dcrat | 9fbcd186b057cdf53a7d34a98131c0f0d6a1849f90390771dda0de1ae83227d3

Analysis

max time kernel
150s
max time network
146s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
01/11/2022, 03:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9fbcd186b057cdf53a7d34a98131c0f0d6a1849f90390771dda0de1ae83227d3.exe
Size

1.3MB
MD5

5b72a4a651f45f97ddbee6b337cc1dd2
SHA1

be4bd3170e6edb71abfe754a108d8ff6338881d2
SHA256

9fbcd186b057cdf53a7d34a98131c0f0d6a1849f90390771dda0de1ae83227d3
SHA512

d5938e52490c8087c60d7c26aecf536e916aaee23ff367b4466c8d4b8bcdab54f96092ff9a0f7291602e43050d934080ad1f35947a0c2d7abe714cfd53240ff9
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4444	4432	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3708	4432	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3980	4432	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4040	4432	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3988	4432	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4600	4432	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4656	4432	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3996	4432	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3948	4432	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2552	4432	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4488	4432	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4664	4432	schtasks.exe	70

DCRat payload 16 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000800000001ac24-284.dat	dcrat
behavioral1/files/0x000800000001ac24-285.dat	dcrat
behavioral1/memory/5104-286-0x0000000000C00000-0x0000000000D10000-memory.dmp	dcrat
behavioral1/files/0x000600000001ac31-472.dat	dcrat
behavioral1/files/0x000600000001ac31-473.dat	dcrat
behavioral1/files/0x000600000001ac31-478.dat	dcrat
behavioral1/files/0x000600000001ac31-484.dat	dcrat
behavioral1/files/0x000600000001ac31-489.dat	dcrat
behavioral1/files/0x000600000001ac31-495.dat	dcrat
behavioral1/files/0x000600000001ac31-500.dat	dcrat
behavioral1/files/0x000600000001ac31-506.dat	dcrat
behavioral1/files/0x000600000001ac31-512.dat	dcrat
behavioral1/files/0x000600000001ac31-517.dat	dcrat
behavioral1/files/0x000600000001ac31-522.dat	dcrat
behavioral1/files/0x000600000001ac31-527.dat	dcrat
behavioral1/files/0x000600000001ac31-533.dat	dcrat

Executes dropped EXE 13 IoCs

pid	Process
5104	DllCommonsvc.exe
3476	sihost.exe
2228	sihost.exe
3112	sihost.exe
1828	sihost.exe
2468	sihost.exe
4744	sihost.exe
3408	sihost.exe
3752	sihost.exe
1280	sihost.exe
1116	sihost.exe
4928	sihost.exe
4032	sihost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\e6c9b481da804f	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\OfficeClickToRun.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4488	schtasks.exe
4664	schtasks.exe
4600	schtasks.exe
3948	schtasks.exe
2552	schtasks.exe
4040	schtasks.exe
3988	schtasks.exe
4656	schtasks.exe
3996	schtasks.exe
4444	schtasks.exe
3708	schtasks.exe
3980	schtasks.exe

