2552	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4532	2552	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	2552	schtasks.exe	88

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x000a000000023b71-10.dat	dcrat
behavioral2/memory/3124-13-0x0000000000B70000-0x0000000000C46000-memory.dmp	dcrat

Checks computer location settings 2 TTPs 29 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	msHyperwin.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	PolariaClientStable.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	dllhost.exe

Executes dropped EXE 27 IoCs

pid	Process
3124	msHyperwin.exe
3552	dllhost.exe
744	dllhost.exe
1516	dllhost.exe
2764	dllhost.exe
5076	dllhost.exe
1240	dllhost.exe
3948	dllhost.exe
1796	dllhost.exe
4316	dllhost.exe
1504	dllhost.exe
2124	dllhost.exe
1664	dllhost.exe
4512	dllhost.exe
4696	dllhost.exe
816	dllhost.exe
3304	dllhost.exe
4868	dllhost.exe
872	dllhost.exe
4876	dllhost.exe
2232	dllhost.exe
2728	dllhost.exe
3844	dllhost.exe
4060	dllhost.exe
2736	dllhost.exe
1792	dllhost.exe
3440	dllhost.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\dllhost.exe	msHyperwin.exe
File created	C:\Program Files\Common Files\5940a34987c991	msHyperwin.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\L2Schemas\35fa05764b5d3f	msHyperwin.exe
File created	C:\Windows\GameBarPresenceWriter\StartMenuExperienceHost.exe	msHyperwin.exe
File created	C:\Windows\GameBarPresenceWriter\55b276f4edf653	msHyperwin.exe
File created	C:\Windows\L2Schemas\msHyperwin.exe	msHyperwin.exe
File opened for modification	C:\Windows\L2Schemas\msHyperwin.exe	msHyperwin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PolariaClientStable.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 27 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	PolariaClientStable.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2628	schtasks.exe
4200	schtasks.exe
2184	schtasks.exe
4216	schtasks.exe
4964	schtasks.exe
2172	schtasks.exe
4020	schtasks.exe
4532	schtasks.exe
2508	schtasks.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
3124	msHyperwin.exe
3552	dllhost.exe
744	dllhost.exe
1516	dllhost.exe
2764	dllhost.exe
5076	dllhost.exe
1240	dllhost.exe
3948	dllhost.exe
1796	dllhost.exe
4316	dllhost.exe
1504	dllhost.exe
2124	dllhost.exe
1664	dllhost.exe
4512	dllhost.exe
4696	dllhost.exe
816	dllhost.exe
3304	dllhost.exe
4868	dllhost.exe
872	dllhost.exe
4876	dllhost.exe
2232	dllhost.exe
2728	dllhost.exe
3844	dllhost.exe
4060	dllhost.exe
2736	dllhost.exe
1792	dllhost.exe
3440	dllhost.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeDebugPrivilege	3124	msHyperwin.exe
Token: SeDebugPrivilege	3552	dllhost.exe
Token: SeDebugPrivilege	744	dllhost.exe
Token: SeDebugPrivilege	1516	dllhost.exe
Token: SeDebugPrivilege	2764	dllhost.exe
Token: SeDebugPrivilege	5076	dllhost.exe
Token: SeDebugPrivilege	1240	dllhost.exe
Token: SeDebugPrivilege	3948	dllhost.exe
Token: SeDebugPrivilege	1796	dllhost.exe
Token: SeDebugPrivilege	4316	dllhost.exe
Token: SeDebugPrivilege	1504	dllhost.exe
Token: SeDebugPrivilege	2124	dllhost.exe
Token: SeDebugPrivilege	1664	dllhost.exe
Token: SeDebugPrivilege	4512	dllhost.exe
Token: SeDebugPrivilege	4696	dllhost.exe
Token: SeDebugPrivilege	816	dllhost.exe
Token: SeDebugPrivilege	3304	dllhost.exe
Token: SeDebugPrivilege	4868	dllhost.exe
Token: SeDebugPrivilege	872	dllhost.exe
Token: SeDebugPrivilege	4876	dllhost.exe
Token: SeDebugPrivilege	2232	dllhost.exe
Token: SeDebugPrivilege	2728	dllhost.exe
Token: SeDebugPrivilege	3844	dllhost.exe
