Overview

overview

10

Static

static

10

Expensive.exe

windows10-2004-x64

10

Resubmissions

28-10-2023 19:07

231028-xs4m6sef9w 10

28-10-2023 18:18

231028-wxkv7aee4y 10

Analysis

  • max time kernel
    332s
  • max time network
    271s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231020-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-10-2023 18:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Expensive.exe

  • Size

    2.1MB

  • MD5

    9127de477fcc591eea0315222e9ab353

  • SHA1

    3731c238313b43c908c5c10981f6e0f35bb6593f

  • SHA256

    071523576cd4bb651eeecf43780cea7dd9bcba75e00382016bc6ce9d47129c98

  • SHA512

    3999391dc6dd1e2e92d2d1318ee6b2306542c0e7d2977e73130283a3b44edce8b553663e17d54eb683ddf04096006a31d8b47b430309e38f199599f6c9947023

  • SSDEEP

    24576:h2G/nvxW3Wwh0hcCTp8vHOBYpTy1h1SyhGfS3l2o4nFAwODRxWcKmBN3ialREy4z:hbA3tGhcqKIJT1fsFpO/kWiaUJz

Score
10/10
dcratevasioninfostealerrattrojan

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Process spawned unexpected child process 48 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 12 IoCs
    evasiontrojan
  • DCRat payload 10 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Checks whether UAC is enabled 1 TTPs 8 IoCs
    evasiontrojan
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 13 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 48 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs
  • System policy modification 1 TTPs 12 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Expensive.exe
    "C:\Users\Admin\AppData\Local\Temp\Expensive.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4768
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\surrogateproviderdriverIntoperf\k8nUohoQkvTUGj0po2uwSdLBobMX.vbe"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:1472
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\surrogateproviderdriverIntoperf\qA2M4OOY6O3ec5qA9l2THG0b.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1404
        • C:\Users\Admin\AppData\Roaming\surrogateproviderdriverIntoperf\SavesCommon.exe
          "C:\Users\Admin\AppData\Roaming\surrogateproviderdriverIntoperf\SavesCommon.exe"
          4⤵
          • UAC bypass
          • Checks computer location settings
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:4164
          • C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\taskhostw.exe
            "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\taskhostw.exe"
            5⤵
            • UAC bypass
            • Checks computer location settings
            • Executes dropped EXE
            • Checks whether UAC is enabled
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:1332
            • C:\Windows\System32\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\77f0f49c-7df5-4c5d-910b-068a7bb5ea0c.vbs"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:4860
              • C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\taskhostw.exe
                "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\taskhostw.exe"
                7⤵
                • UAC bypass
                • Executes dropped EXE
                • Checks whether UAC is enabled
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • System policy modification
                PID:3688
            • C:\Windows\System32\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cfd875fb-4ce7-4236-8045-a3d99ba3471a.vbs"
              6⤵
                PID:2348
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sAPbyKfqpN.bat"
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:964
                • C:\Windows\system32\w32tm.exe
                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                  7⤵
                    PID:1760
                  • C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\taskhostw.exe
                    "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\taskhostw.exe"
                    7⤵
                    • UAC bypass
                    • Executes dropped EXE
                    • Checks whether UAC is enabled
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    • System policy modification
                    PID:1668
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:3840
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1516
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:3316
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Program Files\WindowsPowerShell\Configuration\cmd.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:5064
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Configuration\cmd.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4900
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Program Files\WindowsPowerShell\Configuration\cmd.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2080
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\odt\StartMenuExperienceHost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2448
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\odt\StartMenuExperienceHost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2788
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\odt\StartMenuExperienceHost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2624
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\RuntimeBroker.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4688
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4944
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1592
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\csrss.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1256
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2708
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4888
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\odt\unsecapp.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4492
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\odt\unsecapp.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2384
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\odt\unsecapp.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4676
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4336
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4252
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:3472
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\SoftwareDistribution\Registry.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4848
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\All Users\SoftwareDistribution\Registry.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1108
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\SoftwareDistribution\Registry.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4712
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Windows\Fonts\SearchApp.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:3444
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\Fonts\SearchApp.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1992
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Windows\Fonts\SearchApp.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4356
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\taskhostw.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2836
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\taskhostw.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4768
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\taskhostw.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1196
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Windows\Panther\setup.exe\backgroundTaskHost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:844
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\Panther\setup.exe\backgroundTaskHost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2336
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Windows\Panther\setup.exe\backgroundTaskHost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:232
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2192
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4720
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1508
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:3536
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2852
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1768
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\VLC\plugins\video_splitter\lsass.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1344
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\plugins\video_splitter\lsass.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2084
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files\VideoLAN\VLC\plugins\video_splitter\lsass.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2328
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1288
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2172
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:3832
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\odt\conhost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:216
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\odt\conhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2344
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\odt\conhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:3888
      • C:\Windows\Fonts\SearchApp.exe
        C:\Windows\Fonts\SearchApp.exe
        1⤵
        • Executes dropped EXE
        PID:4384

