dcrat | 8d36b0923f0cac7b5ea66d8d67a98b40c6403cf07e0f19d4cf86022d78f3b188

Analysis

max time kernel
143s
max time network
140s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
01/11/2022, 17:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8d36b0923f0cac7b5ea66d8d67a98b40c6403cf07e0f19d4cf86022d78f3b188.exe
Size

1.3MB
MD5

71041776f2ec6543ecaf79553d3d8a6f
SHA1

3d04d7429d5e082a12ff3f53655fe0e3d6e4d63c
SHA256

8d36b0923f0cac7b5ea66d8d67a98b40c6403cf07e0f19d4cf86022d78f3b188
SHA512

38b5d8391a897390a291cc45ec62ff634bb2c93dcab6fe007a4850114dceb864c4c0c1cb4aa87dce7f5e2c832bd315e6735c2fa532b6cd5f9eadf86423520ceb
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3116	4292	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4436	4292	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3176	4292	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3780	4292	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4472	4292	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4304	4292	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4248	4292	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5092	4292	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4336	4292	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4480	4292	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4760	4292	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4492	4292	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4772	4292	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4788	4292	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4784	4292	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4776	4292	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3156	4292	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4700	4292	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3204	4292	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4808	4292	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4580	4292	schtasks.exe	70

DCRat payload 17 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000700000001ac2e-280.dat	dcrat
behavioral1/files/0x000700000001ac2e-281.dat	dcrat
behavioral1/memory/2280-282-0x0000000000880000-0x0000000000990000-memory.dmp	dcrat
behavioral1/files/0x000600000001ac34-306.dat	dcrat
behavioral1/files/0x000600000001ac34-305.dat	dcrat
behavioral1/files/0x000600000001ac34-577.dat	dcrat
behavioral1/files/0x000600000001ac34-584.dat	dcrat
behavioral1/files/0x000600000001ac34-590.dat	dcrat
behavioral1/files/0x000600000001ac34-595.dat	dcrat
behavioral1/files/0x000600000001ac34-601.dat	dcrat
behavioral1/files/0x000600000001ac34-606.dat	dcrat
behavioral1/files/0x000600000001ac34-611.dat	dcrat
behavioral1/files/0x000600000001ac34-616.dat	dcrat
behavioral1/files/0x000600000001ac34-621.dat	dcrat
behavioral1/files/0x000600000001ac34-626.dat	dcrat
behavioral1/files/0x000600000001ac34-631.dat	dcrat
behavioral1/files/0x000600000001ac34-637.dat	dcrat

Executes dropped EXE 14 IoCs

pid	Process
2280	DllCommonsvc.exe
3288	taskhostw.exe
2332	taskhostw.exe
4780	taskhostw.exe
2528	taskhostw.exe
2184	taskhostw.exe
4516	taskhostw.exe
4536	taskhostw.exe
1556	taskhostw.exe
4688	taskhostw.exe
3772	taskhostw.exe
4608	taskhostw.exe
4552	taskhostw.exe
1388	taskhostw.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\ea9f0e6c9e2dcd	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\a76d7bf15d8370	DllCommonsvc.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fontdrvhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\5b884080fd4f94	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\taskhostw.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4492	schtasks.exe
3156	schtasks.exe
4700	schtasks.exe
4808	schtasks.exe
3176	schtasks.exe
4248	schtasks.exe
4480	schtasks.exe
4760	schtasks.exe
4580	schtasks.exe
3780	schtasks.exe
4772	schtasks.exe
4776	schtasks.exe
3204	schtasks.exe
4788	schtasks.exe
4784	schtasks.exe
3116	schtasks.exe
4472	schtasks.exe
4304	schtasks.exe
4336	schtasks.exe
4436	schtasks.exe
5092	schtasks.exe

