dcrat | fa1bcbf0a0366ba429f57f5a6867522ca6596f6079448d64accc631b825c7f97

Analysis

max time kernel
148s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
31-10-2022 22:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fa1bcbf0a0366ba429f57f5a6867522ca6596f6079448d64accc631b825c7f97.exe
Size

1.3MB
MD5

775dd71aaa703e4529a6c7942997f675
SHA1

c93470d385b911c919034cf881bdde1fe3550362
SHA256

fa1bcbf0a0366ba429f57f5a6867522ca6596f6079448d64accc631b825c7f97
SHA512

d9df56ebda0634c962fd2efd6678f9cec643677ee3521acdecfa87436293b0137fd97c1fe14f849f36e7d1f7426a5f2353d264897606b91bbdd427de8ac90b4a
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1096	2164	schtasks.exe	20
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1068	2164	schtasks.exe	20
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4184	2164	schtasks.exe	20
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4948	2164	schtasks.exe	20
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4936	2164	schtasks.exe	20
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3532	2164	schtasks.exe	20
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4068	2164	schtasks.exe	20
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4632	2164	schtasks.exe	20
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3396	2164	schtasks.exe	20
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4692	2164	schtasks.exe	20
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4328	2164	schtasks.exe	20
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3696	2164	schtasks.exe	20
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	2164	schtasks.exe	20
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2164	schtasks.exe	20
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1348	2164	schtasks.exe	20
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	2164	schtasks.exe	20
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3308	2164	schtasks.exe	20
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4648	2164	schtasks.exe	20

DCRat payload 15 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0001000000022e00-137.dat	dcrat
behavioral1/files/0x0001000000022e00-138.dat	dcrat
behavioral1/memory/528-139-0x0000000000E60000-0x0000000000F70000-memory.dmp	dcrat
behavioral1/files/0x0001000000022e0a-149.dat	dcrat
behavioral1/files/0x0001000000022e0a-150.dat	dcrat
behavioral1/files/0x0001000000022e0a-180.dat	dcrat
behavioral1/files/0x0001000000022e0a-188.dat	dcrat
behavioral1/files/0x0001000000022e0a-195.dat	dcrat
behavioral1/files/0x0001000000022e0a-202.dat	dcrat
behavioral1/files/0x0001000000022e0a-209.dat	dcrat
behavioral1/files/0x0001000000022e0a-216.dat	dcrat
behavioral1/files/0x0001000000022e0a-223.dat	dcrat
behavioral1/files/0x0001000000022e0a-230.dat	dcrat
behavioral1/files/0x0001000000022e0a-237.dat	dcrat
behavioral1/files/0x0001000000022e0a-244.dat	dcrat

Executes dropped EXE 12 IoCs

pid	Process
528	DllCommonsvc.exe
2100	dllhost.exe
4320	dllhost.exe
5024	dllhost.exe
692	dllhost.exe
1496	dllhost.exe
2436	dllhost.exe
3808	dllhost.exe
3748	dllhost.exe
4528	dllhost.exe
4328	dllhost.exe
1652	dllhost.exe

Checks computer location settings 2 TTPs 13 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	fa1bcbf0a0366ba429f57f5a6867522ca6596f6079448d64accc631b825c7f97.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	dllhost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.167.21\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\images\conhost.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\images\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\images\088424020bedd6	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\sihost.exe	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\66fc9ff0ee96c2	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.167.21\Idle.exe	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\5940a34987c991	DllCommonsvc.exe
File created	C:\Windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\dllhost.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4184	schtasks.exe
4328	schtasks.exe
1348	schtasks.exe
1096	schtasks.exe
1068	schtasks.exe
4936	schtasks.exe
3396	schtasks.exe
2152	schtasks.exe
2716	schtasks.exe
4648	schtasks.exe
4948	schtasks.exe
3532	schtasks.exe
4068	schtasks.exe
4632	schtasks.exe
4692	schtasks.exe
2624	schtasks.exe
3696	schtasks.exe
3308	schtasks.exe