Modifies registry class 13 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	9fbcd186b057cdf53a7d34a98131c0f0d6a1849f90390771dda0de1ae83227d3.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	sihost.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
5104	DllCommonsvc.exe
5104	DllCommonsvc.exe
5104	DllCommonsvc.exe
4956	powershell.exe
5036	powershell.exe
4304	powershell.exe
4684	powershell.exe
4956	powershell.exe
4916	powershell.exe
4916	powershell.exe
5036	powershell.exe
4304	powershell.exe
4956	powershell.exe
4304	powershell.exe
5036	powershell.exe
4684	powershell.exe
4916	powershell.exe
4684	powershell.exe
3476	sihost.exe
2228	sihost.exe
3112	sihost.exe
1828	sihost.exe
2468	sihost.exe
4744	sihost.exe
3408	sihost.exe
3752	sihost.exe
1280	sihost.exe
1116	sihost.exe
4928	sihost.exe
4032	sihost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5104	DllCommonsvc.exe
Token: SeDebugPrivilege	4956	powershell.exe
Token: SeDebugPrivilege	5036	powershell.exe
Token: SeDebugPrivilege	4304	powershell.exe
Token: SeDebugPrivilege	4916	powershell.exe
Token: SeDebugPrivilege	4684	powershell.exe
Token: SeIncreaseQuotaPrivilege	4956	powershell.exe
Token: SeSecurityPrivilege	4956	powershell.exe
Token: SeTakeOwnershipPrivilege	4956	powershell.exe
Token: SeLoadDriverPrivilege	4956	powershell.exe
Token: SeSystemProfilePrivilege	4956	powershell.exe
Token: SeSystemtimePrivilege	4956	powershell.exe
Token: SeProfSingleProcessPrivilege	4956	powershell.exe
Token: SeIncBasePriorityPrivilege	4956	powershell.exe
Token: SeCreatePagefilePrivilege	4956	powershell.exe
Token: SeBackupPrivilege	4956	powershell.exe
Token: SeRestorePrivilege	4956	powershell.exe
Token: SeShutdownPrivilege	4956	powershell.exe
Token: SeDebugPrivilege	4956	powershell.exe
Token: SeSystemEnvironmentPrivilege	4956	powershell.exe
Token: SeRemoteShutdownPrivilege	4956	powershell.exe
Token: SeUndockPrivilege	4956	powershell.exe
Token: SeManageVolumePrivilege	4956	powershell.exe
Token: 33	4956	powershell.exe
Token: 34	4956	powershell.exe
Token: 35	4956	powershell.exe
Token: 36	4956	powershell.exe
Token: SeIncreaseQuotaPrivilege	4304	powershell.exe
Token: SeSecurityPrivilege	4304	powershell.exe
Token: SeTakeOwnershipPrivilege	4304	powershell.exe
Token: SeLoadDriverPrivilege	4304	powershell.exe
Token: SeSystemProfilePrivilege	4304	powershell.exe
Token: SeSystemtimePrivilege	4304	powershell.exe
Token: SeProfSingleProcessPrivilege	4304	powershell.exe
Token: SeIncBasePriorityPrivilege	4304	powershell.exe
Token: SeCreatePagefilePrivilege	4304	powershell.exe
Token: SeBackupPrivilege	4304	powershell.exe
Token: SeRestorePrivilege	4304	powershell.exe
Token: SeShutdownPrivilege	4304	powershell.exe
Token: SeDebugPrivilege	4304	powershell.exe
Token: SeSystemEnvironmentPrivilege	4304	powershell.exe
Token: SeRemoteShutdownPrivilege	4304	powershell.exe
Token: SeUndockPrivilege	4304	powershell.exe
Token: SeManageVolumePrivilege	4304	powershell.exe
Token: 33	4304	powershell.exe
Token: 34	4304	powershell.exe
Token: 35	4304	powershell.exe
Token: 36	4304	powershell.exe
Token: SeIncreaseQuotaPrivilege	5036	powershell.exe
Token: SeSecurityPrivilege	5036	powershell.exe
Token: SeTakeOwnershipPrivilege	5036	powershell.exe
Token: SeLoadDriverPrivilege	5036	powershell.exe
Token: SeSystemProfilePrivilege	5036	powershell.exe
Token: SeSystemtimePrivilege	5036	powershell.exe
Token: SeProfSingleProcessPrivilege	5036	powershell.exe
Token: SeIncBasePriorityPrivilege	5036	powershell.exe
Token: SeCreatePagefilePrivilege	5036	powershell.exe
Token: SeBackupPrivilege	5036	powershell.exe
Token: SeRestorePrivilege	5036	powershell.exe
Token: SeShutdownPrivilege	5036	powershell.exe
Token: SeDebugPrivilege	5036	powershell.exe