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\taskhostw.exe
        Filesize

        1.6MB

        MD5

        d8957e18549671aedf4dec7556d6c76e

        SHA1

        d87b7d9e128d5c20a6274dfb7196e46d58208cc4

        SHA256

        0f4b7a13f661f8383d2e06b45bf7403fb7068dab6bed5de593359b6852a30549

        SHA512

        b4c3e235ae3867f220b30e7cd87bc403828c3621716e79984c68b46531a4f8976fe07b82770c1777ac677d157de0adb40c6db86b7736c9adf3bb0e454eb599e1

        Download Submit

      • C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\taskhostw.exe
        Filesize

        1.6MB

        MD5

        d8957e18549671aedf4dec7556d6c76e

        SHA1

        d87b7d9e128d5c20a6274dfb7196e46d58208cc4

        SHA256

        0f4b7a13f661f8383d2e06b45bf7403fb7068dab6bed5de593359b6852a30549

        SHA512

        b4c3e235ae3867f220b30e7cd87bc403828c3621716e79984c68b46531a4f8976fe07b82770c1777ac677d157de0adb40c6db86b7736c9adf3bb0e454eb599e1

        Download Submit

      • C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\taskhostw.exe
        Filesize

        1.6MB

        MD5

        d8957e18549671aedf4dec7556d6c76e

        SHA1

        d87b7d9e128d5c20a6274dfb7196e46d58208cc4

        SHA256

        0f4b7a13f661f8383d2e06b45bf7403fb7068dab6bed5de593359b6852a30549

        SHA512

        b4c3e235ae3867f220b30e7cd87bc403828c3621716e79984c68b46531a4f8976fe07b82770c1777ac677d157de0adb40c6db86b7736c9adf3bb0e454eb599e1

        Download Submit

      • C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\taskhostw.exe
        Filesize

        1.6MB

        MD5

        d8957e18549671aedf4dec7556d6c76e

        SHA1

        d87b7d9e128d5c20a6274dfb7196e46d58208cc4

        SHA256

        0f4b7a13f661f8383d2e06b45bf7403fb7068dab6bed5de593359b6852a30549

        SHA512

        b4c3e235ae3867f220b30e7cd87bc403828c3621716e79984c68b46531a4f8976fe07b82770c1777ac677d157de0adb40c6db86b7736c9adf3bb0e454eb599e1

        Download Submit

      • C:\Program Files\WindowsPowerShell\Configuration\cmd.exe
        Filesize

        1.6MB

        MD5

        d8957e18549671aedf4dec7556d6c76e

        SHA1

        d87b7d9e128d5c20a6274dfb7196e46d58208cc4

        SHA256

        0f4b7a13f661f8383d2e06b45bf7403fb7068dab6bed5de593359b6852a30549

        SHA512

        b4c3e235ae3867f220b30e7cd87bc403828c3621716e79984c68b46531a4f8976fe07b82770c1777ac677d157de0adb40c6db86b7736c9adf3bb0e454eb599e1

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\taskhostw.exe.log
        Filesize

        1KB

        MD5

        c6ecc3bc2cdd7883e4f2039a5a5cf884

        SHA1

        20c9dd2a200e4b0390d490a7a76fa184bfc78151

        SHA256

        b3d90663a46ee5333f8f99df4d43c0c76bf3902e3ba3ab36c0903027176d340d

        SHA512

        892a8f8e50ff350e790e1543032c64b3e1c050198b1810f89b6ce8a23de947a3e8299e880f0e79da7e4b5373a6b95e7dd7814cd5d7406a1553ef104ff2ff091e

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\77f0f49c-7df5-4c5d-910b-068a7bb5ea0c.vbs
        Filesize

