dcrat | a2e1690e376542244c3c8f4d20f542469b7ce46d0de5a0ba9b9c1197b882aadd

Analysis

max time kernel
147s
max time network
150s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
01/11/2022, 11:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a2e1690e376542244c3c8f4d20f542469b7ce46d0de5a0ba9b9c1197b882aadd.exe
Size

1.3MB
MD5

093a0f614f6d88c25906d40d88ea1cfd
SHA1

f2fbfc4a4f3cf00f6d1c572280b7746010640e82
SHA256

a2e1690e376542244c3c8f4d20f542469b7ce46d0de5a0ba9b9c1197b882aadd
SHA512

dcc1f5f326d5a952c47a54d19f5bcacf077945fafe1bf8ca75723acc9ab1ba70642442bacce66a6a0d4481532d619cec32a4f5535737282ce26b834e787659cf
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3308	4944	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5116	4944	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4124	4944	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3228	4944	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4204	4944	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4696	4944	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	4944	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4908	4944	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4920	4944	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4708	4944	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5108	4944	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4692	4944	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3236	4944	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3212	4944	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5084	4944	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3188	4944	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5000	4944	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5016	4944	schtasks.exe	70

DCRat payload 16 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000800000001ac1e-284.dat	dcrat
behavioral1/files/0x000800000001ac1e-285.dat	dcrat
behavioral1/memory/4236-286-0x0000000000A50000-0x0000000000B60000-memory.dmp	dcrat
behavioral1/files/0x000600000001ac32-311.dat	dcrat
behavioral1/files/0x000600000001ac32-312.dat	dcrat
behavioral1/files/0x000600000001ac32-564.dat	dcrat
behavioral1/files/0x000600000001ac32-569.dat	dcrat
behavioral1/files/0x000600000001ac32-574.dat	dcrat
behavioral1/files/0x000600000001ac32-580.dat	dcrat
behavioral1/files/0x000600000001ac32-585.dat	dcrat
behavioral1/files/0x000600000001ac32-590.dat	dcrat
behavioral1/files/0x000600000001ac32-595.dat	dcrat
behavioral1/files/0x000600000001ac32-600.dat	dcrat
behavioral1/files/0x000600000001ac32-605.dat	dcrat
behavioral1/files/0x000600000001ac32-610.dat	dcrat
behavioral1/files/0x000600000001ac32-615.dat	dcrat

Executes dropped EXE 13 IoCs

pid	Process
4236	DllCommonsvc.exe
2328	DllCommonsvc.exe
4656	DllCommonsvc.exe
4804	DllCommonsvc.exe
3308	DllCommonsvc.exe
4976	DllCommonsvc.exe
2200	DllCommonsvc.exe
4180	DllCommonsvc.exe
4076	DllCommonsvc.exe
3768	DllCommonsvc.exe
4236	DllCommonsvc.exe
2460	DllCommonsvc.exe
3544	DllCommonsvc.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files\MSBuild\Microsoft\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\Microsoft\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\fontdrvhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\5b884080fd4f94	DllCommonsvc.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\a76d7bf15d8370	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\fontdrvhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\5b884080fd4f94	DllCommonsvc.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\schemas\VpnProfile\dllhost.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4124	schtasks.exe
5108	schtasks.exe
3236	schtasks.exe
5084	schtasks.exe
4204	schtasks.exe
2300	schtasks.exe
5016	schtasks.exe
3308	schtasks.exe
4920	schtasks.exe
4708	schtasks.exe
4692	schtasks.exe
3212	schtasks.exe
3188	schtasks.exe
5116	schtasks.exe
3228	schtasks.exe
4696	schtasks.exe
4908	schtasks.exe
5000	schtasks.exe

