dcrat | 6ce171c70c52d08b43b7f6bd0847c4fe29147d2eb7e88d642993d1bd5ff349b9

Analysis

max time kernel
143s
max time network
142s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
31/10/2022, 19:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6ce171c70c52d08b43b7f6bd0847c4fe29147d2eb7e88d642993d1bd5ff349b9.exe
Size

1.3MB
MD5

69317a2bd7d7f4a302929667f95e69f8
SHA1

d86e2df29bedf0690e741ff3460289618272bd32
SHA256

6ce171c70c52d08b43b7f6bd0847c4fe29147d2eb7e88d642993d1bd5ff349b9
SHA512

fcb8f90c18cb1b4e496e6091d7ddfe97a6326f2e7a1519719305f58d276759c34d31842c37d56e7959f7ccb25ee12163cc8f7e962685cc641eccd16aad4fc697
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4752	3348	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4236	3348	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4260	3348	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3408	3348	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5108	3348	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3344	3348	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4308	3348	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4016	3348	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4012	3348	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3536	3348	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4820	3348	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4836	3348	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3092	3348	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4800	3348	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4840	3348	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4720	3348	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4872	3348	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4672	3348	schtasks.exe	70

DCRat payload 16 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000900000001ac17-284.dat	dcrat
behavioral1/files/0x000900000001ac17-285.dat	dcrat
behavioral1/memory/4976-286-0x00000000005B0000-0x00000000006C0000-memory.dmp	dcrat
behavioral1/files/0x000600000001ac22-514.dat	dcrat
behavioral1/files/0x000600000001ac22-515.dat	dcrat
behavioral1/files/0x000600000001ac22-550.dat	dcrat
behavioral1/files/0x000600000001ac22-557.dat	dcrat
behavioral1/files/0x000600000001ac22-562.dat	dcrat
behavioral1/files/0x000600000001ac22-567.dat	dcrat
behavioral1/files/0x000600000001ac22-572.dat	dcrat
behavioral1/files/0x000600000001ac22-577.dat	dcrat
behavioral1/files/0x000600000001ac22-583.dat	dcrat
behavioral1/files/0x000600000001ac22-588.dat	dcrat
behavioral1/files/0x000600000001ac22-594.dat	dcrat
behavioral1/files/0x000600000001ac22-599.dat	dcrat
behavioral1/files/0x000600000001ac22-604.dat	dcrat

Executes dropped EXE 13 IoCs

pid	Process
4976	DllCommonsvc.exe
2188	dllhost.exe
5056	dllhost.exe
4144	dllhost.exe
3180	dllhost.exe
4868	dllhost.exe
2708	dllhost.exe
1284	dllhost.exe
3864	dllhost.exe
4748	dllhost.exe
2200	dllhost.exe
1404	dllhost.exe
4560	dllhost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\ServiceProfiles\NetworkService\Videos\dllhost.exe	DllCommonsvc.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\Videos\dllhost.exe	DllCommonsvc.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Videos\5940a34987c991	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4308	schtasks.exe
3536	schtasks.exe
4836	schtasks.exe
4672	schtasks.exe
4260	schtasks.exe
5108	schtasks.exe
4236	schtasks.exe
3092	schtasks.exe
4840	schtasks.exe
4016	schtasks.exe
3408	schtasks.exe
3344	schtasks.exe
4012	schtasks.exe
4820	schtasks.exe
4800	schtasks.exe
4720	schtasks.exe
4872	schtasks.exe
4752	schtasks.exe