Token: SeSystemEnvironmentPrivilege	5036	powershell.exe
Token: SeRemoteShutdownPrivilege	5036	powershell.exe
Token: SeUndockPrivilege	5036	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 388 wrote to memory of 4752	388	9fbcd186b057cdf53a7d34a98131c0f0d6a1849f90390771dda0de1ae83227d3.exe	66
PID 388 wrote to memory of 4752	388	9fbcd186b057cdf53a7d34a98131c0f0d6a1849f90390771dda0de1ae83227d3.exe	66
PID 388 wrote to memory of 4752	388	9fbcd186b057cdf53a7d34a98131c0f0d6a1849f90390771dda0de1ae83227d3.exe	66
PID 4752 wrote to memory of 4812	4752	WScript.exe	67
PID 4752 wrote to memory of 4812	4752	WScript.exe	67
PID 4752 wrote to memory of 4812	4752	WScript.exe	67
PID 4812 wrote to memory of 5104	4812	cmd.exe	69
PID 4812 wrote to memory of 5104	4812	cmd.exe	69
PID 5104 wrote to memory of 4304	5104	DllCommonsvc.exe	83
PID 5104 wrote to memory of 4304	5104	DllCommonsvc.exe	83
PID 5104 wrote to memory of 5036	5104	DllCommonsvc.exe	92
PID 5104 wrote to memory of 5036	5104	DllCommonsvc.exe	92
PID 5104 wrote to memory of 4956	5104	DllCommonsvc.exe	84
PID 5104 wrote to memory of 4956	5104	DllCommonsvc.exe	84
PID 5104 wrote to memory of 4916	5104	DllCommonsvc.exe	86
PID 5104 wrote to memory of 4916	5104	DllCommonsvc.exe	86
PID 5104 wrote to memory of 4684	5104	DllCommonsvc.exe	87
PID 5104 wrote to memory of 4684	5104	DllCommonsvc.exe	87
PID 5104 wrote to memory of 908	5104	DllCommonsvc.exe	93
PID 5104 wrote to memory of 908	5104	DllCommonsvc.exe	93
PID 908 wrote to memory of 2064	908	cmd.exe	95
PID 908 wrote to memory of 2064	908	cmd.exe	95
PID 908 wrote to memory of 3476	908	cmd.exe	97
PID 908 wrote to memory of 3476	908	cmd.exe	97
PID 3476 wrote to memory of 4444	3476	sihost.exe	98
PID 3476 wrote to memory of 4444	3476	sihost.exe	98
PID 4444 wrote to memory of 3296	4444	cmd.exe	100
PID 4444 wrote to memory of 3296	4444	cmd.exe	100
PID 4444 wrote to memory of 2228	4444	cmd.exe	101
PID 4444 wrote to memory of 2228	4444	cmd.exe	101
PID 2228 wrote to memory of 5040	2228	sihost.exe	102
PID 2228 wrote to memory of 5040	2228	sihost.exe	102
PID 5040 wrote to memory of 4352	5040	cmd.exe	104
PID 5040 wrote to memory of 4352	5040	cmd.exe	104
PID 5040 wrote to memory of 3112	5040	cmd.exe	105
PID 5040 wrote to memory of 3112	5040	cmd.exe	105
PID 3112 wrote to memory of 5064	3112	sihost.exe	106
PID 3112 wrote to memory of 5064	3112	sihost.exe	106
PID 5064 wrote to memory of 4400	5064	cmd.exe	108
PID 5064 wrote to memory of 4400	5064	cmd.exe	108
PID 5064 wrote to memory of 1828	5064	cmd.exe	109
PID 5064 wrote to memory of 1828	5064	cmd.exe	109
PID 1828 wrote to memory of 3900	1828	sihost.exe	110
PID 1828 wrote to memory of 3900	1828	sihost.exe	110
PID 3900 wrote to memory of 2172	3900	cmd.exe	112
PID 3900 wrote to memory of 2172	3900	cmd.exe	112
PID 3900 wrote to memory of 2468	3900	cmd.exe	113
PID 3900 wrote to memory of 2468	3900	cmd.exe	113
PID 2468 wrote to memory of 3524	2468	sihost.exe	114
PID 2468 wrote to memory of 3524	2468	sihost.exe	114
PID 3524 wrote to memory of 4844	3524	cmd.exe	116
PID 3524 wrote to memory of 4844	3524	cmd.exe	116
PID 3524 wrote to memory of 4744	3524	cmd.exe	117
PID 3524 wrote to memory of 4744	3524	cmd.exe	117
PID 4744 wrote to memory of 3532	4744	sihost.exe	118
PID 4744 wrote to memory of 3532	4744	sihost.exe	118
PID 3532 wrote to memory of 2388	3532	cmd.exe	120
PID 3532 wrote to memory of 2388	3532	cmd.exe	120
PID 3532 wrote to memory of 3408	3532	cmd.exe	121
PID 3532 wrote to memory of 3408	3532	cmd.exe	121
PID 3408 wrote to memory of 4360	3408	sihost.exe	122
PID 3408 wrote to memory of 4360	3408	sihost.exe	122
PID 4360 wrote to memory of 1188	4360	cmd.exe	124
PID 4360 wrote to memory of 1188	4360	cmd.exe	124