Token: SeDebugPrivilege	4060	dllhost.exe
Token: SeDebugPrivilege	2736	dllhost.exe
Token: SeDebugPrivilege	1792	dllhost.exe
Token: SeDebugPrivilege	3440	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 2992	2064	PolariaClientStable.exe	83
PID 2064 wrote to memory of 2992	2064	PolariaClientStable.exe	83
PID 2064 wrote to memory of 2992	2064	PolariaClientStable.exe	83
PID 2992 wrote to memory of 2368	2992	WScript.exe	85
PID 2992 wrote to memory of 2368	2992	WScript.exe	85
PID 2992 wrote to memory of 2368	2992	WScript.exe	85
PID 2368 wrote to memory of 3124	2368	cmd.exe	87
PID 2368 wrote to memory of 3124	2368	cmd.exe	87
PID 3124 wrote to memory of 3552	3124	msHyperwin.exe	99
PID 3124 wrote to memory of 3552	3124	msHyperwin.exe	99
PID 3552 wrote to memory of 5048	3552	dllhost.exe	100
PID 3552 wrote to memory of 5048	3552	dllhost.exe	100
PID 5048 wrote to memory of 3416	5048	cmd.exe	102
PID 5048 wrote to memory of 3416	5048	cmd.exe	102
PID 5048 wrote to memory of 744	5048	cmd.exe	104
PID 5048 wrote to memory of 744	5048	cmd.exe	104
PID 744 wrote to memory of 3212	744	dllhost.exe	105
PID 744 wrote to memory of 3212	744	dllhost.exe	105
PID 3212 wrote to memory of 2604	3212	cmd.exe	107
PID 3212 wrote to memory of 2604	3212	cmd.exe	107
PID 3212 wrote to memory of 1516	3212	cmd.exe	114
PID 3212 wrote to memory of 1516	3212	cmd.exe	114
PID 1516 wrote to memory of 4156	1516	dllhost.exe	115
PID 1516 wrote to memory of 4156	1516	dllhost.exe	115
PID 4156 wrote to memory of 4484	4156	cmd.exe	117
PID 4156 wrote to memory of 4484	4156	cmd.exe	117
PID 4156 wrote to memory of 2764	4156	cmd.exe	124
PID 4156 wrote to memory of 2764	4156	cmd.exe	124
PID 2764 wrote to memory of 3324	2764	dllhost.exe	125
PID 2764 wrote to memory of 3324	2764	dllhost.exe	125
PID 3324 wrote to memory of 4492	3324	cmd.exe	127
PID 3324 wrote to memory of 4492	3324	cmd.exe	127
PID 3324 wrote to memory of 5076	3324	cmd.exe	129
PID 3324 wrote to memory of 5076	3324	cmd.exe	129
PID 5076 wrote to memory of 2612	5076	dllhost.exe	130
PID 5076 wrote to memory of 2612	5076	dllhost.exe	130
PID 2612 wrote to memory of 4756	2612	cmd.exe	132
PID 2612 wrote to memory of 4756	2612	cmd.exe	132
PID 2612 wrote to memory of 1240	2612	cmd.exe	136
PID 2612 wrote to memory of 1240	2612	cmd.exe	136
PID 1240 wrote to memory of 4696	1240	dllhost.exe	137
PID 1240 wrote to memory of 4696	1240	dllhost.exe	137
PID 4696 wrote to memory of 3552	4696	cmd.exe	139
PID 4696 wrote to memory of 3552	4696	cmd.exe	139
PID 4696 wrote to memory of 3948	4696	cmd.exe	141
PID 4696 wrote to memory of 3948	4696	cmd.exe	141
PID 3948 wrote to memory of 5052	3948	dllhost.exe	142
PID 3948 wrote to memory of 5052	3948	dllhost.exe	142
PID 5052 wrote to memory of 3916	5052	cmd.exe	144
PID 5052 wrote to memory of 3916	5052	cmd.exe	144
PID 5052 wrote to memory of 1796	5052	cmd.exe	146
PID 5052 wrote to memory of 1796	5052	cmd.exe	146
PID 1796 wrote to memory of 4244	1796	dllhost.exe	147
PID 1796 wrote to memory of 4244	1796	dllhost.exe	147
PID 4244 wrote to memory of 1220	4244	cmd.exe	149
PID 4244 wrote to memory of 1220	4244	cmd.exe	149
PID 4244 wrote to memory of 4316	4244	cmd.exe	151
PID 4244 wrote to memory of 4316	4244	cmd.exe	151
PID 4316 wrote to memory of 4424	4316	dllhost.exe	152
PID 4316 wrote to memory of 4424	4316	dllhost.exe	152
PID 4424 wrote to memory of 2144	4424	cmd.exe	154
PID 4424 wrote to memory of 2144	4424	cmd.exe	154
PID 4424 wrote to memory of 1504	4424	cmd.exe	156
PID 4424 wrote to memory of 1504	4424	cmd.exe	156