Modifies registry class 13 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	8d36b0923f0cac7b5ea66d8d67a98b40c6403cf07e0f19d4cf86022d78f3b188.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	taskhostw.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
2280	DllCommonsvc.exe
2280	DllCommonsvc.exe
2280	DllCommonsvc.exe
2280	DllCommonsvc.exe
2280	DllCommonsvc.exe
2280	DllCommonsvc.exe
2280	DllCommonsvc.exe
2280	DllCommonsvc.exe
2280	DllCommonsvc.exe
2280	DllCommonsvc.exe
2280	DllCommonsvc.exe
4664	powershell.exe
4672	powershell.exe
480	powershell.exe
1772	powershell.exe
4664	powershell.exe
4672	powershell.exe
1332	powershell.exe
4824	powershell.exe
420	powershell.exe
3288	taskhostw.exe
1656	powershell.exe
1772	powershell.exe
4672	powershell.exe
420	powershell.exe
4664	powershell.exe
480	powershell.exe
1772	powershell.exe
420	powershell.exe
1332	powershell.exe
4824	powershell.exe
1656	powershell.exe
480	powershell.exe
1332	powershell.exe
4824	powershell.exe
1656	powershell.exe
2332	taskhostw.exe
4780	taskhostw.exe
2528	taskhostw.exe
2184	taskhostw.exe
4516	taskhostw.exe
4536	taskhostw.exe
1556	taskhostw.exe
4688	taskhostw.exe
3772	taskhostw.exe
4608	taskhostw.exe
4552	taskhostw.exe
1388	taskhostw.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2280	DllCommonsvc.exe
Token: SeDebugPrivilege	4664	powershell.exe
Token: SeDebugPrivilege	4672	powershell.exe
Token: SeDebugPrivilege	3288	taskhostw.exe
Token: SeDebugPrivilege	480	powershell.exe
Token: SeDebugPrivilege	1772	powershell.exe
Token: SeDebugPrivilege	1332	powershell.exe
Token: SeDebugPrivilege	4824	powershell.exe
Token: SeDebugPrivilege	420	powershell.exe
Token: SeDebugPrivilege	1656	powershell.exe
Token: SeIncreaseQuotaPrivilege	4664	powershell.exe
Token: SeSecurityPrivilege	4664	powershell.exe
Token: SeTakeOwnershipPrivilege	4664	powershell.exe
Token: SeLoadDriverPrivilege	4664	powershell.exe
Token: SeSystemProfilePrivilege	4664	powershell.exe
Token: SeSystemtimePrivilege	4664	powershell.exe
Token: SeProfSingleProcessPrivilege	4664	powershell.exe
Token: SeIncBasePriorityPrivilege	4664	powershell.exe
Token: SeCreatePagefilePrivilege	4664	powershell.exe
Token: SeBackupPrivilege	4664	powershell.exe
Token: SeRestorePrivilege	4664	powershell.exe
Token: SeShutdownPrivilege	4664	powershell.exe
Token: SeDebugPrivilege	4664	powershell.exe
Token: SeSystemEnvironmentPrivilege	4664	powershell.exe
Token: SeRemoteShutdownPrivilege	4664	powershell.exe
Token: SeUndockPrivilege	4664	powershell.exe
Token: SeManageVolumePrivilege	4664	powershell.exe
Token: 33	4664	powershell.exe
Token: 34	4664	powershell.exe
Token: 35	4664	powershell.exe
Token: 36	4664	powershell.exe
Token: SeIncreaseQuotaPrivilege	4672	powershell.exe
Token: SeSecurityPrivilege	4672	powershell.exe
Token: SeTakeOwnershipPrivilege	4672	powershell.exe
Token: SeLoadDriverPrivilege	4672	powershell.exe
Token: SeSystemProfilePrivilege	4672	powershell.exe
Token: SeSystemtimePrivilege	4672	powershell.exe
Token: SeProfSingleProcessPrivilege	4672	powershell.exe
Token: SeIncBasePriorityPrivilege	4672	powershell.exe
Token: SeCreatePagefilePrivilege	4672	powershell.exe
Token: SeBackupPrivilege	4672	powershell.exe
Token: SeRestorePrivilege	4672	powershell.exe
Token: SeShutdownPrivilege	4672	powershell.exe
Token: SeDebugPrivilege	4672	powershell.exe
Token: SeSystemEnvironmentPrivilege	4672	powershell.exe
Token: SeRemoteShutdownPrivilege	4672	powershell.exe
Token: SeUndockPrivilege	4672	powershell.exe
Token: SeManageVolumePrivilege	4672	powershell.exe
Token: 33	4672	powershell.exe
Token: 34	4672	powershell.exe
Token: 35	4672	powershell.exe
Token: 36	4672	powershell.exe
Token: SeIncreaseQuotaPrivilege	420	powershell.exe
Token: SeSecurityPrivilege	420	powershell.exe
Token: SeTakeOwnershipPrivilege	420	powershell.exe
Token: SeLoadDriverPrivilege	420	powershell.exe
Token: SeSystemProfilePrivilege	420	powershell.exe
Token: SeSystemtimePrivilege	420	powershell.exe