Modifies registry class 13 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	6ce171c70c52d08b43b7f6bd0847c4fe29147d2eb7e88d642993d1bd5ff349b9.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	dllhost.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
4976	DllCommonsvc.exe
4976	DllCommonsvc.exe
4976	DllCommonsvc.exe
4976	DllCommonsvc.exe
4976	DllCommonsvc.exe
4976	DllCommonsvc.exe
4976	DllCommonsvc.exe
4976	DllCommonsvc.exe
4976	DllCommonsvc.exe
4976	DllCommonsvc.exe
4976	DllCommonsvc.exe
380	powershell.exe
4768	powershell.exe
4664	powershell.exe
4456	powershell.exe
380	powershell.exe
512	powershell.exe
4664	powershell.exe
1012	powershell.exe
4420	powershell.exe
512	powershell.exe
380	powershell.exe
4664	powershell.exe
4420	powershell.exe
4768	powershell.exe
1012	powershell.exe
4456	powershell.exe
512	powershell.exe
4768	powershell.exe
4420	powershell.exe
1012	powershell.exe
4456	powershell.exe
2188	dllhost.exe
5056	dllhost.exe
4144	dllhost.exe
3180	dllhost.exe
4868	dllhost.exe
2708	dllhost.exe
1284	dllhost.exe
3864	dllhost.exe
4748	dllhost.exe
2200	dllhost.exe
1404	dllhost.exe
4560	dllhost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4976	DllCommonsvc.exe
Token: SeDebugPrivilege	380	powershell.exe
Token: SeDebugPrivilege	4768	powershell.exe
Token: SeDebugPrivilege	4664	powershell.exe
Token: SeDebugPrivilege	4420	powershell.exe
Token: SeDebugPrivilege	4456	powershell.exe
Token: SeDebugPrivilege	512	powershell.exe
Token: SeDebugPrivilege	1012	powershell.exe
Token: SeIncreaseQuotaPrivilege	380	powershell.exe
Token: SeSecurityPrivilege	380	powershell.exe
Token: SeTakeOwnershipPrivilege	380	powershell.exe
Token: SeLoadDriverPrivilege	380	powershell.exe
Token: SeSystemProfilePrivilege	380	powershell.exe
Token: SeSystemtimePrivilege	380	powershell.exe
Token: SeProfSingleProcessPrivilege	380	powershell.exe
Token: SeIncBasePriorityPrivilege	380	powershell.exe
Token: SeCreatePagefilePrivilege	380	powershell.exe
Token: SeBackupPrivilege	380	powershell.exe
Token: SeRestorePrivilege	380	powershell.exe
Token: SeShutdownPrivilege	380	powershell.exe
Token: SeDebugPrivilege	380	powershell.exe
Token: SeSystemEnvironmentPrivilege	380	powershell.exe
Token: SeRemoteShutdownPrivilege	380	powershell.exe
Token: SeUndockPrivilege	380	powershell.exe
Token: SeManageVolumePrivilege	380	powershell.exe
Token: 33	380	powershell.exe
Token: 34	380	powershell.exe
Token: 35	380	powershell.exe
Token: 36	380	powershell.exe
Token: SeIncreaseQuotaPrivilege	4664	powershell.exe
Token: SeSecurityPrivilege	4664	powershell.exe
Token: SeTakeOwnershipPrivilege	4664	powershell.exe
Token: SeLoadDriverPrivilege	4664	powershell.exe
Token: SeSystemProfilePrivilege	4664	powershell.exe
Token: SeSystemtimePrivilege	4664	powershell.exe
Token: SeProfSingleProcessPrivilege	4664	powershell.exe
Token: SeIncBasePriorityPrivilege	4664	powershell.exe
Token: SeCreatePagefilePrivilege	4664	powershell.exe
Token: SeBackupPrivilege	4664	powershell.exe
Token: SeRestorePrivilege	4664	powershell.exe
Token: SeShutdownPrivilege	4664	powershell.exe
Token: SeDebugPrivilege	4664	powershell.exe
Token: SeSystemEnvironmentPrivilege	4664	powershell.exe
Token: SeRemoteShutdownPrivilege	4664	powershell.exe
Token: SeUndockPrivilege	4664	powershell.exe
Token: SeManageVolumePrivilege	4664	powershell.exe
Token: 33	4664	powershell.exe
Token: 34	4664	powershell.exe
Token: 35	4664	powershell.exe
Token: 36	4664	powershell.exe
Token: SeIncreaseQuotaPrivilege	512	powershell.exe
Token: SeSecurityPrivilege	512	powershell.exe
Token: SeTakeOwnershipPrivilege	512	powershell.exe
Token: SeLoadDriverPrivilege	512	powershell.exe
Token: SeSystemProfilePrivilege	512	powershell.exe
Token: SeSystemtimePrivilege	512	powershell.exe
Token: SeProfSingleProcessPrivilege	512	powershell.exe
Token: SeIncBasePriorityPrivilege	512	powershell.exe