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\StablePolaria\PolariaClientStable.exe
"C:\Users\Admin\AppData\Local\Temp\StablePolaria\PolariaClientStable.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\blockportPerf\xzo2bGgmPslNl7slz3g.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2992
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\blockportPerf\8NgAaSzS.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2368
  - - C:\blockportPerf\msHyperwin.exe
      "C:\blockportPerf\msHyperwin.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3124
    - - C:\Program Files\Common Files\dllhost.exe
        
        "C:\Program Files\Common Files\dllhost.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3552
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uP802u8Cku.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:5048
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:3416
        
        C:\Program Files\Common Files\dllhost.exe
        
        "C:\Program Files\Common Files\dllhost.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:744
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rcE1qBYVKA.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3212
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2604
        
        C:\Program Files\Common Files\dllhost.exe
        
        "C:\Program Files\Common Files\dllhost.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1516
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\B7rL9EqqPR.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:4156
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:4484
        
        C:\Program Files\Common Files\dllhost.exe
        
        "C:\Program Files\Common Files\dllhost.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2764
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\paq62miIo8.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:3324
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:4492
        
        C:\Program Files\Common Files\dllhost.exe
        
        "C:\Program Files\Common Files\dllhost.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5076
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9BpIS9nw5f.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:2612
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:4756
        
        C:\Program Files\Common Files\dllhost.exe
        
        "C:\Program Files\Common Files\dllhost.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1240
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yQKAuQiBIV.bat"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:4696
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:3552
        
        C:\Program Files\Common Files\dllhost.exe
        
        "C:\Program Files\Common Files\dllhost.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3948
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\64IFTJQeKo.bat"
        18⤵
        Suspicious use of WriteProcessMemory
        
        PID:5052
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:3916
        
        C:\Program Files\Common Files\dllhost.exe
        
        "C:\Program Files\Common Files\dllhost.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1796
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IuwUCT1VMm.bat"
        20⤵
        Suspicious use of WriteProcessMemory
        
        PID:4244
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:1220
        
        C:\Program Files\Common Files\dllhost.exe
        
        "C:\Program Files\Common Files\dllhost.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4316
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lZfwAG7KGX.bat"
        22⤵
        Suspicious use of WriteProcessMemory
        
        PID:4424
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2144
        
        C:\Program Files\Common Files\dllhost.exe
        
        "C:\Program Files\Common Files\dllhost.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1504
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wUI7DLfHyj.bat"
        24⤵
        
        PID:1660
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:1716
        
        C:\Program Files\Common Files\dllhost.exe
        
        "C:\Program Files\Common Files\dllhost.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2124
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8KwMxVG80h.bat"
        26⤵
        
        PID:3740
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:1812
        
        C:\Program Files\Common Files\dllhost.exe
        
        "C:\Program Files\Common Files\dllhost.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1664
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zHC6P4FzNT.bat"
        28⤵
        
        PID:4564
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:3308
        
        C:\Program Files\Common Files\dllhost.exe
        
        "C:\Program Files\Common Files\dllhost.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4512
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2Oj9OucH8K.bat"
        30⤵
        
        PID:2496
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        31⤵
        
        PID:4384
        
        C:\Program Files\Common Files\dllhost.exe
        
        "C:\Program Files\Common Files\dllhost.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4696
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\80JI9OTYea.bat"
        32⤵
        