C:\Users\Admin\AppData\Local\Temp\9fbcd186b057cdf53a7d34a98131c0f0d6a1849f90390771dda0de1ae83227d3.exe
"C:\Users\Admin\AppData\Local\Temp\9fbcd186b057cdf53a7d34a98131c0f0d6a1849f90390771dda0de1ae83227d3.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:388
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4752
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4812
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5104
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4304
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Music\sihost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4956
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\Idle.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4916
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\OfficeClickToRun.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4684
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\services.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5036
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TP8rFX5VPB.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:908
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2064
      - C:\Users\Default\Music\sihost.exe
        
        "C:\Users\Default\Music\sihost.exe"
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3476
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ffEuziAK6w.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4444
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:3296
        
        C:\Users\Default\Music\sihost.exe
        
        "C:\Users\Default\Music\sihost.exe"
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2228
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5DPJyftqFq.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:5040
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:4352
        
        C:\Users\Default\Music\sihost.exe
        
        "C:\Users\Default\Music\sihost.exe"
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3112
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Nm0aad8I0L.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:5064
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:4400
        
        C:\Users\Default\Music\sihost.exe
        
        "C:\Users\Default\Music\sihost.exe"
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1828
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TiDn8Em9ri.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:3900
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2172
        
        C:\Users\Default\Music\sihost.exe
        
        "C:\Users\Default\Music\sihost.exe"
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2468
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OrAhl4fNEA.bat"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:3524
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:4844
        
        C:\Users\Default\Music\sihost.exe
        
        "C:\Users\Default\Music\sihost.exe"
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4744
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\42uKfvaRom.bat"
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:3532
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2388
        
        C:\Users\Default\Music\sihost.exe
        
        "C:\Users\Default\Music\sihost.exe"
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3408
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\H34YhpUhHp.bat"
        19⤵
        Suspicious use of WriteProcessMemory
        
        PID:4360
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1188
        
        C:\Users\Default\Music\sihost.exe
        
        "C:\Users\Default\Music\sihost.exe"
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3752
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eUivgxqvfs.bat"
        21⤵
        
        PID:4960
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1192
        
        C:\Users\Default\Music\sihost.exe
        
        "C:\Users\Default\Music\sihost.exe"
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1280
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kOAwrWovpT.bat"
        23⤵
        
        PID:1780
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:4524
        
        C:\Users\Default\Music\sihost.exe
        
        "C:\Users\Default\Music\sihost.exe"
        24⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1116
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vIn8vbLsXf.bat"
        25⤵
        
        PID:4724
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:4688
        
        C:\Users\Default\Music\sihost.exe
        
        "C:\Users\Default\Music\sihost.exe"
        26⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4928
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eUivgxqvfs.bat"
        27⤵
        
        PID:4932
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:3296
        
        C:\Users\Default\Music\sihost.exe
        
        "C:\Users\Default\Music\sihost.exe"
        28⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:4032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\odt\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\odt\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\odt\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Music\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Default\Music\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Music\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\odt\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\odt\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\odt\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4664