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	fa1bcbf0a0366ba429f57f5a6867522ca6596f6079448d64accc631b825c7f97.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	dllhost.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
528	DllCommonsvc.exe
528	DllCommonsvc.exe
528	DllCommonsvc.exe
528	DllCommonsvc.exe
528	DllCommonsvc.exe
528	DllCommonsvc.exe
528	DllCommonsvc.exe
2452	powershell.exe
2452	powershell.exe
4608	powershell.exe
4608	powershell.exe
1708	powershell.exe
1708	powershell.exe
4716	powershell.exe
4716	powershell.exe
1972	powershell.exe
1972	powershell.exe
972	powershell.exe
972	powershell.exe
2732	powershell.exe
2732	powershell.exe
2100	dllhost.exe
2100	dllhost.exe
4608	powershell.exe
2452	powershell.exe
1708	powershell.exe
4716	powershell.exe
2732	powershell.exe
1972	powershell.exe
972	powershell.exe
4320	dllhost.exe
5024	dllhost.exe
692	dllhost.exe
1496	dllhost.exe
2436	dllhost.exe
3808	dllhost.exe
3748	dllhost.exe
4528	dllhost.exe
4328	dllhost.exe
1652	dllhost.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	528	DllCommonsvc.exe
Token: SeDebugPrivilege	2452	powershell.exe
Token: SeDebugPrivilege	4608	powershell.exe
Token: SeDebugPrivilege	1708	powershell.exe
Token: SeDebugPrivilege	4716	powershell.exe
Token: SeDebugPrivilege	1972	powershell.exe
Token: SeDebugPrivilege	972	powershell.exe
Token: SeDebugPrivilege	2732	powershell.exe
Token: SeDebugPrivilege	2100	dllhost.exe
Token: SeDebugPrivilege	4320	dllhost.exe
Token: SeDebugPrivilege	5024	dllhost.exe
Token: SeDebugPrivilege	692	dllhost.exe
Token: SeDebugPrivilege	1496	dllhost.exe
Token: SeDebugPrivilege	2436	dllhost.exe
Token: SeDebugPrivilege	3808	dllhost.exe
Token: SeDebugPrivilege	3748	dllhost.exe
Token: SeDebugPrivilege	4528	dllhost.exe
Token: SeDebugPrivilege	4328	dllhost.exe
Token: SeDebugPrivilege	1652	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1780 wrote to memory of 2972	1780	fa1bcbf0a0366ba429f57f5a6867522ca6596f6079448d64accc631b825c7f97.exe	82
PID 1780 wrote to memory of 2972	1780	fa1bcbf0a0366ba429f57f5a6867522ca6596f6079448d64accc631b825c7f97.exe	82
PID 1780 wrote to memory of 2972	1780	fa1bcbf0a0366ba429f57f5a6867522ca6596f6079448d64accc631b825c7f97.exe	82
PID 2972 wrote to memory of 3640	2972	WScript.exe	86
PID 2972 wrote to memory of 3640	2972	WScript.exe	86
PID 2972 wrote to memory of 3640	2972	WScript.exe	86
PID 3640 wrote to memory of 528	3640	cmd.exe	88
PID 3640 wrote to memory of 528	3640	cmd.exe	88
PID 528 wrote to memory of 2452	528	DllCommonsvc.exe	108
PID 528 wrote to memory of 2452	528	DllCommonsvc.exe	108
PID 528 wrote to memory of 1972	528	DllCommonsvc.exe	120
PID 528 wrote to memory of 1972	528	DllCommonsvc.exe	120