Token: SeCreatePagefilePrivilege	512	powershell.exe
Token: SeBackupPrivilege	512	powershell.exe
Token: SeRestorePrivilege	512	powershell.exe
Token: SeShutdownPrivilege	512	powershell.exe
Token: SeDebugPrivilege	512	powershell.exe
Token: SeSystemEnvironmentPrivilege	512	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 3532	2184	6ce171c70c52d08b43b7f6bd0847c4fe29147d2eb7e88d642993d1bd5ff349b9.exe	66
PID 2184 wrote to memory of 3532	2184	6ce171c70c52d08b43b7f6bd0847c4fe29147d2eb7e88d642993d1bd5ff349b9.exe	66
PID 2184 wrote to memory of 3532	2184	6ce171c70c52d08b43b7f6bd0847c4fe29147d2eb7e88d642993d1bd5ff349b9.exe	66
PID 3532 wrote to memory of 4608	3532	WScript.exe	67
PID 3532 wrote to memory of 4608	3532	WScript.exe	67
PID 3532 wrote to memory of 4608	3532	WScript.exe	67
PID 4608 wrote to memory of 4976	4608	cmd.exe	69
PID 4608 wrote to memory of 4976	4608	cmd.exe	69
PID 4976 wrote to memory of 4768	4976	DllCommonsvc.exe	89
PID 4976 wrote to memory of 4768	4976	DllCommonsvc.exe	89
PID 4976 wrote to memory of 4664	4976	DllCommonsvc.exe	92
PID 4976 wrote to memory of 4664	4976	DllCommonsvc.exe	92
PID 4976 wrote to memory of 380	4976	DllCommonsvc.exe	90
PID 4976 wrote to memory of 380	4976	DllCommonsvc.exe	90
PID 4976 wrote to memory of 4456	4976	DllCommonsvc.exe	97
PID 4976 wrote to memory of 4456	4976	DllCommonsvc.exe	97
PID 4976 wrote to memory of 4420	4976	DllCommonsvc.exe	96
PID 4976 wrote to memory of 4420	4976	DllCommonsvc.exe	96
PID 4976 wrote to memory of 512	4976	DllCommonsvc.exe	94
PID 4976 wrote to memory of 512	4976	DllCommonsvc.exe	94
PID 4976 wrote to memory of 1012	4976	DllCommonsvc.exe	99
PID 4976 wrote to memory of 1012	4976	DllCommonsvc.exe	99
PID 4976 wrote to memory of 1888	4976	DllCommonsvc.exe	103
PID 4976 wrote to memory of 1888	4976	DllCommonsvc.exe	103
PID 1888 wrote to memory of 4384	1888	cmd.exe	105
PID 1888 wrote to memory of 4384	1888	cmd.exe	105
PID 1888 wrote to memory of 2188	1888	cmd.exe	107
PID 1888 wrote to memory of 2188	1888	cmd.exe	107
PID 2188 wrote to memory of 2184	2188	dllhost.exe	108
PID 2188 wrote to memory of 2184	2188	dllhost.exe	108
PID 2184 wrote to memory of 4324	2184	cmd.exe	110
PID 2184 wrote to memory of 4324	2184	cmd.exe	110
PID 2184 wrote to memory of 5056	2184	cmd.exe	111
PID 2184 wrote to memory of 5056	2184	cmd.exe	111
PID 5056 wrote to memory of 2248	5056	dllhost.exe	112
PID 5056 wrote to memory of 2248	5056	dllhost.exe	112
PID 2248 wrote to memory of 4576	2248	cmd.exe	114
PID 2248 wrote to memory of 4576	2248	cmd.exe	114
PID 2248 wrote to memory of 4144	2248	cmd.exe	115
PID 2248 wrote to memory of 4144	2248	cmd.exe	115
PID 4144 wrote to memory of 4004	4144	dllhost.exe	116
PID 4144 wrote to memory of 4004	4144	dllhost.exe	116
PID 4004 wrote to memory of 2088	4004	cmd.exe	118
PID 4004 wrote to memory of 2088	4004	cmd.exe	118
PID 4004 wrote to memory of 3180	4004	cmd.exe	119
PID 4004 wrote to memory of 3180	4004	cmd.exe	119
PID 3180 wrote to memory of 4460	3180	dllhost.exe	121
PID 3180 wrote to memory of 4460	3180	dllhost.exe	121
PID 4460 wrote to memory of 760	4460	cmd.exe	122
PID 4460 wrote to memory of 760	4460	cmd.exe	122
PID 4460 wrote to memory of 4868	4460	cmd.exe	123
PID 4460 wrote to memory of 4868	4460	cmd.exe	123
PID 4868 wrote to memory of 2068	4868	dllhost.exe	124
PID 4868 wrote to memory of 2068	4868	dllhost.exe	124
PID 2068 wrote to memory of 2552	2068	cmd.exe	126
PID 2068 wrote to memory of 2552	2068	cmd.exe	126
PID 2068 wrote to memory of 2708	2068	cmd.exe	127
PID 2068 wrote to memory of 2708	2068	cmd.exe	127
PID 2708 wrote to memory of 4680	2708	dllhost.exe	128
PID 2708 wrote to memory of 4680	2708	dllhost.exe	128
PID 4680 wrote to memory of 1652	4680	cmd.exe	130
PID 4680 wrote to memory of 1652	4680	cmd.exe	130
PID 4680 wrote to memory of 1284	4680	cmd.exe	131
PID 4680 wrote to memory of 1284	4680	cmd.exe	131