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sihost.exe.log

Filesize
1KB

MD5
d63ff49d7c92016feb39812e4db10419

SHA1
2307d5e35ca9864ffefc93acf8573ea995ba189b

SHA256
375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12

SHA512
00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
798c5f1f71f1313d3f8833e043ab715f

SHA1
097fd5dbb3bb98d2ecb52c73e0a8581714f0b9b4

SHA256
2b8c5e62179c45c5f172092aea22e8aec79bb718502d07edb330823333cbce6f

SHA512
92ca09275e85a1c0e7f1fef7c87a31b54fcb2f171cb1f9bd8ff92e758835eb9f3e66f25d38abdf4ca8d33df82b21dca307cb7feeb81d3f8794cc3214aad2ed9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
798c5f1f71f1313d3f8833e043ab715f

SHA1
097fd5dbb3bb98d2ecb52c73e0a8581714f0b9b4

SHA256
2b8c5e62179c45c5f172092aea22e8aec79bb718502d07edb330823333cbce6f

SHA512
92ca09275e85a1c0e7f1fef7c87a31b54fcb2f171cb1f9bd8ff92e758835eb9f3e66f25d38abdf4ca8d33df82b21dca307cb7feeb81d3f8794cc3214aad2ed9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8e4fa1bb579d35ed00d05b8b72905cdc

SHA1
4413b694cacf57e43e4f5f78264af363777579c1

SHA256
8aabde406cd845148650e0f4bf388c41dc576dc66a3a14c11a218fe0e213b315

SHA512
54b4f81fcc819e76c6ebc18ea0e32aa3d2a28ed094af1232fc2dfe58bc3ab0abd9787f9e2e13279a070199ad27b5df62a99f2224eeb71a335085e180522e1919

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
104B

MD5
2377facea063eb22282cb7a067fe4452

SHA1
edb01bc66a27eab03526af8f23582f5d9f200233

SHA256
68437979a49f6ebb9074856cde2c69e584b280184fe60da402655b18fcfe10c0

SHA512
69d456b8bc2751e17fde64f339da3155e73aa32e4c7ac988d7cb598fb80ff7afb84aa87ec9b2dd45004f99353e7a13111e262f290736c35ac38adf2bced9f38e

Download Submit
C:\Users\Admin\AppData\Local\Temp\42uKfvaRom.bat

Filesize
198B

MD5
88e867d8449c825e9c651c03139c5b6e

SHA1
4962aa89c4c244badbcecd264f6e7e9021650a42

SHA256
3bcdab6fecc005f1963ae44f96b67cfc8bb94ccc83e50a09ab3eae5d05fda377

SHA512
33e9312f015087527cb9bba08625d6f6b128f346d369b714fd852217c99ba7d6420f789998f9da370553ca63ffb2358b526532b64accb6a9d7e448fdca8e199d

Download Submit
C:\Users\Admin\AppData\Local\Temp\5DPJyftqFq.bat

Filesize
198B

MD5
00b0b3b9d09b3bae6be0cd7c996dc22d

SHA1
067912399203b0be53135105c95c9d7f15d79e9a

SHA256
b7a9168a2b605f864fd273e4de94e4513838993c9959ac583d83167eae40d480

SHA512
ad520d8c5fe00e183a41893ee6e733f3d4ed0070befae9a7ec85265d79fe2e038e53170881b39c112394c02910cf6333337a5c2ebdd23aa38ca93320db8505f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\H34YhpUhHp.bat

Filesize
198B

MD5
686aef682c6bc216e29adc6ce17dadbd

SHA1
fc4e434c21fe30ba7a9a7178af3bfc4edcefa1e3

SHA256
45d2f10ef1b7208e6f0d44a605376eb3d0a04f424f563cbdbd2991d688b67d6e

SHA512
8b879401601a10a77aa49ebc0ecccce94fd4b08e754518499eb27a86ae88840d7b6ece3211f717907d6f3388823dcfca3776bda3c54d484a847006ed3bd63ec2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nm0aad8I0L.bat