Token: SeProfSingleProcessPrivilege	420	powershell.exe
Token: SeIncBasePriorityPrivilege	420	powershell.exe
Token: SeCreatePagefilePrivilege	420	powershell.exe
Token: SeBackupPrivilege	420	powershell.exe
Token: SeRestorePrivilege	420	powershell.exe
Token: SeShutdownPrivilege	420	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2976 wrote to memory of 4376	2976	8d36b0923f0cac7b5ea66d8d67a98b40c6403cf07e0f19d4cf86022d78f3b188.exe	66
PID 2976 wrote to memory of 4376	2976	8d36b0923f0cac7b5ea66d8d67a98b40c6403cf07e0f19d4cf86022d78f3b188.exe	66
PID 2976 wrote to memory of 4376	2976	8d36b0923f0cac7b5ea66d8d67a98b40c6403cf07e0f19d4cf86022d78f3b188.exe	66
PID 4376 wrote to memory of 3968	4376	WScript.exe	67
PID 4376 wrote to memory of 3968	4376	WScript.exe	67
PID 4376 wrote to memory of 3968	4376	WScript.exe	67
PID 3968 wrote to memory of 2280	3968	cmd.exe	69
PID 3968 wrote to memory of 2280	3968	cmd.exe	69
PID 2280 wrote to memory of 4664	2280	DllCommonsvc.exe	92
PID 2280 wrote to memory of 4664	2280	DllCommonsvc.exe	92
PID 2280 wrote to memory of 4672	2280	DllCommonsvc.exe	94
PID 2280 wrote to memory of 4672	2280	DllCommonsvc.exe	94
PID 2280 wrote to memory of 480	2280	DllCommonsvc.exe	96
PID 2280 wrote to memory of 480	2280	DllCommonsvc.exe	96
PID 2280 wrote to memory of 4824	2280	DllCommonsvc.exe	98
PID 2280 wrote to memory of 4824	2280	DllCommonsvc.exe	98
PID 2280 wrote to memory of 420	2280	DllCommonsvc.exe	99
PID 2280 wrote to memory of 420	2280	DllCommonsvc.exe	99
PID 2280 wrote to memory of 1332	2280	DllCommonsvc.exe	100
PID 2280 wrote to memory of 1332	2280	DllCommonsvc.exe	100
PID 2280 wrote to memory of 1656	2280	DllCommonsvc.exe	102
PID 2280 wrote to memory of 1656	2280	DllCommonsvc.exe	102
PID 2280 wrote to memory of 1772	2280	DllCommonsvc.exe	103
PID 2280 wrote to memory of 1772	2280	DllCommonsvc.exe	103
PID 2280 wrote to memory of 3288	2280	DllCommonsvc.exe	107
PID 2280 wrote to memory of 3288	2280	DllCommonsvc.exe	107
PID 3288 wrote to memory of 4920	3288	taskhostw.exe	111
PID 3288 wrote to memory of 4920	3288	taskhostw.exe	111
PID 4920 wrote to memory of 5004	4920	cmd.exe	113
PID 4920 wrote to memory of 5004	4920	cmd.exe	113
PID 4920 wrote to memory of 2332	4920	cmd.exe	114
PID 4920 wrote to memory of 2332	4920	cmd.exe	114
PID 2332 wrote to memory of 4488	2332	taskhostw.exe	115
PID 2332 wrote to memory of 4488	2332	taskhostw.exe	115
PID 4488 wrote to memory of 4772	4488	cmd.exe	117
PID 4488 wrote to memory of 4772	4488	cmd.exe	117
PID 4488 wrote to memory of 4780	4488	cmd.exe	118
PID 4488 wrote to memory of 4780	4488	cmd.exe	118
PID 4780 wrote to memory of 820	4780	taskhostw.exe	121
PID 4780 wrote to memory of 820	4780	taskhostw.exe	121
PID 820 wrote to memory of 4660	820	cmd.exe	119
PID 820 wrote to memory of 4660	820	cmd.exe	119
PID 820 wrote to memory of 2528	820	cmd.exe	122
PID 820 wrote to memory of 2528	820	cmd.exe	122
PID 2528 wrote to memory of 3172	2528	taskhostw.exe	123
PID 2528 wrote to memory of 3172	2528	taskhostw.exe	123
PID 3172 wrote to memory of 1980	3172	cmd.exe	125
PID 3172 wrote to memory of 1980	3172	cmd.exe	125
PID 3172 wrote to memory of 2184	3172	cmd.exe	126
PID 3172 wrote to memory of 2184	3172	cmd.exe	126
PID 2184 wrote to memory of 580	2184	taskhostw.exe	127
PID 2184 wrote to memory of 580	2184	taskhostw.exe	127
PID 580 wrote to memory of 4840	580	cmd.exe	129
PID 580 wrote to memory of 4840	580	cmd.exe	129
PID 580 wrote to memory of 4516	580	cmd.exe	130
PID 580 wrote to memory of 4516	580	cmd.exe	130
PID 4516 wrote to memory of 4972	4516	taskhostw.exe	131
PID 4516 wrote to memory of 4972	4516	taskhostw.exe	131
PID 4972 wrote to memory of 2128	4972	cmd.exe	133
PID 4972 wrote to memory of 2128	4972	cmd.exe	133
PID 4972 wrote to memory of 4536	4972	cmd.exe	134
PID 4972 wrote to memory of 4536	4972	cmd.exe	134
PID 4536 wrote to memory of 204	4536	taskhostw.exe	135
PID 4536 wrote to memory of 204	4536	taskhostw.exe	135