Modifies registry class 13 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	a2e1690e376542244c3c8f4d20f542469b7ce46d0de5a0ba9b9c1197b882aadd.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	DllCommonsvc.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
4236	DllCommonsvc.exe
4236	DllCommonsvc.exe
4236	DllCommonsvc.exe
4236	DllCommonsvc.exe
4236	DllCommonsvc.exe
5060	powershell.exe
5068	powershell.exe
500	powershell.exe
3772	powershell.exe
3680	powershell.exe
1860	powershell.exe
1360	powershell.exe
5068	powershell.exe
3772	powershell.exe
1360	powershell.exe
1860	powershell.exe
2328	DllCommonsvc.exe
5060	powershell.exe
3680	powershell.exe
500	powershell.exe
3772	powershell.exe
1360	powershell.exe
5068	powershell.exe
1860	powershell.exe
5060	powershell.exe
3680	powershell.exe
500	powershell.exe
4656	DllCommonsvc.exe
4804	DllCommonsvc.exe
3308	DllCommonsvc.exe
4976	DllCommonsvc.exe
2200	DllCommonsvc.exe
4180	DllCommonsvc.exe
4076	DllCommonsvc.exe
3768	DllCommonsvc.exe
4236	DllCommonsvc.exe
2460	DllCommonsvc.exe
3544	DllCommonsvc.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4236	DllCommonsvc.exe
Token: SeDebugPrivilege	5060	powershell.exe
Token: SeDebugPrivilege	5068	powershell.exe
Token: SeDebugPrivilege	500	powershell.exe
Token: SeDebugPrivilege	3772	powershell.exe
Token: SeDebugPrivilege	2328	DllCommonsvc.exe
Token: SeDebugPrivilege	3680	powershell.exe
Token: SeDebugPrivilege	1860	powershell.exe
Token: SeDebugPrivilege	1360	powershell.exe
Token: SeIncreaseQuotaPrivilege	3772	powershell.exe
Token: SeSecurityPrivilege	3772	powershell.exe
Token: SeTakeOwnershipPrivilege	3772	powershell.exe
Token: SeLoadDriverPrivilege	3772	powershell.exe
Token: SeSystemProfilePrivilege	3772	powershell.exe
Token: SeSystemtimePrivilege	3772	powershell.exe
Token: SeProfSingleProcessPrivilege	3772	powershell.exe
Token: SeIncBasePriorityPrivilege	3772	powershell.exe
Token: SeCreatePagefilePrivilege	3772	powershell.exe
Token: SeBackupPrivilege	3772	powershell.exe
Token: SeRestorePrivilege	3772	powershell.exe
Token: SeShutdownPrivilege	3772	powershell.exe
Token: SeDebugPrivilege	3772	powershell.exe
Token: SeSystemEnvironmentPrivilege	3772	powershell.exe
Token: SeRemoteShutdownPrivilege	3772	powershell.exe
Token: SeUndockPrivilege	3772	powershell.exe
Token: SeManageVolumePrivilege	3772	powershell.exe
Token: 33	3772	powershell.exe
Token: 34	3772	powershell.exe
Token: 35	3772	powershell.exe
Token: 36	3772	powershell.exe
Token: SeIncreaseQuotaPrivilege	5068	powershell.exe
Token: SeSecurityPrivilege	5068	powershell.exe
Token: SeTakeOwnershipPrivilege	5068	powershell.exe
Token: SeLoadDriverPrivilege	5068	powershell.exe
Token: SeSystemProfilePrivilege	5068	powershell.exe
Token: SeSystemtimePrivilege	5068	powershell.exe
Token: SeProfSingleProcessPrivilege	5068	powershell.exe
Token: SeIncBasePriorityPrivilege	5068	powershell.exe
Token: SeCreatePagefilePrivilege	5068	powershell.exe
Token: SeBackupPrivilege	5068	powershell.exe
Token: SeRestorePrivilege	5068	powershell.exe
Token: SeShutdownPrivilege	5068	powershell.exe
Token: SeDebugPrivilege	5068	powershell.exe
Token: SeSystemEnvironmentPrivilege	5068	powershell.exe
Token: SeRemoteShutdownPrivilege	5068	powershell.exe
Token: SeUndockPrivilege	5068	powershell.exe
Token: SeManageVolumePrivilege	5068	powershell.exe
Token: 33	5068	powershell.exe
Token: 34	5068	powershell.exe
Token: 35	5068	powershell.exe
Token: 36	5068	powershell.exe
Token: SeIncreaseQuotaPrivilege	1360	powershell.exe
Token: SeSecurityPrivilege	1360	powershell.exe
Token: SeTakeOwnershipPrivilege	1360	powershell.exe
Token: SeLoadDriverPrivilege	1360	powershell.exe
Token: SeSystemProfilePrivilege	1360	powershell.exe
Token: SeSystemtimePrivilege	1360	powershell.exe
Token: SeProfSingleProcessPrivilege	1360	powershell.exe
Token: SeIncBasePriorityPrivilege	1360	powershell.exe
Token: SeCreatePagefilePrivilege	1360	powershell.exe