Filesize
198B

MD5
e2bcb997ff8af92451eafc9ff41d854e

SHA1
912dbdc108bd5b0d717a4c90503949b93a2558dd

SHA256
55a159a86773becd1f4e2a012491d2dbfe03f2df7b6bb476bff2743d64bdd7f2

SHA512
6e9a90c559be12c746ddacf846fc702549a90435dada04b377fcb20e32ea067ea03c767e012e2bf0c79a9fb2bbeb0831f2222fe29152d12475008d1c53e2239d

Download Submit
C:\Users\Admin\AppData\Local\Temp\OrAhl4fNEA.bat

Filesize
198B

MD5
b4145d74fee71eaf16ed2bf640a3a7e0

SHA1
5d01c3f7197e8c354c29fb05a56ccd5ff3bf1468

SHA256
cf06d4fbe379b21dc3e023f1f433823079cda8ea4376c0da08ba6e5dfc9c3aa5

SHA512
b4aa0ad71c8e834396068ca2563cbb9ae9e3e81f61abb96ba56ae43e319887b3a9bbdc9e8c19fd4487224d7763f08c50ca241d5f5e204c8bd429cccbf59c0797

Download Submit
C:\Users\Admin\AppData\Local\Temp\TP8rFX5VPB.bat

Filesize
198B

MD5
a7f214247363152b765510246ddf67ea

SHA1
23ed2351de6653e4f3ba08c674ddddb88df12a3d

SHA256
bbc6f62a85b1c1e2d8928565b68b70ca5b8ba85bc4725d64bc523006b0b2d54d

SHA512
4bd66aa18cde0826412639bbfecadfa8d5874b9d01baf645b4cb70b91197a2a8af1062a5dc8704602fbd0e4b3af0ef7df1f74e4711950113d251373e4c42d409

Download Submit
C:\Users\Admin\AppData\Local\Temp\TiDn8Em9ri.bat

Filesize
198B

MD5
32d213c492f89f634d7e8e58f6ef2457

SHA1
f47f3e5408e73896bcaa9158a2e783e5af78dbef

SHA256
a1451ed4b2eb93b2c325307fb4d5415999e9a151b52146e1aa693c7e137fead4

SHA512
c6f9e7187f6c84ced3f16b61391a2deb0cf90decb58dea64b671007d672019cc8339d0cd4de2ee0f73757ed3d372f6de31a8c8e7538f6757cde7e77ff41990e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\eUivgxqvfs.bat

Filesize
198B

MD5
aa16433adc7d7c8204a76f3633be9439

SHA1
2a39a3aafb7c105dc425259f4fccb40d660ba025

SHA256
1a89664b51294c4807a5f8d01f36888111e54c7ff1329518dea6ae82de76608b

SHA512
8280bc8df56d92a7edbbd8b7887cf228a20bf4777a7903cfde9a7f5a4de2376c703b08c5b93ef223ff0c114e92a823fb2e76d1e2eb5fa768aa4f9e046e297e37

Download Submit
C:\Users\Admin\AppData\Local\Temp\eUivgxqvfs.bat

Filesize
198B

MD5
aa16433adc7d7c8204a76f3633be9439

SHA1
2a39a3aafb7c105dc425259f4fccb40d660ba025

SHA256
1a89664b51294c4807a5f8d01f36888111e54c7ff1329518dea6ae82de76608b

SHA512
8280bc8df56d92a7edbbd8b7887cf228a20bf4777a7903cfde9a7f5a4de2376c703b08c5b93ef223ff0c114e92a823fb2e76d1e2eb5fa768aa4f9e046e297e37

Download Submit
C:\Users\Admin\AppData\Local\Temp\ffEuziAK6w.bat

Filesize
198B

MD5
7d92f1a0016a781cbf58e4fa6aa820d7

SHA1
da84ae70963b2f8dfc0e689d2e2aa164516f7e4a

SHA256
16bce988fd4749dfdbcc2e07781068ff738dd7a7d5f48dfb0a66ad4bf1ea602c

SHA512
bbf2a9c99ad5d9532b75bc1cdae2a371a99314cd700d6361fcf1cfa99b0e905621eaf0c468dab73c8de1148347766026feac0d28f4a4f13a2f2b5cc399536f40