PID 528 wrote to memory of 1708	528	DllCommonsvc.exe	115
PID 528 wrote to memory of 1708	528	DllCommonsvc.exe	115
PID 528 wrote to memory of 4608	528	DllCommonsvc.exe	111
PID 528 wrote to memory of 4608	528	DllCommonsvc.exe	111
PID 528 wrote to memory of 4716	528	DllCommonsvc.exe	112
PID 528 wrote to memory of 4716	528	DllCommonsvc.exe	112
PID 528 wrote to memory of 972	528	DllCommonsvc.exe	116
PID 528 wrote to memory of 972	528	DllCommonsvc.exe	116
PID 528 wrote to memory of 2732	528	DllCommonsvc.exe	117
PID 528 wrote to memory of 2732	528	DllCommonsvc.exe	117
PID 528 wrote to memory of 2100	528	DllCommonsvc.exe	122
PID 528 wrote to memory of 2100	528	DllCommonsvc.exe	122
PID 2100 wrote to memory of 1068	2100	dllhost.exe	125
PID 2100 wrote to memory of 1068	2100	dllhost.exe	125
PID 1068 wrote to memory of 4952	1068	cmd.exe	126
PID 1068 wrote to memory of 4952	1068	cmd.exe	126
PID 1068 wrote to memory of 4320	1068	cmd.exe	128
PID 1068 wrote to memory of 4320	1068	cmd.exe	128
PID 4320 wrote to memory of 4456	4320	dllhost.exe	130
PID 4320 wrote to memory of 4456	4320	dllhost.exe	130
PID 4456 wrote to memory of 4360	4456	cmd.exe	132
PID 4456 wrote to memory of 4360	4456	cmd.exe	132
PID 4456 wrote to memory of 5024	4456	cmd.exe	133
PID 4456 wrote to memory of 5024	4456	cmd.exe	133
PID 5024 wrote to memory of 4352	5024	dllhost.exe	134
PID 5024 wrote to memory of 4352	5024	dllhost.exe	134
PID 4352 wrote to memory of 916	4352	cmd.exe	136
PID 4352 wrote to memory of 916	4352	cmd.exe	136
PID 4352 wrote to memory of 692	4352	cmd.exe	137
PID 4352 wrote to memory of 692	4352	cmd.exe	137
PID 692 wrote to memory of 60	692	dllhost.exe	138
PID 692 wrote to memory of 60	692	dllhost.exe	138
PID 60 wrote to memory of 1708	60	cmd.exe	140
PID 60 wrote to memory of 1708	60	cmd.exe	140
PID 60 wrote to memory of 1496	60	cmd.exe	141
PID 60 wrote to memory of 1496	60	cmd.exe	141
PID 1496 wrote to memory of 4392	1496	dllhost.exe	142
PID 1496 wrote to memory of 4392	1496	dllhost.exe	142
PID 4392 wrote to memory of 1216	4392	cmd.exe	144
PID 4392 wrote to memory of 1216	4392	cmd.exe	144
PID 4392 wrote to memory of 2436	4392	cmd.exe	145
PID 4392 wrote to memory of 2436	4392	cmd.exe	145
PID 2436 wrote to memory of 4280	2436	dllhost.exe	146
PID 2436 wrote to memory of 4280	2436	dllhost.exe	146
PID 4280 wrote to memory of 1152	4280	cmd.exe	148
PID 4280 wrote to memory of 1152	4280	cmd.exe	148
PID 4280 wrote to memory of 3808	4280	cmd.exe	149
PID 4280 wrote to memory of 3808	4280	cmd.exe	149
PID 3808 wrote to memory of 3188	3808	dllhost.exe	150
PID 3808 wrote to memory of 3188	3808	dllhost.exe	150
PID 3188 wrote to memory of 3156	3188	cmd.exe	152
PID 3188 wrote to memory of 3156	3188	cmd.exe	152