Token: SeBackupPrivilege	1360	powershell.exe
Token: SeRestorePrivilege	1360	powershell.exe
Token: SeShutdownPrivilege	1360	powershell.exe
Token: SeDebugPrivilege	1360	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2760 wrote to memory of 2632	2760	a2e1690e376542244c3c8f4d20f542469b7ce46d0de5a0ba9b9c1197b882aadd.exe	66
PID 2760 wrote to memory of 2632	2760	a2e1690e376542244c3c8f4d20f542469b7ce46d0de5a0ba9b9c1197b882aadd.exe	66
PID 2760 wrote to memory of 2632	2760	a2e1690e376542244c3c8f4d20f542469b7ce46d0de5a0ba9b9c1197b882aadd.exe	66
PID 2632 wrote to memory of 4824	2632	WScript.exe	67
PID 2632 wrote to memory of 4824	2632	WScript.exe	67
PID 2632 wrote to memory of 4824	2632	WScript.exe	67
PID 4824 wrote to memory of 4236	4824	cmd.exe	69
PID 4824 wrote to memory of 4236	4824	cmd.exe	69
PID 4236 wrote to memory of 5060	4236	DllCommonsvc.exe	89
PID 4236 wrote to memory of 5060	4236	DllCommonsvc.exe	89
PID 4236 wrote to memory of 5068	4236	DllCommonsvc.exe	97
PID 4236 wrote to memory of 5068	4236	DllCommonsvc.exe	97
PID 4236 wrote to memory of 3680	4236	DllCommonsvc.exe	90
PID 4236 wrote to memory of 3680	4236	DllCommonsvc.exe	90
PID 4236 wrote to memory of 3772	4236	DllCommonsvc.exe	91
PID 4236 wrote to memory of 3772	4236	DllCommonsvc.exe	91
PID 4236 wrote to memory of 500	4236	DllCommonsvc.exe	94
PID 4236 wrote to memory of 500	4236	DllCommonsvc.exe	94
PID 4236 wrote to memory of 1360	4236	DllCommonsvc.exe	98
PID 4236 wrote to memory of 1360	4236	DllCommonsvc.exe	98
PID 4236 wrote to memory of 1860	4236	DllCommonsvc.exe	99
PID 4236 wrote to memory of 1860	4236	DllCommonsvc.exe	99
PID 4236 wrote to memory of 2328	4236	DllCommonsvc.exe	103
PID 4236 wrote to memory of 2328	4236	DllCommonsvc.exe	103
PID 2328 wrote to memory of 2556	2328	DllCommonsvc.exe	105
PID 2328 wrote to memory of 2556	2328	DllCommonsvc.exe	105
PID 2556 wrote to memory of 2924	2556	cmd.exe	107
PID 2556 wrote to memory of 2924	2556	cmd.exe	107
PID 2556 wrote to memory of 4656	2556	cmd.exe	108
PID 2556 wrote to memory of 4656	2556	cmd.exe	108
PID 4656 wrote to memory of 3880	4656	DllCommonsvc.exe	109
PID 4656 wrote to memory of 3880	4656	DllCommonsvc.exe	109
PID 3880 wrote to memory of 5032	3880	cmd.exe	111
PID 3880 wrote to memory of 5032	3880	cmd.exe	111
PID 3880 wrote to memory of 4804	3880	cmd.exe	112
PID 3880 wrote to memory of 4804	3880	cmd.exe	112
PID 4804 wrote to memory of 4836	4804	DllCommonsvc.exe	113
PID 4804 wrote to memory of 4836	4804	DllCommonsvc.exe	113
PID 4836 wrote to memory of 1296	4836	cmd.exe	115
PID 4836 wrote to memory of 1296	4836	cmd.exe	115
PID 4836 wrote to memory of 3308	4836	cmd.exe	116
PID 4836 wrote to memory of 3308	4836	cmd.exe	116
PID 3308 wrote to memory of 4136	3308	DllCommonsvc.exe	117
PID 3308 wrote to memory of 4136	3308	DllCommonsvc.exe	117
PID 4136 wrote to memory of 5084	4136	cmd.exe	119
PID 4136 wrote to memory of 5084	4136	cmd.exe	119
PID 4136 wrote to memory of 4976	4136	cmd.exe	120
PID 4136 wrote to memory of 4976	4136	cmd.exe	120
PID 4976 wrote to memory of 304	4976	DllCommonsvc.exe	121
PID 4976 wrote to memory of 304	4976	DllCommonsvc.exe	121
PID 304 wrote to memory of 3804	304	cmd.exe	123
PID 304 wrote to memory of 3804	304	cmd.exe	123
PID 304 wrote to memory of 2200	304	cmd.exe	124
PID 304 wrote to memory of 2200	304	cmd.exe	124
PID 2200 wrote to memory of 1888	2200	DllCommonsvc.exe	125
PID 2200 wrote to memory of 1888	2200	DllCommonsvc.exe	125
PID 1888 wrote to memory of 1592	1888	cmd.exe	127
PID 1888 wrote to memory of 1592	1888	cmd.exe	127
PID 1888 wrote to memory of 4180	1888	cmd.exe	128
PID 1888 wrote to memory of 4180	1888	cmd.exe	128
PID 4180 wrote to memory of 532	4180	DllCommonsvc.exe	129
PID 4180 wrote to memory of 532	4180	DllCommonsvc.exe	129
PID 532 wrote to memory of 4844	532	cmd.exe	131
PID 532 wrote to memory of 4844	532	cmd.exe	131