C:\Users\Admin\AppData\Local\Temp\8d36b0923f0cac7b5ea66d8d67a98b40c6403cf07e0f19d4cf86022d78f3b188.exe
"C:\Users\Admin\AppData\Local\Temp\8d36b0923f0cac7b5ea66d8d67a98b40c6403cf07e0f19d4cf86022d78f3b188.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4376
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3968
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2280
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4664
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dwm.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4672
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\RedistList\taskhostw.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:480
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\wininit.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4824
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Saved Games\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:420
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1332
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1656
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Desktop\ShellExperienceHost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1772
    - - C:\Program Files (x86)\Microsoft.NET\RedistList\taskhostw.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\taskhostw.exe"
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3288
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EOPCJ2Obyf.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4920
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:5004
        
        C:\Program Files (x86)\Microsoft.NET\RedistList\taskhostw.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\taskhostw.exe"
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2332
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6VAw4LgrmW.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4488
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:4772
        
        C:\Program Files (x86)\Microsoft.NET\RedistList\taskhostw.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\taskhostw.exe"
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4780
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8RCzlRjk6I.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:820
        
        C:\Program Files (x86)\Microsoft.NET\RedistList\taskhostw.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\taskhostw.exe"
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ANE2RWndQ4.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:3172
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1980
        