        PID:4060
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        33⤵
        
        PID:2908
        
        C:\Program Files\Common Files\dllhost.exe
        
        "C:\Program Files\Common Files\dllhost.exe"
        33⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:816
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SpZgFYZT4y.bat"
        34⤵
        
        PID:4300
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        35⤵
        
        PID:3952
        
        C:\Program Files\Common Files\dllhost.exe
        
        "C:\Program Files\Common Files\dllhost.exe"
        35⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3304
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pgCyA6Uc1O.bat"
        36⤵
        
        PID:4296
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        37⤵
        
        PID:4128
        
        C:\Program Files\Common Files\dllhost.exe
        
        "C:\Program Files\Common Files\dllhost.exe"
        37⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4868
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iS8tBRk2Vg.bat"
        38⤵
        
        PID:4132
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        39⤵
        
        PID:2764
        
        C:\Program Files\Common Files\dllhost.exe
        
        "C:\Program Files\Common Files\dllhost.exe"
        39⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:872
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oVhzrLBDaJ.bat"
        40⤵
        
        PID:4012
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        41⤵
        
        PID:4992
        
        C:\Program Files\Common Files\dllhost.exe
        
        "C:\Program Files\Common Files\dllhost.exe"
        41⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4876
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tYG4XGbOex.bat"
        42⤵
        
        PID:4828
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        43⤵
        
        PID:2660
        
        C:\Program Files\Common Files\dllhost.exe
        
        "C:\Program Files\Common Files\dllhost.exe"
        43⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2232
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sNl5EWIzDs.bat"
        44⤵
        
        PID:1416
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        45⤵
        
        PID:2952
        
        C:\Program Files\Common Files\dllhost.exe
        
        "C:\Program Files\Common Files\dllhost.exe"
        45⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2728
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FEON83D8AI.bat"
        46⤵
        
        PID:1372
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        47⤵
        
        PID:2924
        
        C:\Program Files\Common Files\dllhost.exe
        
        "C:\Program Files\Common Files\dllhost.exe"
        47⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3844
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RkPY472Oq9.bat"
        48⤵
        
        PID:1652
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        49⤵
        
        PID:4628
        
        C:\Program Files\Common Files\dllhost.exe
        
        "C:\Program Files\Common Files\dllhost.exe"
        49⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4060
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GzuRWOxc20.bat"
        50⤵
        
        PID:3652
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        51⤵
        
        PID:4908
        
        C:\Program Files\Common Files\dllhost.exe
        
        "C:\Program Files\Common Files\dllhost.exe"
        51⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2736
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2Oj9OucH8K.bat"
        52⤵
        
        PID:1928
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        53⤵
        
        PID:1428
        
        C:\Program Files\Common Files\dllhost.exe
        
        "C:\Program Files\Common Files\dllhost.exe"
        53⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1792
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F82V1kRox2.bat"
        54⤵
        
        PID:1820
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        55⤵
        
        PID:2992
        
        C:\Program Files\Common Files\dllhost.exe
        
        "C:\Program Files\Common Files\dllhost.exe"
        55⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3440
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kUVpzpaF2i.bat"
        56⤵
        
        PID:64
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        57⤵
        
        PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msHyperwinm" /sc MINUTE /mo 13 /tr "'C:\Windows\L2Schemas\msHyperwin.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msHyperwin" /sc ONLOGON /tr "'C:\Windows\L2Schemas\msHyperwin.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msHyperwinm" /sc MINUTE /mo 11 /tr "'C:\Windows\L2Schemas\msHyperwin.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Windows\GameBarPresenceWriter\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\GameBarPresenceWriter\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Windows\GameBarPresenceWriter\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Common Files\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Common Files\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Common Files\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dllhost.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Temp\2Oj9OucH8K.bat

Filesize
206B

MD5
9fc361dfefc8d73f940a0c50b6cbc1b6

SHA1
10d26db036cc8986960fc731809119483bcd73a9

SHA256
229b209d1dcd6cfdac820228f32d5843ab74003072c69c8582ea01b993d3ac3e

SHA512
dcb3df751c62694c47dc8283d1a44fa274146b045d1fb11ec02e258dca033f02362d0cfa246731d7ecd7841c2902bd5790726a76b28ed656804a260cc764684e