C:\Users\Admin\AppData\Local\Temp\fa1bcbf0a0366ba429f57f5a6867522ca6596f6079448d64accc631b825c7f97.exe
"C:\Users\Admin\AppData\Local\Temp\fa1bcbf0a0366ba429f57f5a6867522ca6596f6079448d64accc631b825c7f97.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1780
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3640
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:528
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2452
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\dllhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4608
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office 15\ClientX64\sihost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4716
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sihost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1708
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\SoftwareDistribution\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:972
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.167.21\Idle.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2732
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\images\conhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1972
    - - C:\Windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\dllhost.exe
        
        "C:\Windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\dllhost.exe"
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2100
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kwOVarqRTQ.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1068
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:4952
        
        C:\Windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\dllhost.exe
        
        "C:\Windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\dllhost.exe"
        7⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4320
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1e6qhBZ49x.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4456
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:4360
        
        C:\Windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\dllhost.exe
        
        "C:\Windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\dllhost.exe"
        9⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5024
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pnRbx2xD7z.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:4352
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:916
        
        C:\Windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\dllhost.exe
        
        "C:\Windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\dllhost.exe"
        11⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:692
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GW80Ek08hx.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:60
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1708
        
        C:\Windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\dllhost.exe
        
        "C:\Windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\dllhost.exe"
        13⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1496
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\X5jGqiFaSS.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:4392
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1216
        
        C:\Windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\dllhost.exe
        
        "C:\Windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\dllhost.exe"
        15⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2436
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1e6qhBZ49x.bat"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:4280
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1152
        
        C:\Windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\dllhost.exe
        
        "C:\Windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\dllhost.exe"
        17⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3808
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\i0MStmnXAe.bat"
        18⤵
        Suspicious use of WriteProcessMemory
        
        PID:3188
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:3156
        
        C:\Windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\dllhost.exe
        
        "C:\Windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\dllhost.exe"
        19⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3748
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SNnEytbzjv.bat"
        20⤵
        
        PID:4564
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2232
        
        C:\Windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\dllhost.exe
        
        "C:\Windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\dllhost.exe"
        21⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4528
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\i0MStmnXAe.bat"
        22⤵
        
        PID:4540
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:4820
        
        C:\Windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\dllhost.exe
        
        "C:\Windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\dllhost.exe"
        23⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4328
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1e6qhBZ49x.bat"
        24⤵
        
        PID:3656
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:952
        
        C:\Windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\dllhost.exe
        
        "C:\Windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\dllhost.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Internet Explorer\images\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\images\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Internet Explorer\images\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\SoftwareDistribution\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\All Users\SoftwareDistribution\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\SoftwareDistribution\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.167.21\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.167.21\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.167.21\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4648

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dllhost.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1e6qhBZ49x.bat

Filesize
240B

MD5
c40f8b47a3ef91abfea71dbc815afb83

SHA1
f62bbc2d9b1cacf8423f98e032391e5e2f2221f5

SHA256
e48c66a248b293b074e1dbc271c743128163181f2f15852f78a4a1545018d842

SHA512
89a77ada3ded8f2b0305d9585d14cba81b87e5b4798508ad43beb7a24feaf7396981fe2ad12aeff721042da60e423073e804e3478111a24a27891fecbcb5af92

Download Submit
C:\Users\Admin\AppData\Local\Temp\1e6qhBZ49x.bat

Filesize
240B

MD5
c40f8b47a3ef91abfea71dbc815afb83

SHA1
f62bbc2d9b1cacf8423f98e032391e5e2f2221f5

SHA256
e48c66a248b293b074e1dbc271c743128163181f2f15852f78a4a1545018d842

SHA512
89a77ada3ded8f2b0305d9585d14cba81b87e5b4798508ad43beb7a24feaf7396981fe2ad12aeff721042da60e423073e804e3478111a24a27891fecbcb5af92

Download Submit
C:\Users\Admin\AppData\Local\Temp\1e6qhBZ49x.bat

Filesize
240B

MD5
c40f8b47a3ef91abfea71dbc815afb83

SHA1
f62bbc2d9b1cacf8423f98e032391e5e2f2221f5

SHA256
e48c66a248b293b074e1dbc271c743128163181f2f15852f78a4a1545018d842

SHA512
89a77ada3ded8f2b0305d9585d14cba81b87e5b4798508ad43beb7a24feaf7396981fe2ad12aeff721042da60e423073e804e3478111a24a27891fecbcb5af92