        753B

        MD5

        788b8779df193fef74b4284203aaf496

        SHA1

        c028d5f8c14ec187c40302d18050d2c12dbd21b6

        SHA256

        dda7bea9fb6ac2144c69eb8beb623e0132e553edcb91a6e83ad2d0405b3f583b

        SHA512

        4eeaee67e46832e0729812377ff6b8802ec92063c67c21c72f8c9b4ac3663545bc7a1269f850f3ed1b3675efab4b46153d9b8e47508560d28be19d259ed338db

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\cfd875fb-4ce7-4236-8045-a3d99ba3471a.vbs
        Filesize

        529B

        MD5

        ec8c8ef4ebefea2b09d9cbfe96cd3235

        SHA1

        d139a54407db2d252a28ebca829392223d8fca05

        SHA256

        47b73d671f7e3f7a0f95ef97f60a77476ae00ae2cd4f5728bc2bc8fea1ce0c0d

        SHA512

        a90cad686fc851344180edf5673239138619e56acc284544aec59177606f21fc112b865a94019664048c3d4bec048e1af6456a13466cdbe45148f7897663ace8

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\sAPbyKfqpN.bat
        Filesize

        242B

        MD5

        ada6925cda58ba9f75397fb2c66baf61

        SHA1

        3badf9715ca52e9e520db35e441dec2ec1fddcc7

        SHA256

        8c238cf606cef1e02c5fcd4215a18df06c8d61e0b7acf87a3dd5ded8cba4e238

        SHA512

        a2ae69ed4c67cf28d25be3e758b1a5ae1cd053dd23a547aeb4d159c3bfe56d82c3ce2374ae73b7450fbcb7149d34d9b10b836dbbbfd8011d7bde9f1dfceb3eea

        Download Submit

      • C:\Users\Admin\AppData\Roaming\surrogateproviderdriverIntoperf\SavesCommon.exe
        Filesize

        1.6MB

        MD5

        d8957e18549671aedf4dec7556d6c76e

        SHA1

        d87b7d9e128d5c20a6274dfb7196e46d58208cc4

        SHA256

        0f4b7a13f661f8383d2e06b45bf7403fb7068dab6bed5de593359b6852a30549

        SHA512

        b4c3e235ae3867f220b30e7cd87bc403828c3621716e79984c68b46531a4f8976fe07b82770c1777ac677d157de0adb40c6db86b7736c9adf3bb0e454eb599e1

        Download Submit

      • C:\Users\Admin\AppData\Roaming\surrogateproviderdriverIntoperf\SavesCommon.exe
        Filesize

        1.6MB

        MD5

        d8957e18549671aedf4dec7556d6c76e

        SHA1

        d87b7d9e128d5c20a6274dfb7196e46d58208cc4

        SHA256

        0f4b7a13f661f8383d2e06b45bf7403fb7068dab6bed5de593359b6852a30549

        SHA512

        b4c3e235ae3867f220b30e7cd87bc403828c3621716e79984c68b46531a4f8976fe07b82770c1777ac677d157de0adb40c6db86b7736c9adf3bb0e454eb599e1

        Download Submit

      • C:\Users\Admin\AppData\Roaming\surrogateproviderdriverIntoperf\k8nUohoQkvTUGj0po2uwSdLBobMX.vbe
        Filesize

        239B

        MD5

        445deffc476f599610ccfbc026c5719c

        SHA1

        ad2d330d80df0f2cb2bf9ee8e70566cd201cee04

        SHA256

        15324a0079a4e21407a0a0211fe8daec86eddd0f6ffc44878f8c0239a4f23cde

        SHA512

        92d38ef6d21319ec5927316943e2ef665df2a89fec9563fd85e317214322052e8f77f0027e859fcaa4d785b6be47ac9a56b99629dc487903f619d25477a9d018

        Download Submit

      • C:\Users\Admin\AppData\Roaming\surrogateproviderdriverIntoperf\qA2M4OOY6O3ec5qA9l2THG0b.bat
        Filesize

        59B

        MD5

        a0cf60494714328654ae0acf46d72cc0

        SHA1

        61bbcde48028567053eca470fcca76776bdc5d17

        SHA256

        b93da684a52006130321ff31e4f0f4af96ecd5bf2bfc347b24b6a596153319a7

        SHA512

        5fa41265ccbab182c5126c93471e18d45498378bd6d763466c278518c9e50f9c7bc31438c8cd6e9060931025c1bea942393b68428f1bdda927d7d0c216a01749