Download Submit
C:\Users\Admin\AppData\Local\Temp\64IFTJQeKo.bat

Filesize
206B

MD5
d970899b3ec3a86e12df2d33b3a19bf8

SHA1
f2488be659c027777f2d7298a722e2e832a84297

SHA256
f84430041b472102adbaa8e22d27300da5f6d0bc1b9e0d87c1346f92ac445eb5

SHA512
49d1f698aeef4d859537f4b24d63fcccde823f07ae5d38e4b7a76d63ac3f82df3f0c437660c2a6bb65e63750a6d7ae688017de851d2189a940350ca7c97e60c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\80JI9OTYea.bat

Filesize
206B

MD5
1e4a3759c5b09ef3092c6ae4949b0b38

SHA1
6cdd562b3efbdeb280f95e2d105ad9d405d67bdd

SHA256
1cca9d7a7061cd08f077db05caaa0e7c7e6772b0bb2d9f61bba65c5ad7e10f44

SHA512
a83d7a6dadf80e4fb8e9122dc8f9dd3a8cacf94b518e0e67adce2c393683992d9608db41ec18a09391274c89dd210de56223787b2db585eba9b7e24717f5985f

Download Submit
C:\Users\Admin\AppData\Local\Temp\8KwMxVG80h.bat

Filesize
206B

MD5
66d9ed0ecad9b0d8b9377ca7daee7c6b

SHA1
615ad687fdb864fdf400d66e9702a86950efb5e0

SHA256
8bb3d067651f33a4c2cc1a3b911b9472325ba5b40c8179bc9fcab243cb452cc5

SHA512
bd331980bc0206a8c366bec7a3688a1ab6eec0a99c56fea29fa8f6fabc53321061173fe086902b590a239b906ce243581922b6a90ee57e012f3ee9a4e829090f

Download Submit
C:\Users\Admin\AppData\Local\Temp\9BpIS9nw5f.bat

Filesize
206B

MD5
00a7211ef33586cae31f0162d8668e74

SHA1
08491631f95cbf7f633f20a93951156afd4a9209

SHA256
468fa4eb26ed825ff46560c1f9f3de197edf496f7ddd82d792460b24fedf8d72

SHA512
fa0030c9e4b187bcab5cff0dfe236bae1097c810b780152d381d8a21b482e719781565d8abb7e1559b94261c5f8f7d83dfa5435f91b62a3ee713b2e667ad0186

Download Submit
C:\Users\Admin\AppData\Local\Temp\B7rL9EqqPR.bat

Filesize
206B

MD5
d1d4786aa00690b17d6e68d249b0f9d3

SHA1
57d2ceb104f1063c71a9b29e4d8b2480c34803ca

SHA256
599515c21c9eb1fcf2bc50c25bf710af6ebc070af636328407d7afce2af62058

SHA512
3666e82d03b7288af957dec526fae3c695cbd4c20b4c7481a56271b7474780a350f95f51240a12cdc5edc4bb299153c98b69d0391251e68c8ac4e0a46d4a5410

Download Submit
C:\Users\Admin\AppData\Local\Temp\F82V1kRox2.bat

Filesize
206B

MD5
1a9a23a8f80d3cee986e7d27b83bf523

SHA1
9d86d921e64ccf70dad253a2ad85694f2c06de51

SHA256
ea110490cdb3199c7a53748fb925244c686c7e403c8cdf9f99ae19e67bb52742

SHA512
d68e81fdff9f7439ff4bc7141bdd7a32d39aa6a3d508bdc1415e5f791089290465a97578a65bc249a5d88daeb04201e78b81d9fa9760eb6e3382bac74d634ad5

Download Submit
C:\Users\Admin\AppData\Local\Temp\FEON83D8AI.bat

Filesize
206B

MD5
19b8327f94f3bc408acff361eec9b42b

SHA1
2fa63d295428a971ce8fafd86beb4e58921ee1ef

SHA256
e93514e0d7d8f1b11930ccc9dfbdd4adf3ad6706922cf5c6832c2c2d8f441504

SHA512
5bc7c5838f52463a6cf36f9836c203694ee1e13d88616e60fe3f307ce687c17d5d73e69e6026e199d1dbdcdd6d1bb96021892bc006cb803ce74c60eeee568a47