        C:\Program Files (x86)\Microsoft.NET\RedistList\taskhostw.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\taskhostw.exe"
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2184
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GQn77QEoUi.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:580
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:4840
        
        C:\Program Files (x86)\Microsoft.NET\RedistList\taskhostw.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\taskhostw.exe"
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4516
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ANE2RWndQ4.bat"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:4972
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2128
        
        C:\Program Files (x86)\Microsoft.NET\RedistList\taskhostw.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\taskhostw.exe"
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4536
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\W3ML2JPNvQ.bat"
        18⤵
        
        PID:204
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1168
        
        C:\Program Files (x86)\Microsoft.NET\RedistList\taskhostw.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\taskhostw.exe"
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1556
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kyAhxuXJBD.bat"
        20⤵
        
        PID:1252
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:1408
        
        C:\Program Files (x86)\Microsoft.NET\RedistList\taskhostw.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\taskhostw.exe"
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4688
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J6LEBq1ChC.bat"
        22⤵
        
        PID:592
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:1244
        
        C:\Program Files (x86)\Microsoft.NET\RedistList\taskhostw.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\taskhostw.exe"
        23⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3772
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\crRU6Ya2tl.bat"
        24⤵
        
        PID:376
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:4872
        
        C:\Program Files (x86)\Microsoft.NET\RedistList\taskhostw.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\taskhostw.exe"
        25⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4608
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8RCzlRjk6I.bat"
        26⤵
        
        PID:4560
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:4468
        
        C:\Program Files (x86)\Microsoft.NET\RedistList\taskhostw.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\taskhostw.exe"
        27⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4552
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VCTPXfsZqS.bat"
        28⤵
        
        PID:1828
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:640
        
        C:\Program Files (x86)\Microsoft.NET\RedistList\taskhostw.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\taskhostw.exe"
        29⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Admin\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Saved Games\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Admin\Saved Games\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Saved Games\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows NT\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Desktop\ShellExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Desktop\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4580

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:4660

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft.NET\RedistList\taskhostw.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Microsoft.NET\RedistList\taskhostw.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Microsoft.NET\RedistList\taskhostw.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Microsoft.NET\RedistList\taskhostw.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Microsoft.NET\RedistList\taskhostw.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Microsoft.NET\RedistList\taskhostw.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Microsoft.NET\RedistList\taskhostw.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Microsoft.NET\RedistList\taskhostw.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Microsoft.NET\RedistList\taskhostw.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Microsoft.NET\RedistList\taskhostw.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Microsoft.NET\RedistList\taskhostw.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Microsoft.NET\RedistList\taskhostw.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Microsoft.NET\RedistList\taskhostw.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Microsoft.NET\RedistList\taskhostw.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\taskhostw.exe.log

Filesize
1KB

MD5
d63ff49d7c92016feb39812e4db10419

SHA1
2307d5e35ca9864ffefc93acf8573ea995ba189b

SHA256
375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12

SHA512
00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1434b89b175ee2dc2fa59d43f16257af

SHA1
dcbf4f39cea8d984025627e384536dbd6be4e488

SHA256
fc549ebe1176430d38aebc0c3e36d128cc03147f906b5d813e431b713c88c0b9

SHA512
38f19d79ba6b593bcacc787559dc29768b4b20ab820d400f94d93a7447d10816464ff30245bf48720ae1c62eb40d707cfd44ec3f003e8319f7e790f6a16fa322

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1434b89b175ee2dc2fa59d43f16257af

SHA1
dcbf4f39cea8d984025627e384536dbd6be4e488

SHA256
fc549ebe1176430d38aebc0c3e36d128cc03147f906b5d813e431b713c88c0b9

SHA512
38f19d79ba6b593bcacc787559dc29768b4b20ab820d400f94d93a7447d10816464ff30245bf48720ae1c62eb40d707cfd44ec3f003e8319f7e790f6a16fa322