C:\Users\Admin\AppData\Local\Temp\6ce171c70c52d08b43b7f6bd0847c4fe29147d2eb7e88d642993d1bd5ff349b9.exe
"C:\Users\Admin\AppData\Local\Temp\6ce171c70c52d08b43b7f6bd0847c4fe29147d2eb7e88d642993d1bd5ff349b9.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3532
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4608
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4976
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4768
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:380
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ServiceProfiles\NetworkService\Videos\dllhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4664
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Start Menu\SearchUI.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:512
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dllhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4420
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\Idle.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4456
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\smss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1012
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\l7LKVJdnvO.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1888
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:4384
      - C:\Windows\ServiceProfiles\NetworkService\Videos\dllhost.exe
        
        "C:\Windows\ServiceProfiles\NetworkService\Videos\dllhost.exe"
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2188
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eXOrkcF5G0.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2184
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:4324
        
        C:\Windows\ServiceProfiles\NetworkService\Videos\dllhost.exe
        
        "C:\Windows\ServiceProfiles\NetworkService\Videos\dllhost.exe"
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:5056
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\H7kUlUtrsw.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:4576
        
        C:\Windows\ServiceProfiles\NetworkService\Videos\dllhost.exe
        
        "C:\Windows\ServiceProfiles\NetworkService\Videos\dllhost.exe"
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4144
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xB9FX11cFJ.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:4004
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2088
        
        C:\Windows\ServiceProfiles\NetworkService\Videos\dllhost.exe
        
        "C:\Windows\ServiceProfiles\NetworkService\Videos\dllhost.exe"
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3180
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\61cJPf1Vjg.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:4460
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:760
        