Download Submit
C:\Users\Admin\AppData\Local\Temp\GW80Ek08hx.bat

Filesize
240B

MD5
a643624e78e6a6ffc42cc7cdb60deaa8

SHA1
3cdc3c245b97788e35c2f323d8dfca4624f4492f

SHA256
807eef5b3ebb17ada748f568ddc6c989c209b26736d1c3308ff003b8d801e353

SHA512
2df41d637e8d0f46237fe70ccad803bce6dafea89e60bc5bdcfe52fac45253cb8943b63a2e6d5f1b0a57577fa876c5873e0e5a01bbddc4d0ef66df86ab55013a

Download Submit
C:\Users\Admin\AppData\Local\Temp\SNnEytbzjv.bat

Filesize
240B

MD5
b78190e10cb608bbd5195fa2f7ab7cb8

SHA1
815677e8c22a43cfd8d0d70e7b90b9148e7e54a7

SHA256
f19eeb180f18d461738c0de5de8fe4fdaa1ca9997c92bf24f438aa554ac1bc7f

SHA512
28fe41a94fc99d3672ae31c36e7054b8bc30508931dc98727cd998d210e7458e0e5d279bd254ba97f1553e55861bd8a332318c004bbb6ea59404fc81c3d0d9bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\X5jGqiFaSS.bat

Filesize
240B

MD5
8ffcda1202529bbee2784579017b0360

SHA1
636519f6a2e4a07a629b5199e8ac4a45dfc92fdf

SHA256
e9144f04f1438ab7ebc9f5713f0ba77c703c290c6aaafac6968995f362909e41

SHA512
a8472a189ee94fb6ab1be7981986619031107351f168446d0a92fb8b01c03d329d9e27bf0b5ffc490f2f2b9a9a7ede1f3641b52cd1fe8dc99c85f0ab43743ec4

Download Submit
C:\Users\Admin\AppData\Local\Temp\i0MStmnXAe.bat

Filesize
240B

MD5
21ccf81df577f371c6b6281fcb3dc659

SHA1
d2b5ac49a554bda0ad7b11d6d59026e41b3c9f6f

SHA256
c97decded2ebbe2303afd8e82ad7a0b74c3cfde62673b987ef62e9c6e4bbf6f2

SHA512
85f1a50cab24c3654178932f8812e2c00098cdeefeee1702ac61f279070113fc8044bbfedaccc87c4e9021859510aaf577fe43ad1bdc7e32abaf44ac2408ddf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\i0MStmnXAe.bat

Filesize
240B

MD5
21ccf81df577f371c6b6281fcb3dc659

SHA1
d2b5ac49a554bda0ad7b11d6d59026e41b3c9f6f

SHA256
c97decded2ebbe2303afd8e82ad7a0b74c3cfde62673b987ef62e9c6e4bbf6f2

SHA512
85f1a50cab24c3654178932f8812e2c00098cdeefeee1702ac61f279070113fc8044bbfedaccc87c4e9021859510aaf577fe43ad1bdc7e32abaf44ac2408ddf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\kwOVarqRTQ.bat

Filesize
240B

MD5
570db7b6298be6e09fb00e2b13e6122d

SHA1
68435ff1340c291d2f9579ce1ad1280ae1187856

SHA256
0fd09b938e905f73e1b305381439c8a2a6d71f26b8f37e752ada395b300db453

SHA512
5cce47810a561101ac05bae7fe9938d437ed8916c335debcd01418fdf178934f6c01c74dd8fb4641ce9e65c73364ded926bcd4bdbba63682db3eced0ba173637

Download Submit
C:\Users\Admin\AppData\Local\Temp\pnRbx2xD7z.bat

Filesize
240B

MD5
78d17bdf26e22e9582a81a0ad0da8767

SHA1
5a2bc9242bdfd990d5cfe4738eda6dbb5441615f

SHA256
fd5a51f46dc095ce770d91e7a5f9481e7452be9f745cfbaa56c23a2eab0f02ff

SHA512
09be5e7d9a00d062df1353a0577503a84993d6aff96a0495e24fd84b737ff36a38a921ad669603c6a0d1e1b11e74e4bd2a0d2025a2deb568a493e90e26854952