C:\Users\Admin\AppData\Local\Temp\a2e1690e376542244c3c8f4d20f542469b7ce46d0de5a0ba9b9c1197b882aadd.exe
"C:\Users\Admin\AppData\Local\Temp\a2e1690e376542244c3c8f4d20f542469b7ce46d0de5a0ba9b9c1197b882aadd.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2760
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4824
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4236
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5060
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\dllhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3680
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3772
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:500
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\Idle.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5068
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1360
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1860
    - - C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\DllCommonsvc.exe
        
        "C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\DllCommonsvc.exe"
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2328
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jnfhf9Euk8.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2556
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2924
        
        C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\DllCommonsvc.exe
        
        "C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\DllCommonsvc.exe"
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4656
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ctDgUbHuaY.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3880
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:5032
        
        C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\DllCommonsvc.exe
        
        "C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\DllCommonsvc.exe"
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4804
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CL2HVdYORd.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:4836
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1296
        
        C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\DllCommonsvc.exe
        
        "C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\DllCommonsvc.exe"
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3308
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vdJwOJplm6.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:4136
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:5084
        
        C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\DllCommonsvc.exe
        
        "C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\DllCommonsvc.exe"
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4976
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hlHmrlOhE6.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:304
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:3804
        
        C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\DllCommonsvc.exe
        
        "C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\DllCommonsvc.exe"
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2200
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OyPKZ08zKl.bat"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:1888
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1592
        
        C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\DllCommonsvc.exe
        
        "C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\DllCommonsvc.exe"
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4180
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ljgkLFIn4v.bat"
        18⤵
        Suspicious use of WriteProcessMemory
        
        PID:532
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:4844
        
        C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\DllCommonsvc.exe
        
        "C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\DllCommonsvc.exe"
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4076
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AQ0EpYUV7r.bat"
        20⤵
        
        PID:4668
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2312
        
        C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\DllCommonsvc.exe
        
        "C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\DllCommonsvc.exe"
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3768
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yQDva2PSBr.bat"
        22⤵
        
        PID:760
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:1120
        
        C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\DllCommonsvc.exe
        
        "C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\DllCommonsvc.exe"
        23⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4236
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\V68XQM6FdC.bat"
        24⤵
        
        PID:4624
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2620
        
        C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\DllCommonsvc.exe
        
        "C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\DllCommonsvc.exe"
        25⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2460
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xZLz5Ote6t.bat"
        26⤵
        