        C:\Windows\ServiceProfiles\NetworkService\Videos\dllhost.exe
        
        "C:\Windows\ServiceProfiles\NetworkService\Videos\dllhost.exe"
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4868
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UxOjVeUiuv.bat"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:2068
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2552
        
        C:\Windows\ServiceProfiles\NetworkService\Videos\dllhost.exe
        
        "C:\Windows\ServiceProfiles\NetworkService\Videos\dllhost.exe"
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2708
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gTQuRhIyam.bat"
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:4680
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1652
        
        C:\Windows\ServiceProfiles\NetworkService\Videos\dllhost.exe
        
        "C:\Windows\ServiceProfiles\NetworkService\Videos\dllhost.exe"
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1284
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lLU0orPlEL.bat"
        19⤵
        
        PID:4924
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:3868
        
        C:\Windows\ServiceProfiles\NetworkService\Videos\dllhost.exe
        
        "C:\Windows\ServiceProfiles\NetworkService\Videos\dllhost.exe"
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3864
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\76lQa6YaxV.bat"
        21⤵
        
        PID:3172
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2680
        
        C:\Windows\ServiceProfiles\NetworkService\Videos\dllhost.exe
        
        "C:\Windows\ServiceProfiles\NetworkService\Videos\dllhost.exe"
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4748
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LnIbptgF5R.bat"
        23⤵
        
        PID:1944
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:4320
        
        C:\Windows\ServiceProfiles\NetworkService\Videos\dllhost.exe
        
        "C:\Windows\ServiceProfiles\NetworkService\Videos\dllhost.exe"
        24⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2200
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rZY5mW9Lj2.bat"
        25⤵
        
        PID:1016
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:4316
        
        C:\Windows\ServiceProfiles\NetworkService\Videos\dllhost.exe
        
        "C:\Windows\ServiceProfiles\NetworkService\Videos\dllhost.exe"
        26⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1404
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dgWvFyiHB2.bat"
        27⤵
        
        PID:2184
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:3968
        
        C:\Windows\ServiceProfiles\NetworkService\Videos\dllhost.exe
        
        "C:\Windows\ServiceProfiles\NetworkService\Videos\dllhost.exe"
        28⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:4560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Windows\ServiceProfiles\NetworkService\Videos\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\NetworkService\Videos\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Windows\ServiceProfiles\NetworkService\Videos\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\providercommon\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\odt\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\odt\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\odt\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Start Menu\SearchUI.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\Users\Default\Start Menu\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Start Menu\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4672

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dllhost.exe.log

Filesize
1KB

MD5
d63ff49d7c92016feb39812e4db10419

SHA1
2307d5e35ca9864ffefc93acf8573ea995ba189b

SHA256
375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12

SHA512
00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d14ec866e8d5402e0fd531b2f7ca91bd

SHA1
8bc901016f434a122a4a9d47531c4ddf285a27e6

SHA256
2d82c355f7866c813181162e9ed5ca940cde344d0d9536aef5d89c55c6f780cc

SHA512
dba5533d02731bb6335df51d4eb27d13ba097f990ebc1b366905fa0c3cae5d314531b415d29ffae0a8a812db02b45adb357d3e93eba5efee08b613fec93a730c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
574e925af57e87ff89755c31fcdf9ba6

SHA1
49f200dc36f211070ebc1d0c2bb96e9e01c5fc42

SHA256
2d595a4b9eafb3d34c77618b570e8ef14371c00cc053f405bf634a21dc635ad4

SHA512
3e549b8f258e910b51037ae057e6eef77dfabd25fdecf1a44f790fec610fbbd67377a6e7bf6e1dcd395fe9a3a0cff7ed123758c9e55248690588208a9be4e3b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
535b47e697d8c32d5c2903c9697c1c23