Download Submit
C:\Users\Admin\AppData\Local\Temp\GzuRWOxc20.bat

Filesize
206B

MD5
daad7fb59592e93d72b24094863d2c9c

SHA1
b093486fc99452f1dff32e772d8f7613b98ce64c

SHA256
36de01cb264032139e7b9bd1316662deac891356c98e62356af0bb6bda0be457

SHA512
78421ddec7614d48352c85fb29ecca84f4444bd4c29a7d69ce1e09c113078df0c3f2280acd8cae75ef231a7c11d87fe3a604cd5a94b144b167122f4096c14a39

Download Submit
C:\Users\Admin\AppData\Local\Temp\IuwUCT1VMm.bat

Filesize
206B

MD5
7bb48cd70e77bf2937b82ba4415c06fd

SHA1
4d1a3f7abebff6b7f1c68558a2165dc0ae76a22e

SHA256
8f3509d77a56868f3972e94a9a770a606c16e133b14b2b52fd9bc0a764c33280

SHA512
c76e7377e30349cc7abe68db511f73269e2d37f8fe7c790b32c88e0fa8982720dc26184c48530ade51d4838960824d2f820d79c7ec14e7ae1c1d510ffa997380

Download Submit
C:\Users\Admin\AppData\Local\Temp\RkPY472Oq9.bat

Filesize
206B

MD5
a3f62a6804b14215e34ef28d406b6313

SHA1
3a0b6e7b9a68900dba4497270ea7e5423cf9d42e

SHA256
d1be67a824f132ddc08e9a7b64018f748ec5271c40e2fb7b8666318d35ff7695

SHA512
119fa9a309b228db9c2d197a9f90159498186d4a7f574f31217ec8522188d3c00ac8de6cc28aa53ae30ac978dfd7bf59a072c7ccb10e4c3d6e8d343f414c9d30

Download Submit
C:\Users\Admin\AppData\Local\Temp\SpZgFYZT4y.bat

Filesize
206B

MD5
88cf8820c6a8a9c6e7d4a7dda6ba8bd7

SHA1
1d4ada3edf87e330c58e06d7638ccb3425171caa

SHA256
5134d79b9691ffe2ebe02cdfad9a8e9a4bbcf06b4b2d318822b9949df0abb919

SHA512
523ef1d2b80a636de31d541283f762d3d3bb9a8c0dae02b78abddc9a155283d1a809710b6d4fd475bd2563d172764ced586b041f5a64d2e98fa03b91f87c3388

Download Submit
C:\Users\Admin\AppData\Local\Temp\iS8tBRk2Vg.bat

Filesize
206B

MD5
a9ae7c888290aaa6c47f94ca5d139b53

SHA1
d7c706da2ce0ce132fc51c5ec2238127d0d704e9

SHA256
97e140144564e319d4fff3691b2e0c72c273f72701bbb9d4be63c7bd5bef59e8

SHA512
8a215b3ed22b174988b2892cba576b8539e2a2fb8b08b26e936644e5109884f248eed9070aec6cb01c3a764be986f510905da1df86d4ddcd90311a0fb383fb14

Download Submit
C:\Users\Admin\AppData\Local\Temp\kUVpzpaF2i.bat

Filesize
206B

MD5
444b6d739060b1373c204df0ee2f9141

SHA1
c79dd7c67f9e8563be304e402863d91c2d08c4db

SHA256
f3b1b247aa3ae36b9ec49457df0d25b8941ecf9bfb3543620e70c94998746e5c

SHA512
240fc6a30f8c63cab445fa7786eb2dd8e9ee16ef98e39a2ae2d601e2a5c0827a0c4e3f8b15610758b5c75410a24b813f031c4315279bfcd0e1a593d87e63d291