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1434b89b175ee2dc2fa59d43f16257af

SHA1
dcbf4f39cea8d984025627e384536dbd6be4e488

SHA256
fc549ebe1176430d38aebc0c3e36d128cc03147f906b5d813e431b713c88c0b9

SHA512
38f19d79ba6b593bcacc787559dc29768b4b20ab820d400f94d93a7447d10816464ff30245bf48720ae1c62eb40d707cfd44ec3f003e8319f7e790f6a16fa322

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
960f16fa1521e7c97b1ae6098e276026

SHA1
c76a2bace4226f6c8139f22f75fcfec825ae68f1

SHA256
2d3d7d283beb80d0d2d5303b0fabc4740b755d21eaae5e4baaa4010e800f66c3

SHA512
320ff1c734f898dcea6ce4d632a40b4d92e875a8c51b92caec93b1550967f1dc5890784610426be7dfdcf4eb0f2587e9e91d3c894273fad183fa3725e96551dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
960f16fa1521e7c97b1ae6098e276026

SHA1
c76a2bace4226f6c8139f22f75fcfec825ae68f1

SHA256
2d3d7d283beb80d0d2d5303b0fabc4740b755d21eaae5e4baaa4010e800f66c3

SHA512
320ff1c734f898dcea6ce4d632a40b4d92e875a8c51b92caec93b1550967f1dc5890784610426be7dfdcf4eb0f2587e9e91d3c894273fad183fa3725e96551dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
cb25215c0c2d777285d8c7f7bc7d2ab0

SHA1
293fd9332fdf14ae16c89d52f348137d71a1529b

SHA256
85ce291d71e6517cce03110d90f22de9004b1e1860ed80e0c384775c426b7d03

SHA512
92d1e7d4ea23fdfe15be55228cd86db29adf38f4d3c7750b84da07ada8d2e361707b3f5867534d83ed902349d375a6cf4b681322f6ea308bc0a3d636b69dab15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
cb25215c0c2d777285d8c7f7bc7d2ab0

SHA1
293fd9332fdf14ae16c89d52f348137d71a1529b

SHA256
85ce291d71e6517cce03110d90f22de9004b1e1860ed80e0c384775c426b7d03

SHA512
92d1e7d4ea23fdfe15be55228cd86db29adf38f4d3c7750b84da07ada8d2e361707b3f5867534d83ed902349d375a6cf4b681322f6ea308bc0a3d636b69dab15

Download Submit
C:\Users\Admin\AppData\Local\Temp\6VAw4LgrmW.bat

Filesize
226B

MD5
4875510bdc0636a45717c60a58e87094

SHA1
991d1ff7a37f062b36a23fee7a839642f7c2f77a

SHA256
18856c2c4de45b9f0280784fa8aa6ba3ebdbc75878264f933f168f7cae786a91

SHA512
11ca2363b052ecb1f53e2f2f5af47545bf11bf96f1c37dd24b53134ca0cb676abe8c3ed298e64af6847b3fc7373ee26cf1062b65f494b3897426ad01a4008e8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\8RCzlRjk6I.bat

Filesize
226B

MD5
c83127b73b472b4ddce92fbd59eef8e4

SHA1
614849b9a4baa458de818fd2e8658dc460ebd87e

SHA256
30a8e44b5b4c936397ef410722f91bdd2285311cff1bd71b9a4d23a44ff82425

SHA512
e013b1ac7502dce09fa022ba92e42105b4f3fae9ca3e50351b19c9b55fb8404953a93ee6c7c97238deb3144c4709fbe09d4ae69f527f2cc2920594da8bec8307

Download Submit
C:\Users\Admin\AppData\Local\Temp\8RCzlRjk6I.bat

Filesize
226B

MD5
c83127b73b472b4ddce92fbd59eef8e4

SHA1
614849b9a4baa458de818fd2e8658dc460ebd87e

SHA256
30a8e44b5b4c936397ef410722f91bdd2285311cff1bd71b9a4d23a44ff82425

SHA512
e013b1ac7502dce09fa022ba92e42105b4f3fae9ca3e50351b19c9b55fb8404953a93ee6c7c97238deb3144c4709fbe09d4ae69f527f2cc2920594da8bec8307