Download Submit
C:\Windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\dllhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\dllhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\dllhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\dllhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\dllhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\dllhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\dllhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\dllhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\dllhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\dllhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\dllhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\dllhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/60-197-0x0000000000000000-mapping.dmp

Download
memory/528-139-0x0000000000E60000-0x0000000000F70000-memory.dmp

Filesize
1.1MB

Download
memory/528-140-0x00007FFC52A60000-0x00007FFC53521000-memory.dmp

Filesize
10.8MB

Download
memory/528-152-0x00007FFC52A60000-0x00007FFC53521000-memory.dmp

Filesize
10.8MB

Download
memory/528-136-0x0000000000000000-mapping.dmp

Download
memory/692-194-0x0000000000000000-mapping.dmp

Download
memory/692-196-0x00007FFC52A60000-0x00007FFC53521000-memory.dmp

Filesize
10.8MB

Download
memory/692-200-0x00007FFC52A60000-0x00007FFC53521000-memory.dmp

Filesize
10.8MB

Download
memory/916-192-0x0000000000000000-mapping.dmp

Download
memory/952-241-0x0000000000000000-mapping.dmp

Download
memory/972-158-0x00007FFC52A60000-0x00007FFC53521000-memory.dmp

Filesize
10.8MB

Download
memory/972-174-0x00007FFC52A60000-0x00007FFC53521000-memory.dmp

Filesize
10.8MB

Download
memory/972-146-0x0000000000000000-mapping.dmp

Download
memory/1068-175-0x0000000000000000-mapping.dmp

Download
memory/1152-213-0x0000000000000000-mapping.dmp

Download
memory/1216-206-0x0000000000000000-mapping.dmp

Download
memory/1496-203-0x00007FFC52A60000-0x00007FFC53521000-memory.dmp

Filesize
10.8MB

Download
memory/1496-207-0x00007FFC52A60000-0x00007FFC53521000-memory.dmp

Filesize
10.8MB

Download
memory/1496-201-0x0000000000000000-mapping.dmp

Download
memory/1652-245-0x00007FFC52A60000-0x00007FFC53521000-memory.dmp

Filesize
10.8MB

Download
memory/1652-243-0x0000000000000000-mapping.dmp

Download
memory/1708-156-0x00007FFC52A60000-0x00007FFC53521000-memory.dmp

Filesize
10.8MB

Download
memory/1708-199-0x0000000000000000-mapping.dmp

Download
memory/1708-143-0x0000000000000000-mapping.dmp

Download
memory/1708-165-0x00007FFC52A60000-0x00007FFC53521000-memory.dmp

Filesize
10.8MB

Download
memory/1972-154-0x00007FFC52A60000-0x00007FFC53521000-memory.dmp

Filesize
10.8MB

Download
memory/1972-142-0x0000000000000000-mapping.dmp

Download
memory/1972-172-0x00007FFC52A60000-0x00007FFC53521000-memory.dmp

Filesize
10.8MB

Download
memory/2100-148-0x0000000000000000-mapping.dmp

Download
memory/2100-160-0x00007FFC52A60000-0x00007FFC53521000-memory.dmp

Filesize
10.8MB

Download
memory/2100-178-0x00007FFC52A60000-0x00007FFC53521000-memory.dmp

Filesize
10.8MB

Download
memory/2232-227-0x0000000000000000-mapping.dmp

Download
memory/2436-208-0x0000000000000000-mapping.dmp

Download
memory/2436-214-0x00007FFC52A60000-0x00007FFC53521000-memory.dmp

Filesize
10.8MB

Download
memory/2436-210-0x00007FFC52A60000-0x00007FFC53521000-memory.dmp