Download Submit
C:\Users\Admin\AppData\Local\Temp\lZfwAG7KGX.bat

Filesize
206B

MD5
90cd0fb2120f793565203b37ffbcd591

SHA1
74bfb6387bf71c510b01543168fbf9a5dbda27e0

SHA256
36d8553d7a42518618f46ea66e7892cceb54e3e11947bb607c0ee17677bf0d6e

SHA512
db0d1f680de8894d5fd51b5e7d6684c0341e82afce4f4ed189505c0d19c4605ccf0252883f68191648cd8fb47a4de711df77b708e1cc420beaa3cc12eedde4d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\oVhzrLBDaJ.bat

Filesize
206B

MD5
40f6a1c698891d30fdc4016600a99516

SHA1
f02a11e78d05f70bd6a766d02105f68ef644d48b

SHA256
1b02c5102167c21882fbf8aa6f0ea9ba71583d05eb5d01d0dab1f682a91d5636

SHA512
6bf58b680193d5da87bbcd3d0ca434be1520d624e06a4e50ec38937edd5a01579358138cc875d89f59a10aab2c75a8eb7b18dfceab607b841d124ad1ee1f8d8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\paq62miIo8.bat

Filesize
206B

MD5
38cbafa947d33da556f765405968fbdd

SHA1
b6b2804b86b871069c40a94b5327aa3a1c5de3c2

SHA256
bf897128af0794162d72d7ef975d8b4fe2449d431a89a48f396efa6210741d01

SHA512
85222b692602e25d505e9098b67eb9ddb5fd684eecd540012eca85a68b6abee90d553a8e6e4a92cd6770ab0cf94d2e04023325a06e2ffe97b1819eaa94dc4fd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\pgCyA6Uc1O.bat

Filesize
206B

MD5
6da60bd029969f5c84b6dc0f7b09b340

SHA1
0bb19019385ce8ec12a91617c3cb56f8815aa935

SHA256
6ab4413f66c6b02c5587277dee0b6b696cc7e922bf6c03ff6d05bb4f72eda690

SHA512
b6e7b5aad266b43df229af420c5271da4644d55bfcefeaced388b4bda7ac23913b7f10791b2bffb2984d6bbe3511d7431bf4fd2713a847b553bbfaccce9ba85a

Download Submit
C:\Users\Admin\AppData\Local\Temp\rcE1qBYVKA.bat

Filesize
206B

MD5
5215fce12577da771133b0441119a1c6

SHA1
2fec1f9eda612c47e54360b275e59ce3a5332cc6

SHA256
c5c1a9d96f58e525581d67a1ae159cd8f457c11c4c6a6201fd86612ecff2a42f

SHA512
92b7c24233d86332e047adbef6dc607f5365ed93dcbaa1303233be36309dd2d66da929d4190f5d8a5eb90934bae4bec898243f4d4c256580c56ed5e79277c57b

Download Submit
C:\Users\Admin\AppData\Local\Temp\sNl5EWIzDs.bat

Filesize
206B

MD5
4d0ae91ff6c85714c51cd21fa2953212

SHA1
a0174d69e2f32e15e8639f30c9de711c05d7e38b

SHA256
dca1de26b0fa5161cfdd88bb002cb4da96eb0679cdcf6f255db947113dd74d5a

SHA512
9658887c3dd81f1e76a70279171e7c45e4b79155f058bb4d0b9e125806ec53593762c07365dce02f6105f84b0def71a8db29908419a94a7f2b084815b5f4eb42

Download Submit
C:\Users\Admin\AppData\Local\Temp\tYG4XGbOex.bat

Filesize
206B

MD5
e4b16e8b5ae03dca8219535a5a48de6c

SHA1
ae15eb01ca1b7cd63b3876b008bd134da308ee17

SHA256
bb6082b4a32fe5b6c936f97a5d17ec2c86af06bd76f6440ceecdcc5b9cdc48aa

SHA512
3f40a3c378dc290d37eaf6fcf00ca78509c28fd41ea832a754367c7c4046127a86212a377f77601a570504ced8bf6d215d83ebc17d61de44d0b090d39398ccf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\uP802u8Cku.bat