        PID:4680
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:4852
        
        C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\DllCommonsvc.exe
        
        "C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\DllCommonsvc.exe"
        27⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3544
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nfin2KLgOh.bat"
        28⤵
        
        PID:4656
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:4516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files\MSBuild\Microsoft\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files\MSBuild\Microsoft\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Portable Devices\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Portable Devices\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\odt\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files\Uninstall Information\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5016

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\DllCommonsvc.exe.log

Filesize
1KB

MD5
b4268d8ae66fdd920476b97a1776bf85

SHA1
f920de54f7467f0970eccc053d3c6c8dd181d49a

SHA256
61d17affcc8d91ecb1858e710c455186f9d0ccfc4d8ae17a1145d87bc7317879

SHA512
03b6b90641837f9efb6065698602220d6c5ad263d51d7b7714747c2a3c3c618bd3d94add206b034d6fa2b8e43cbd1ac4a1741cfa1c2b1c1fc8589ae0b0c89516

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6213c4984bcd9ef759307657aa20c9cd

SHA1
3244e6cf2d5b62abb320a0b6f00be5078bced2d7

SHA256
68d79ae435be5391f6faebfa2ac008a5c19e5e638ca6f0569f8068a1895c7a39

SHA512
1f5690667383dbff857a0d2125e933f39e35a29ac30e9b22ff0daeda11f222203598239ca4fe350ec76f03f07c162b181df6d5210d5f56bb8d43717bf34e35ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
043306ac8fe12dbe256c1bfff859452f

SHA1
48e7c8e7cfd43f39fdd32c23a2993010f11c968a

SHA256
e2d87338ebb14fcfbfce0d82fb681f83a75e38f65c4a045fb9899f835767049c

SHA512
1d5e23555aa568ce5a0a031514086b288b93bc3261ea4b87088fe13d65cf2a42f240b1115048a84a4a5cd1ca259a0346aaaad2af60561a6cde5f89b0814affd8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
043306ac8fe12dbe256c1bfff859452f

SHA1
48e7c8e7cfd43f39fdd32c23a2993010f11c968a

SHA256
e2d87338ebb14fcfbfce0d82fb681f83a75e38f65c4a045fb9899f835767049c

SHA512
1d5e23555aa568ce5a0a031514086b288b93bc3261ea4b87088fe13d65cf2a42f240b1115048a84a4a5cd1ca259a0346aaaad2af60561a6cde5f89b0814affd8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
043306ac8fe12dbe256c1bfff859452f

SHA1
48e7c8e7cfd43f39fdd32c23a2993010f11c968a

SHA256
e2d87338ebb14fcfbfce0d82fb681f83a75e38f65c4a045fb9899f835767049c

SHA512
1d5e23555aa568ce5a0a031514086b288b93bc3261ea4b87088fe13d65cf2a42f240b1115048a84a4a5cd1ca259a0346aaaad2af60561a6cde5f89b0814affd8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b05561df66e9f216f2252a22fa20a8aa

SHA1
47d15af0278eb3a5f743d83b6864c39451c4e529

SHA256
035d16495192dd0ed553e306725c6fbc544b55dcd73f3cd0949e5630cbdd41e0

SHA512
c185e0e29c63b53ab7704363f41c97a968f3ec397dc5ba9cd68ad389fb104465db7fb5c06cfc66ee689c50c1217c0bea7bc5663b678bd2557535c9f423336a9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b05561df66e9f216f2252a22fa20a8aa

SHA1
47d15af0278eb3a5f743d83b6864c39451c4e529

SHA256
035d16495192dd0ed553e306725c6fbc544b55dcd73f3cd0949e5630cbdd41e0

SHA512
c185e0e29c63b53ab7704363f41c97a968f3ec397dc5ba9cd68ad389fb104465db7fb5c06cfc66ee689c50c1217c0bea7bc5663b678bd2557535c9f423336a9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\AQ0EpYUV7r.bat