Filesize
10.8MB

Download
memory/2452-167-0x00007FFC52A60000-0x00007FFC53521000-memory.dmp

Filesize
10.8MB

Download
memory/2452-153-0x00007FFC52A60000-0x00007FFC53521000-memory.dmp

Filesize
10.8MB

Download
memory/2452-151-0x000002B5CCE80000-0x000002B5CCEA2000-memory.dmp

Filesize
136KB

Download
memory/2452-141-0x0000000000000000-mapping.dmp

Download
memory/2732-147-0x0000000000000000-mapping.dmp

Download
memory/2732-171-0x00007FFC52A60000-0x00007FFC53521000-memory.dmp

Filesize
10.8MB

Download
memory/2732-159-0x00007FFC52A60000-0x00007FFC53521000-memory.dmp

Filesize
10.8MB

Download
memory/2972-132-0x0000000000000000-mapping.dmp

Download
memory/3156-220-0x0000000000000000-mapping.dmp

Download
memory/3188-218-0x0000000000000000-mapping.dmp

Download
memory/3640-135-0x0000000000000000-mapping.dmp

Download
memory/3656-239-0x0000000000000000-mapping.dmp

Download
memory/3748-228-0x00007FFC52A60000-0x00007FFC53521000-memory.dmp

Filesize
10.8MB

Download
memory/3748-224-0x00007FFC52A60000-0x00007FFC53521000-memory.dmp

Filesize
10.8MB

Download
memory/3748-222-0x0000000000000000-mapping.dmp

Download
memory/3808-215-0x0000000000000000-mapping.dmp

Download
memory/3808-221-0x00007FFC52A60000-0x00007FFC53521000-memory.dmp

Filesize
10.8MB

Download
memory/3808-217-0x00007FFC52A60000-0x00007FFC53521000-memory.dmp

Filesize
10.8MB

Download
memory/4280-211-0x0000000000000000-mapping.dmp

Download
memory/4320-182-0x00007FFC52A60000-0x00007FFC53521000-memory.dmp

Filesize
10.8MB

Download
memory/4320-186-0x00007FFC52A60000-0x00007FFC53521000-memory.dmp

Filesize
10.8MB

Download
memory/4320-179-0x0000000000000000-mapping.dmp

Download
memory/4328-238-0x00007FFC52A60000-0x00007FFC53521000-memory.dmp

Filesize
10.8MB

Download
memory/4328-236-0x0000000000000000-mapping.dmp

Download
memory/4328-242-0x00007FFC52A60000-0x00007FFC53521000-memory.dmp

Filesize
10.8MB

Download
memory/4352-190-0x0000000000000000-mapping.dmp

Download
memory/4360-185-0x0000000000000000-mapping.dmp

Download
memory/4392-204-0x0000000000000000-mapping.dmp

Download
memory/4456-183-0x0000000000000000-mapping.dmp

Download
memory/4528-231-0x00007FFC52A60000-0x00007FFC53521000-memory.dmp

Filesize
10.8MB

Download
memory/4528-229-0x0000000000000000-mapping.dmp

Download
memory/4528-235-0x00007FFC52A60000-0x00007FFC53521000-memory.dmp

Filesize
10.8MB

Download
memory/4540-232-0x0000000000000000-mapping.dmp

Download
memory/4564-225-0x0000000000000000-mapping.dmp

Download
memory/4608-144-0x0000000000000000-mapping.dmp

Download
memory/4608-155-0x00007FFC52A60000-0x00007FFC53521000-memory.dmp

Filesize
10.8MB

Download
memory/4608-166-0x00007FFC52A60000-0x00007FFC53521000-memory.dmp

Filesize
10.8MB

Download
memory/4716-157-0x00007FFC52A60000-0x00007FFC53521000-memory.dmp

Filesize
10.8MB

Download
memory/4716-145-0x0000000000000000-mapping.dmp

Download
memory/4716-168-0x00007FFC52A60000-0x00007FFC53521000-memory.dmp

Filesize
10.8MB

Download
memory/4820-234-0x0000000000000000-mapping.dmp

Download
memory/4952-177-0x0000000000000000-mapping.dmp

Download
memory/5024-193-0x00007FFC52A60000-0x00007FFC53521000-memory.dmp

Filesize
10.8MB

Download
memory/5024-189-0x00007FFC52A60000-0x00007FFC53521000-memory.dmp

Filesize
10.8MB

Download
memory/5024-187-0x0000000000000000-mapping.dmp

Download