Filesize
206B

MD5
1000410cceddba3c596bbd9a7e7bca56

SHA1
fbcbc46076aeef1c18dc898036b9dcc3bd42390a

SHA256
e6893018364f8263b67d3d3854720d44b07d4e8951815779b49b63d56ee8ca56

SHA512
e9db705f533d73b5efbb712a35a5a00b66590ff65bf3891446ee1919b4a2e29d360d33e3916484761b4b4374ccddc18bbb5b89916c00cb55bf745992e529ab80

Download Submit
C:\Users\Admin\AppData\Local\Temp\wUI7DLfHyj.bat

Filesize
206B

MD5
e91b05b5fd6bbbe2499726ea4fa248ef

SHA1
d30e41791c286a49a90a8ad0f4d717fe1f0a64fc

SHA256
278a01e588acd1c2bb1565caf832a3560bfc13ce64e51a23284e0c0123d552c3

SHA512
6c54babb3dedb628b3077b0ae04f325cdd4406995d5d45eba93d3338b5ddaacecddc28d03be23584c696d585845d3f83e7a37c057b4877368fb57df287040ea5

Download Submit
C:\Users\Admin\AppData\Local\Temp\yQKAuQiBIV.bat

Filesize
206B

MD5
210fb7ec9cd9e24a2bbdd606a3f05cc0

SHA1
309c288e978b9248cc73994c5de89c25902d0f0b

SHA256
1e8ae0267ab7da36e0e631a2670cbd695c09b9d4977fa0eb8d6628a6e74fbdcf

SHA512
3405802336a08ebcd9ca6913168fc925d9d9258046fc99c75f518894175bc43f38f19d7def510a68eab1648cf18ee0663127b011dc2c5feb2f985867afdb8490

Download Submit
C:\Users\Admin\AppData\Local\Temp\zHC6P4FzNT.bat

Filesize
206B

MD5
0966354e8c9205499d8f38c6a08eae98

SHA1
ac717f1fd99cc629febc1c8adbe678d953ec7ec4

SHA256
8bcff38d0304e0e40018be7ca044157c66807fdef899986c4b1474387274fff5

SHA512
15d7679ca929d88c1d2efcdeaef48a03b6fe80e10ce1ff7125a4034f1b683a841ca3235d404a0c200aab8e7b7f6750e4a60bf10c088e0f764f6312acf0e7f241

Download Submit
C:\blockportPerf\8NgAaSzS.bat

Filesize
33B

MD5
129edcab253879180520a89894a75a65

SHA1
0757b18d5ac0e84303aefbf6873fee3f986008af

SHA256
589907f4666f0ef1c2be88ce6ecf69ba91aa109d9e7f02563e3f8d49e5b38c7a

SHA512
87417310af71b5bac41f744c438c89a14add86ad2dbcc92af1c56ebc77c1b427b78bce9fd5bbe3a7149d39b4a551cd2c7f3027841684cb41f120c98a756cc3cf

Download Submit
C:\blockportPerf\msHyperwin.exe

Filesize
828KB

MD5
eb50118d9bc9039a4621a53c99f7cba6

SHA1
60e0072e6d2da16d798115051c78b39d0b612da4

SHA256
0bf3dd8cbac480d92c5a0dc3e57d4fc3dcc39e728a35706d6c01ef5b6d194bfa

SHA512
d40f27a12cb4c3ca3beca7cbf4b51e178ab779841494fb755e0d609656fbd0782fc41313ec6956dcfc754a0ee7b43456f7b95a334372020081be868d82f0a552

Download Submit
C:\blockportPerf\xzo2bGgmPslNl7slz3g.vbe

Filesize
198B

MD5
be713fe492452bddabb6fb4bde0296f5

SHA1
b28b6b2c6efe00e6c81dd684248d4113e982308c

SHA256
d5242705fd1f4f9f43d7e27c99a099053e5c17179ad5be934c8b4d8962990b68

SHA512
25af67b34aca8ee054727f1715ae00a6a3c5fc0dcdee98baf283463e3ecc016548688e36f7e277671487bdc64c63773c5e9695935b18e127081d8cdd45298344

Download Submit
memory/3124-13-0x0000000000B70000-0x0000000000C46000-memory.dmp

Filesize
856KB

Download
memory/3124-12-0x00007FFDD2B13000-0x00007FFDD2B15000-memory.dmp

Filesize
8KB

Download