        Download Submit

      • C:\Windows\Fonts\SearchApp.exe
        Filesize

        1.6MB

        MD5

        d8957e18549671aedf4dec7556d6c76e

        SHA1

        d87b7d9e128d5c20a6274dfb7196e46d58208cc4

        SHA256

        0f4b7a13f661f8383d2e06b45bf7403fb7068dab6bed5de593359b6852a30549

        SHA512

        b4c3e235ae3867f220b30e7cd87bc403828c3621716e79984c68b46531a4f8976fe07b82770c1777ac677d157de0adb40c6db86b7736c9adf3bb0e454eb599e1

        Download Submit

      • C:\Windows\Fonts\SearchApp.exe
        Filesize

        1.6MB

        MD5

        4c52019072eb0e017b9a6575b83750bd

        SHA1

        62df1bc779fcb7afa73e94935f6a26413e490390

        SHA256

        1f9b6f21eb91a1c0f4d51af9b2ae3b2b62240b2426fd893f188922e5c00ccfd0

        SHA512

        98c1e57a26edb245f00483639061a169d53e003704475e0271857ac53fb2fafefac6ee18d5afa651508e1c2624e8f362c7563f28bf429e07363b5cb413697be3

        Download Submit

      • memory/1332-100-0x00007FFF25620000-0x00007FFF260E1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1332-84-0x000000001B6B0000-0x000000001B6C0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1332-81-0x00007FFF25620000-0x00007FFF260E1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1332-82-0x000000001B6B0000-0x000000001B6C0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1332-83-0x000000001B6B0000-0x000000001B6C0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1332-85-0x000000001B6B0000-0x000000001B6C0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1668-111-0x000000001BA60000-0x000000001BA70000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1668-113-0x000000001BA60000-0x000000001BA70000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1668-110-0x00007FFF25620000-0x00007FFF260E1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1668-112-0x000000001BA60000-0x000000001BA70000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1668-114-0x00007FFF25620000-0x00007FFF260E1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3688-105-0x000000001BE00000-0x000000001BE10000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3688-108-0x00007FFF25620000-0x00007FFF260E1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3688-107-0x000000001BE00000-0x000000001BE10000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3688-106-0x000000001BE00000-0x000000001BE10000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3688-104-0x00007FFF25620000-0x00007FFF260E1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4164-21-0x000000001B560000-0x000000001B570000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4164-36-0x000000001C450000-0x000000001C458000-memory.dmp

        Filesize

        32KB

        Download

      • memory/4164-80-0x00007FFF25620000-0x00007FFF260E1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4164-35-0x000000001C440000-0x000000001C44E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/4164-34-0x000000001C430000-0x000000001C43E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/4164-33-0x000000001C360000-0x000000001C36A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/4164-32-0x000000001C350000-0x000000001C35C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/4164-31-0x000000001C340000-0x000000001C34C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/4164-30-0x000000001C330000-0x000000001C33C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/4164-29-0x000000001C320000-0x000000001C328000-memory.dmp

        Filesize

        32KB

        Download

      • memory/4164-28-0x000000001B5C0000-0x000000001B5CA000-memory.dmp

        Filesize

        40KB

        Download

      • memory/4164-27-0x000000001B5B0000-0x000000001B5B8000-memory.dmp

        Filesize

        32KB

        Download

      • memory/4164-26-0x000000001B590000-0x000000001B5A6000-memory.dmp

        Filesize

        88KB

        Download

      • memory/4164-25-0x000000001B550000-0x000000001B558000-memory.dmp

        Filesize

        32KB

        Download

      • memory/4164-24-0x000000001C370000-0x000000001C3C0000-memory.dmp

        Filesize

        320KB

        Download

      • memory/4164-23-0x000000001B570000-0x000000001B58C000-memory.dmp

        Filesize

        112KB

        Download

      • memory/4164-22-0x000000001B560000-0x000000001B570000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4164-20-0x000000001B560000-0x000000001B570000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4164-19-0x000000001B560000-0x000000001B570000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4164-18-0x0000000002BC0000-0x0000000002BCE000-memory.dmp

        Filesize

        56KB

        Download

      • memory/4164-17-0x0000000002BA0000-0x0000000002BAE000-memory.dmp

        Filesize

        56KB

        Download

      • memory/4164-16-0x000000001B560000-0x000000001B570000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4164-15-0x000000001B560000-0x000000001B570000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4164-14-0x00007FFF25620000-0x00007FFF260E1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4164-13-0x0000000000830000-0x00000000009D6000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/4164-12-0x00007FFF25620000-0x00007FFF260E1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4384-118-0x00007FFF26330000-0x00007FFF26DF1000-memory.dmp

        Filesize

        10.8MB

        Download