SHA1
d715245838c2bdfcce3cf81f35d54889043599a3

SHA256
031145b856f77d9f9fde0127edaf9faabb1f46fc1f3ef926b66b7219f0d39818

SHA512
6e01761c494117f095783f33ab0acbe676c6f45a59f402649c2c8fd07f036fb6df6bf5cfc8a46e3fc0d0cfd384b78e9f4eb6839893f2e213f102cac7bb099c1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
535b47e697d8c32d5c2903c9697c1c23

SHA1
d715245838c2bdfcce3cf81f35d54889043599a3

SHA256
031145b856f77d9f9fde0127edaf9faabb1f46fc1f3ef926b66b7219f0d39818

SHA512
6e01761c494117f095783f33ab0acbe676c6f45a59f402649c2c8fd07f036fb6df6bf5cfc8a46e3fc0d0cfd384b78e9f4eb6839893f2e213f102cac7bb099c1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
535b47e697d8c32d5c2903c9697c1c23

SHA1
d715245838c2bdfcce3cf81f35d54889043599a3

SHA256
031145b856f77d9f9fde0127edaf9faabb1f46fc1f3ef926b66b7219f0d39818

SHA512
6e01761c494117f095783f33ab0acbe676c6f45a59f402649c2c8fd07f036fb6df6bf5cfc8a46e3fc0d0cfd384b78e9f4eb6839893f2e213f102cac7bb099c1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
104B

MD5
9afc08b5ba38c8cd49dba8a796c7224c

SHA1
aa23651a8a6ae77fa11efb92edb2db834371b1ae

SHA256
1f020bf3d8bd0e717cd27a10c663e154b1b49cba4a9ab235d2c21fdbe964baaf

SHA512
ed8b961b5a76cf00c948dbefdc536f6f2039b2fc40fccb8c8a625526e461e788a288f6b746f8feb3578be74499282708bdd0cbf5a32fafae01986ddc12957c13

Download Submit
C:\Users\Admin\AppData\Local\Temp\61cJPf1Vjg.bat

Filesize
225B

MD5
672837b0b3ff950173fe71ca1100401b

SHA1
9891cfba251ff017e03670c02186c43b287b143f

SHA256
589cef6c0994a8cdb204e33c92874fd3d656fe16613932c29e0abe2db571fe31

SHA512
84165155be385f77ba51f3cdf38aad3771ba5a67cf0804623d26f5ec23e18166349aa827c2d55ebc0ba6f0237433c26cb09db79adbfd080da0093fd4b1017c0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\76lQa6YaxV.bat

Filesize
225B

MD5
fe754bccaca1ebeb79ab8673e8023dfa

SHA1
830029e1720ba78ca1deb8fa19e758151c2f219f

SHA256
e9e1f7cc9c3f1b1c8a408fa61951fcf2675f2d41d7cb396260a369c688ff732f

SHA512
4042b991230fe47da51f3e5e3a0995bc29a6f8dd2072093a51a0b57d58a1643f6ae720176e079f81b65bddc262fe932e1b0cd3b5fb98b5339bb39410786bd3c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\H7kUlUtrsw.bat

Filesize
225B

MD5
19065fc1777980ded64483385261b39c

SHA1
eb1f01e3eb14bd6b8b4efe6e3d91f2d3709199e4

SHA256
2c031e36eccb54329a6ee6e7cc21a9282358712f4ef002cbf0f47c3e19450051

SHA512
947005c73a0996b547e3929c5cb712af8553d785d2c266ff0b1a95f82e0b1a8643eed4523623c410334badba609124495f9645b0c61c5c5a5775cd5abf17ccdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\LnIbptgF5R.bat

Filesize
225B

MD5
b3d00936513408a071dddf328da2b9bc

SHA1
02ff400c0f19c873d89690fc96b13df9e6bd6760

SHA256
ad5629b2673c4101112845d42d6155bc2216d835886efd66e285eb600a9670c2

SHA512
fc66eede059bc274071454331406250d72b9ef9425b27bee9cfa92b44504398b31f8e573b4ec1a683978d914abd3e66f43ebebd7db1a15691b90437a15d2e331