Download Submit
C:\Users\Admin\AppData\Local\Temp\ANE2RWndQ4.bat

Filesize
226B

MD5
11418e13c8657c53e1fc892ad26cac76

SHA1
6f6f7bd64c934160a1346e88cbb68e7fd4042ec0

SHA256
87b153ab3d33c06ee80edd973dd4bd7bbb14d62ba8143368755591d9d9f69aee

SHA512
8bf3f93618070c0fac061595930ceb9c22bf8e419b82425618031eae4e4cfe6bcdd676ae516c12626857901a5e60eb65755042368acea8ea26914260a166dd25

Download Submit
C:\Users\Admin\AppData\Local\Temp\ANE2RWndQ4.bat

Filesize
226B

MD5
11418e13c8657c53e1fc892ad26cac76

SHA1
6f6f7bd64c934160a1346e88cbb68e7fd4042ec0

SHA256
87b153ab3d33c06ee80edd973dd4bd7bbb14d62ba8143368755591d9d9f69aee

SHA512
8bf3f93618070c0fac061595930ceb9c22bf8e419b82425618031eae4e4cfe6bcdd676ae516c12626857901a5e60eb65755042368acea8ea26914260a166dd25

Download Submit
C:\Users\Admin\AppData\Local\Temp\EOPCJ2Obyf.bat

Filesize
226B

MD5
5eda25c0a9b2b110bc63763d22b2f870

SHA1
beb87f533605b32c6bda26fc255bd3ebb7088e0a

SHA256
8e22c54c834f6a97e74ee4c188e9662adf72f937770846dfda9d6e41411fc13d

SHA512
3687238e8ba4414a99f87c5270e75154c8638496e50a7a08d020df9e4bc6223cfb1d763ee59c1f8de15c8dc624dff339186fbb7058a1893a736febf1f7626b5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\GQn77QEoUi.bat

Filesize
226B

MD5
0ee022a0b23f11be05f109b1716f7627

SHA1
a3f535097f0868d0f418a8409e60874c724e5363

SHA256
1d7c229558b5230b0d20d0715013b52215d2fac7747d03bd6012c560316a7516

SHA512
4182e4dba4089af3b73b4cbe947bd461cd0891d94d472b65b0cdcf1b26e62deeaa0ad4b5761ce3eff0e74256b3bd71e886ac4ba64bee1e89e6254b4709cea91c

Download Submit
C:\Users\Admin\AppData\Local\Temp\J6LEBq1ChC.bat

Filesize
226B

MD5
c54f7f14079f0aeb7cf2711baf559852

SHA1
c584ed2eb02a8823194e47c2f82340604774c6c4

SHA256
5dd93e7a37552939da4f281524b2110c5181e1f1c306f67aab8244d9af5171e3

SHA512
1f0184c73b0c84621434bcf51ca2c0542e74e42b1095db98e6407209cccbfb78317418ea9a6289f2d174a36d2548b01ef301e2c48a0de7f946fa1f27cab0a6ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\VCTPXfsZqS.bat

Filesize
226B

MD5
dee200900c27e113af71714acdf1b90d

SHA1
421fb5fc15185bf901c3802ba785b436bfdd6ede

SHA256
b251b22032d65d733862c3aeaac6d8301262620c48b5c9dbf57758babde2fcfb

SHA512
a922f8abeb52fcfa4bb7c90d1da9a49f2afda9407667249dd21a30b2ae6e80645e2a6e5d2f864aedf5a4f77e5df3fdb3108af7ffdc9467518787daffb3bfcca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\W3ML2JPNvQ.bat