Filesize
264B

MD5
5475fd75d80c3a8176ea0066307357b0

SHA1
5dfb46a5eef79efc0ef8d0ea6695ba3560b0fed2

SHA256
296499a2c8597b538df4725c2c98ce2f79ad884212db86c458cccdf42f6b301d

SHA512
2fde32154abeb0430e6f1134e25bbdd43af61f015697f2db86233cb6316fe307ba711caf93cfad845772f9fa3c685649ea4f1eeb4284ba6d5e46769086ac3ac6

Download Submit
C:\Users\Admin\AppData\Local\Temp\CL2HVdYORd.bat

Filesize
264B

MD5
bfbfafe28872197e02aabbf0a9926525

SHA1
fd0bb4b0b2f7a92054a212862fe59b217c03ef3c

SHA256
61659238765403c8792602b256ae309e230bfb59061fe192a8436251a65ecc83

SHA512
7fcfe757a2fa1082592146751e7079eb2fbf4b331025de18bf3edcf84b0c07a365afcbba8df63db639dd94e83488b9160792a46840bf9e054c60822776f2a11a

Download Submit
C:\Users\Admin\AppData\Local\Temp\OyPKZ08zKl.bat

Filesize
264B

MD5
2f5ff2b275199391f97f23e1024f934e

SHA1
08c7848b6b5155c2074a6aa79d2809d75434766e

SHA256
0a913ee1ff3d86a8bc10f30fbc89c8e5ca792f002d6d1fd2e974597d4669e664

SHA512
993b546ba120590f973bbac2e195b45c840ac818d91a7fbb324a5dd1aa0518995b865561a70d99218af0fe2ad7445084080df712c4d90971739e78fd0578e0b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\V68XQM6FdC.bat

Filesize
264B

MD5
bd12bd897df199eaa50f9c16efe721f3

SHA1
ea16f3f196c9a83c3a748fe587ad2fe2b76053dd

SHA256
70f3c019c92f687982fea673576d530689ac46e6f716ba155b92a69ebe3beb70

SHA512
86ecd222203c8d91307743a4c570b9dc7019865c14798f7a9cd3369ceec41654a8a5c1bba36d130e84b66a58c632de3487a0e29e93d266a0440c85d486e28bb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ctDgUbHuaY.bat

Filesize
264B

MD5
68afa4c356372cb2ba6c7de5667a685f

SHA1
f36d0e541cc7d1a7f3ed2a439ea1129b51128889

SHA256
3749e97d61e275d20c234a73baa3f4dac399c698d8ee4e28c22786f759552cfd

SHA512
55a8c24f68ac1c825621c72aee852072612d5380d50a2e528735596e89d7f3ecad3ef4f1d8e0fb10e9c91ce2b63e535d9396d6a8d27afe4b21878b39a5ae8e25

Download Submit
C:\Users\Admin\AppData\Local\Temp\hlHmrlOhE6.bat

Filesize
264B

MD5
2b831708a8a41e73681e697901b87dfb

SHA1
cd74de0e47d9fdd9be093307f78f6b086be7f78b

SHA256
08da0ea04a66da01fead2064f5d675e4411a7da163dbbe39fd294a5fa789d21e

SHA512
edf227d68bd7928d94610474cece8cd1ed8f46d1afa03c1d6874b7184ba4912adc9d25f03097f8e6e8db4b17101f29fa316bd9fc39d1a19a11b9dba94f05d7ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\jnfhf9Euk8.bat

Filesize
264B

MD5
adea0d00f756488ecc63f5999c3bbb7c

SHA1
10b3165c70f2a51ec1408db8472c422b5f2a8091

SHA256
bd2ca722a851b458500b91f86373de95b2f36c89ac8fe964e3cc54bf054cca40

SHA512
af9996a182b5e67a0ce10c6460163f14e8f66000616eb83b66523e6adc241d4d7fb89870101424710f1cf63484ac97c56832d4ee0421ef9802328ef21558ffe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ljgkLFIn4v.bat

Filesize
264B

MD5
845806309e2a50e0694694cbc7552fea

SHA1
00b565ff89c45f9d2cf350419ea3134b3abcfe94

SHA256
530a53f24109d4eed6c704d86e824b47ff0efdc2dd4d635222e3350b0e527424

SHA512
45a8792b2c0967db55da9759374338122fa44e718105bb926bf9a9333bb91f316c7b54077dc0f77f9e0a36d9e2dcb23316d9382bd8d10a7132580216be11dee3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nfin2KLgOh.bat