Download Submit
C:\Users\Admin\AppData\Local\Temp\UxOjVeUiuv.bat

Filesize
225B

MD5
81504e80760fe7ef9304986c6429abf9

SHA1
8b19789615b261357eab753bb4e8d3512c322704

SHA256
bce70c9dab24e37ccaec62f347c6f2654e56634d177ba7ad56bd1b5bcec1e419

SHA512
c94cb71ba443d098ea9264f2f9c2b5b8e417a91b8be163105de7668560e09397fea44e4ee5e36bc5c6e587c55f07fac1f003d1656a412042bf387e46f0de8f12

Download Submit
C:\Users\Admin\AppData\Local\Temp\dgWvFyiHB2.bat

Filesize
225B

MD5
176add01dc9b7a2bc672f29ee2196100

SHA1
e14a06c69afcdc1aace28ada8d075a55ea0dd14c

SHA256
5bbfad35bdf2ef06b10e9d31bf95d0ea695964ba82aae84debd19601b8f996d7

SHA512
538aec933f0ce3c927f2b0642e2942e3e27faff0422911b7c4eef02620a42fbcd3947fc7145049688031ec6fe3192200a426fb7908510350e41b542f9d682f88

Download Submit
C:\Users\Admin\AppData\Local\Temp\eXOrkcF5G0.bat

Filesize
225B

MD5
d8c365915c7ee9752abf5e0f7673c526

SHA1
d2832958fd9fd5781f9271b4cb25872d3438e37b

SHA256
2e16ee6d08c32143eca4b0f0f99888629ccbf1f4868f38d82c2e3179b90be461

SHA512
6246eb9e709fde8b30782a6b7d4b26a17a9959d7f6d52f0dac65587d86b5320ec729f45da3a49af07b2b039917d2bd4c11ff6f5beeb7eb023ce386d01eccf7de

Download Submit
C:\Users\Admin\AppData\Local\Temp\gTQuRhIyam.bat

Filesize
225B

MD5
2d9df5d94e41f501f9a50ff666cc7fa8

SHA1
849714fbb3de3efbaae7398e784e9cdd4438d055

SHA256
736c1dd0f6470c06e07326715e77f18314b2b6e5eee3cfb54f3ac32d6e75ab6a

SHA512
cfae7d436f381447404215e645128a60dfad4dd921de4811fa2c06eb12a67c3046d9fdc95e8730e48985631b1e35d50e3be8ae4a390da39156d88318a055dce4

Download Submit
C:\Users\Admin\AppData\Local\Temp\l7LKVJdnvO.bat

Filesize
225B

MD5
8aac51d1f7ebafe6977aab5cd154b5af

SHA1
c0778baf77aa6c0689b140e2aae135b5dd5cd0a1

SHA256
2c4b1fa05f7b6c333fd57a8aec85d4e3f31eb52b34026aec971af7c53ebd5390

SHA512
8be49905701b27d21e926efa601047b5f7e288bd93fe2417ea4f1376f810c0a21cfc89e235f55eb7707599eced32fe61418a34e8d1323804fb9fc756e51cf3fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\lLU0orPlEL.bat

Filesize
225B

MD5
7183d0b3f561a976046e5191c5ca38dc

SHA1
120de6bace5eded7661d37f6d8a1f4f1545bb91a

SHA256
f0e053491900361b5f4600d63da436d067db1e04f07c1759e5412fc6e96e4962

SHA512
36adc1bdece7fca913533e931ab3e75612d08d3dfa8e260dfa9434fe551e3183571a83c0150ec7e4dffb81ed910e668c373fedd257b0233abdaecdc71fda1255