Filesize
226B

MD5
7b2b6578654ef54203132ff45bb3f68e

SHA1
a87d5900f62ac6b059bb14a258baa5aa6f364e5b

SHA256
6ccc76fcad3074cac67a0d459aff5afc78142827114f3aafc5b8aebc942bbd7d

SHA512
2a40a28fac4a6e5d12539fd1219931c07eaa06eed60f15554b706171c1330506ddf3f3fd558d66d29091d6b1a0f150dde8e5ec892b63fd94b302e74b4a814ba3

Download Submit
C:\Users\Admin\AppData\Local\Temp\crRU6Ya2tl.bat

Filesize
226B

MD5
2bb568f68347967bfec1017a76a782a2

SHA1
64f6d4193713bf00600dbd603ca5c4b5b7df6237

SHA256
0a5f79e2c6c50d1d3e0db83bc410af8a2a2b6f960792e540ef43696094f95cd9

SHA512
54c10af4a16b7acf9112ef2234c2d0d6b7aee0bad435250a3801ea877071884d4869df5198af3b06e723615b0697fda2bc7579efa85c4fc032e349746d3371dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\kyAhxuXJBD.bat

Filesize
226B

MD5
d71d2c54267c4fdf39578874ec595037

SHA1
a1f5998a947c6a6c66feecff08b2933cd861c60c

SHA256
07eb1fed84187f915d094e6eaa877db0342c12528ed0eac711cdbc27ecb73dca

SHA512
e202a5ad31918c3ea9d7e7404a6f7cac1f45cf350892d16bf8bb0072833c90201054ca097dfd50624f256138aeee9dded01372c98659c585828b01b7a9e5f5b0

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/2184-596-0x0000000000E30000-0x0000000000E42000-memory.dmp

Filesize
72KB

Download
memory/2280-282-0x0000000000880000-0x0000000000990000-memory.dmp

Filesize
1.1MB

Download
memory/2280-286-0x0000000002B00000-0x0000000002B0C000-memory.dmp

Filesize
48KB

Download
memory/2280-285-0x0000000002AF0000-0x0000000002AFC000-memory.dmp

Filesize
48KB

Download
memory/2280-284-0x0000000002AE0000-0x0000000002AEC000-memory.dmp

Filesize
48KB

Download
memory/2280-283-0x0000000002AD0000-0x0000000002AE2000-memory.dmp

Filesize
72KB

Download
memory/2332-579-0x0000000001180000-0x0000000001192000-memory.dmp

Filesize
72KB

Download
memory/2976-139-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2976-165-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2976-176-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2976-117-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2976-175-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2976-177-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2976-118-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2976-119-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2976-174-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2976-121-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2976-172-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2976-171-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2976-169-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2976-168-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2976-122-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2976-170-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2976-167-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2976-124-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2976-125-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2976-126-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2976-127-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2976-166-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2976-128-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2976-148-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2976-164-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2976-163-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2976-162-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2976-161-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2976-160-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2976-157-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2976-159-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2976-158-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2976-129-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2976-156-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2976-130-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2976-131-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2976-155-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2976-132-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2976-154-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2976-134-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2976-133-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2976-153-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2976-135-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2976-152-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2976-151-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2976-136-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2976-173-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2976-137-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2976-144-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2976-116-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2976-149-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2976-179-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2976-147-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2976-146-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2976-178-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2976-138-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2976-142-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2976-140-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2976-145-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2976-143-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2976-141-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2976-150-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/3288-331-0x0000000002560000-0x0000000002572000-memory.dmp

Filesize
72KB

Download
memory/4376-181-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4376-182-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4552-632-0x0000000000D20000-0x0000000000D32000-memory.dmp

Filesize
72KB

Download
memory/4664-330-0x00000241AAFE0000-0x00000241AB002000-memory.dmp

Filesize
136KB

Download
memory/4672-335-0x000002397C130000-0x000002397C1A6000-memory.dmp

Filesize
472KB

Download
memory/4780-585-0x0000000000AD0000-0x0000000000AE2000-memory.dmp

Filesize
72KB

Download