Download Submit
C:\Users\Admin\AppData\Local\Temp\kOAwrWovpT.bat

Filesize
198B

MD5
6fa74c0344d87b5a9b213f5d9d68d1dd

SHA1
0eb3d0557498646f3ae6b8dfe3ffaeaab32eef7a

SHA256
9b9b0e3baf7b52a246cac2d7814e032f0c0690a7247c7041c764d0e81aeca575

SHA512
96a7a808baf90405ee5ae4abe584ddf1b9f0bc24ee8d7279da9c6a7a5f8937a0c733bbe24edd498e43318979b5c9fd545f27e635580ac81ff1ed49ca6530a19c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vIn8vbLsXf.bat

Filesize
198B

MD5
d3a75dcc19dd53112e7a2480207ca3dd

SHA1
9eea34897457e4677bd49e12aa46d725cc1be5da

SHA256
5c9d9581344c3bfdc493c445e8bd8f4fda00e4db287cf9c60a9f5f45c374222d

SHA512
48cbaca815aa1d77b426835eddf6b373cb373c48aecf84a7ae02243c8029ef958fe088c69c98c52d0efaeb5594155d05a65972dce8a3a194a370205fe10d3c66

Download Submit
C:\Users\Default\Music\sihost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Default\Music\sihost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Default\Music\sihost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Default\Music\sihost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Default\Music\sihost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Default\Music\sihost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Default\Music\sihost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Default\Music\sihost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Default\Music\sihost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Default\Music\sihost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Default\Music\sihost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Default\Music\sihost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Default\Music\sihost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/388-148-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/388-150-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/388-159-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/388-160-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/388-161-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/388-162-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/388-163-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/388-164-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/388-165-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/388-166-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/388-167-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/388-168-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/388-169-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/388-170-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/388-171-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/388-173-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/388-174-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/388-172-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/388-175-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/388-176-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/388-177-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/388-178-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/388-179-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/388-180-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/388-181-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/388-182-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/388-183-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/388-157-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/388-156-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/388-155-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/388-154-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/388-153-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/388-152-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/388-121-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/388-151-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/388-158-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/388-149-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/388-147-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/388-122-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/388-146-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/388-123-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/388-125-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/388-145-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/388-144-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/388-126-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/388-143-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/388-128-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/388-142-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/388-141-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/388-140-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/388-120-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/388-139-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/388-138-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/388-137-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/388-136-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/388-134-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/388-135-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/388-133-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/388-132-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/388-131-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/388-130-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/388-129-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/1828-490-0x0000000000D80000-0x0000000000D92000-memory.dmp

Filesize
72KB

Download
memory/3408-507-0x0000000000DA0000-0x0000000000DB2000-memory.dmp

Filesize
72KB

Download
memory/4304-323-0x0000012B52060000-0x0000012B520D6000-memory.dmp

Filesize
472KB

Download
memory/4744-501-0x00000000029B0000-0x00000000029C2000-memory.dmp

Filesize
72KB

Download
memory/4752-185-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/4752-186-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/4928-528-0x0000000000F00000-0x0000000000F12000-memory.dmp

Filesize
72KB

Download
memory/4956-317-0x000001D03B0F0000-0x000001D03B112000-memory.dmp

Filesize
136KB

Download
memory/5104-290-0x0000000001390000-0x000000000139C000-memory.dmp

Filesize
48KB

Download
memory/5104-286-0x0000000000C00000-0x0000000000D10000-memory.dmp

Filesize
1.1MB

Download
memory/5104-289-0x0000000001380000-0x000000000138C000-memory.dmp

Filesize
48KB

Download
memory/5104-288-0x0000000001360000-0x000000000136C000-memory.dmp

Filesize
48KB

Download
memory/5104-287-0x0000000001350000-0x0000000001362000-memory.dmp

Filesize
72KB

Download