Download Submit
C:\Users\Admin\AppData\Local\Temp\rZY5mW9Lj2.bat

Filesize
225B

MD5
712b465aabe022dee928caf08ef76eb7

SHA1
65e94b7ff337a8bcaf14a9ff614b2af8d89c140c

SHA256
ba526d986e464a251338246ad2c729ff42d3b9a625736a9cc129379fe64b7c6c

SHA512
cf39f9a67357a9b57787be62deb5437fb754e5a85d73ae68c0140e1b790639c4f9b7a61b00d5544a8a4df268221bcf081235756abc99d4c4273ba04b8932e4f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\xB9FX11cFJ.bat

Filesize
225B

MD5
b1ff0b845ae9888acc01e7d4719994fc

SHA1
b40502d2a3f9b680f53878931459e26fc6b254a7

SHA256
6e5758ac9568f8b76199f5a8ffdf8f7837747f578f136dfc5748474fc091e6c2

SHA512
e4344d967532b92135e4a75f035d4f7dfb865e999ff4d0242d5e86495fbf040c8d0f098318ebbbc41b4131ce14c700bdeee9793f6ece0095d1391aec456aefdb

Download Submit
C:\Windows\ServiceProfiles\NetworkService\Videos\dllhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\ServiceProfiles\NetworkService\Videos\dllhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\ServiceProfiles\NetworkService\Videos\dllhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\ServiceProfiles\NetworkService\Videos\dllhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\ServiceProfiles\NetworkService\Videos\dllhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\ServiceProfiles\NetworkService\Videos\dllhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\ServiceProfiles\NetworkService\Videos\dllhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\ServiceProfiles\NetworkService\Videos\dllhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\ServiceProfiles\NetworkService\Videos\dllhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\ServiceProfiles\NetworkService\Videos\dllhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\ServiceProfiles\NetworkService\Videos\dllhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\ServiceProfiles\NetworkService\Videos\dllhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\ServiceProfiles\NetworkService\Videos\dllhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/380-330-0x0000017298620000-0x0000017298696000-memory.dmp

Filesize
472KB

Download
memory/380-327-0x0000017298340000-0x0000017298362000-memory.dmp

Filesize
136KB

Download
memory/1284-578-0x0000000000B90000-0x0000000000BA2000-memory.dmp

Filesize
72KB

Download
memory/2184-150-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2184-133-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2184-177-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2184-178-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2184-179-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2184-180-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2184-181-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2184-182-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2184-183-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2184-121-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2184-155-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2184-175-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2184-174-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2184-154-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2184-172-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2184-173-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2184-171-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2184-152-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2184-170-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2184-157-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2184-153-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2184-151-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2184-169-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2184-156-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2184-168-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2184-122-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2184-149-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2184-167-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2184-166-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2184-165-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2184-164-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2184-163-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2184-148-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2184-123-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2184-158-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2184-147-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2184-146-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2184-125-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2184-145-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2184-144-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2184-143-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2184-142-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2184-141-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2184-140-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2184-139-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2184-138-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2184-137-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2184-136-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2184-135-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2184-134-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2184-176-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2184-162-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2184-126-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2184-132-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2184-161-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2184-131-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2184-130-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2184-160-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2184-129-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2184-159-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2184-128-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2184-120-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-516-0x0000000001470000-0x0000000001482000-memory.dmp

Filesize
72KB

Download
memory/3532-186-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/3532-185-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/4748-589-0x000000001B130000-0x000000001B142000-memory.dmp

Filesize
72KB

Download
memory/4976-286-0x00000000005B0000-0x00000000006C0000-memory.dmp

Filesize
1.1MB

Download
memory/4976-287-0x0000000000CD0000-0x0000000000CE2000-memory.dmp

Filesize
72KB

Download
memory/4976-288-0x0000000000E90000-0x0000000000E9C000-memory.dmp

Filesize
48KB

Download
memory/4976-289-0x0000000000D30000-0x0000000000D3C000-memory.dmp

Filesize
48KB

Download
memory/4976-290-0x0000000000EA0000-0x0000000000EAC000-memory.dmp

Filesize
48KB

Download
memory/5056-552-0x0000000002390000-0x00000000023A2000-memory.dmp

Filesize
72KB

Download