Filesize
264B

MD5
5361d3ce92f2eaa1341401df26f365e3

SHA1
175427f270f902245bbc4353916cceb5167173d9

SHA256
00b0e437ad6bfed58f63f19ef25c4ed64c259193c016fe24f7b681193a7efa45

SHA512
b99fb649dcf47b65fc64aff8c6f45529a326ab6561c03f20b58a206c3f27cee442349936bc10a583b0f817d245a9f8389453f9c3c836cdf77486eb496498e3a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\vdJwOJplm6.bat

Filesize
264B

MD5
f2c82952088f3fce306088265e24d00f

SHA1
1f209c2162c12445c7fac1bf91ff64c833ab1cb1

SHA256
74971dc46fd6913f0fa0d45e75fdb5733cf925d3670a1e7dbc168dd855e18d30

SHA512
40c48ae257b046a777be775870f98259354d997540d06e2f0ac1523c07ccf745ac38b6644706dd8fc17b2b8a1df48fbecbeddacbe0e6cd6a6230bd7e2ce15547

Download Submit
C:\Users\Admin\AppData\Local\Temp\xZLz5Ote6t.bat

Filesize
264B

MD5
d69c6ef2529aa83f88a5e636d9cc1900

SHA1
45becd9269a260963a67deaddf68e48e9881f8f4

SHA256
7d6093fc1d5e33cf34bf2dbaaaf8260f8ca7b04424ce6fe6c5b5bd428f59f818

SHA512
861527991d0b560bd82308d923713fdd182d7f9cc955b8ad5ae5ad04dce79d9fc450494842ba0a51a7bc6528a17592824f37c14da2d521216e0e60eeb420ab47

Download Submit
C:\Users\Admin\AppData\Local\Temp\yQDva2PSBr.bat

Filesize
264B

MD5
23be76ef3b74a1bfbc63714f404d9ef3

SHA1
cc6701736e34ff47e2e431ea715daa3daea1f230

SHA256
1ac27bc97319fd51f28e57325fcd187db379f59e9ca19bfd87ba1f0c2f6f1572

SHA512
12243212aae96a6b6bde673c701061fd43ddcdccfc86da0185e8f943a09a00fd0dd5cc3c74a6ebcf5b6fec428f83cf3a5f0e82b9f9d39d8fa6b6573ea72f28b1

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/2632-186-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2632-185-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-161-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-160-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-180-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-181-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-182-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-183-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-178-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-177-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-176-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-175-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-174-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-121-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-138-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-172-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-173-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-122-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-139-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-123-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-125-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-126-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-128-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-140-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-137-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-129-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-170-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-171-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-169-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-168-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-167-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-166-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-130-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-141-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-165-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-164-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-163-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-162-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-120-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-179-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-159-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-158-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-157-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-156-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-142-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-131-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-155-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-143-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-154-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-132-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-152-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-133-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-134-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-153-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-151-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-150-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-144-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-145-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-146-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-149-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-135-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-136-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-147-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-148-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3308-575-0x0000000000DE0000-0x0000000000DF2000-memory.dmp

Filesize
72KB

Download
memory/3544-616-0x0000000002BB0000-0x0000000002BC2000-memory.dmp

Filesize
72KB

Download
memory/3772-349-0x000002776EE40000-0x000002776EEB6000-memory.dmp

Filesize
472KB

Download
memory/4236-286-0x0000000000A50000-0x0000000000B60000-memory.dmp

Filesize
1.1MB

Download
memory/4236-287-0x0000000001260000-0x0000000001272000-memory.dmp

Filesize
72KB

Download
memory/4236-288-0x0000000001270000-0x000000000127C000-memory.dmp

Filesize
48KB

Download
memory/4236-289-0x0000000002BC0000-0x0000000002BCC000-memory.dmp

Filesize
48KB

Download
memory/4236-290-0x0000000002BD0000-0x0000000002BDC000-memory.dmp

Filesize
48KB

Download
memory/5060-336-0x000001F068800000-0x000001F068822000-memory.dmp

Filesize
136KB

Download