dcrat | cd490e0c73d4151742246381a61cbc8d67c95aa547f40db250112c354fc7bf65

Analysis

max time kernel
148s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 01:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_cd490e0c73d4151742246381a61cbc8d67c95aa547f40db250112c354fc7bf65.exe
Size

1.3MB
MD5

ece36ae77bf422e4658737054f617a94
SHA1

1da918f476f888a02bf8923d8cfdb96e6edb106b
SHA256

cd490e0c73d4151742246381a61cbc8d67c95aa547f40db250112c354fc7bf65
SHA512

3b253c4a03f4457bf1a9b7895583ba4f357717cdf337b08fb947f00af8bf3be25dbddfd4c3d38bcf36fe04b8513171413f83130da8f7aa3cd9fefbc1f0cb6a08
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 30 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	1396	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4088	1396	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4692	1396	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4112	1396	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4176	1396	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	808	1396	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2480	1396	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3204	1396	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	1396	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3276	1396	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	1396	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3656	1396	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4972	1396	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4120	1396	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3420	1396	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	1396	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3676	1396	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	452	1396	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	1396	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	916	1396	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4740	1396	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	1396	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	1396	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	1396	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	1396	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1428	1396	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	1396	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1200	1396	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	1396	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5036	1396	schtasks.exe	86

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x0007000000023c88-10.dat	dcrat
behavioral2/memory/3504-13-0x0000000000260000-0x0000000000370000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
904	powershell.exe
392	powershell.exe
3548	powershell.exe
2668	powershell.exe
5060	powershell.exe
4560	powershell.exe
4360	powershell.exe
4788	powershell.exe
2100	powershell.exe
436	powershell.exe
2760	powershell.exe

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	JaffaCakes118_cd490e0c73d4151742246381a61cbc8d67c95aa547f40db250112c354fc7bf65.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	sihost.exe

Executes dropped EXE 14 IoCs

pid	Process
3504	DllCommonsvc.exe
3952	sihost.exe
2184	sihost.exe
4864	sihost.exe
1392	sihost.exe
2420	sihost.exe
1204	sihost.exe
3092	sihost.exe
4972	sihost.exe
4076	sihost.exe
4368	sihost.exe
1604	sihost.exe
2968	sihost.exe
4292	sihost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs

Web Service

T1102

flow	ioc
22	raw.githubusercontent.com
54	raw.githubusercontent.com
40	raw.githubusercontent.com
41	raw.githubusercontent.com
45	raw.githubusercontent.com
46	raw.githubusercontent.com
47	raw.githubusercontent.com
55	raw.githubusercontent.com
23	raw.githubusercontent.com
39	raw.githubusercontent.com
58	raw.githubusercontent.com
56	raw.githubusercontent.com
57	raw.githubusercontent.com

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\RuntimeBroker.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\9e8d7a4ca61bd9	DllCommonsvc.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\TextInputHost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\22eafd247d37c3	DllCommonsvc.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\GameBarPresenceWriter\38384e6a620884	DllCommonsvc.exe
File created	C:\Windows\addins\dllhost.exe	DllCommonsvc.exe
File created	C:\Windows\addins\5940a34987c991	DllCommonsvc.exe
File created	C:\Windows\GameBarPresenceWriter\SearchApp.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_cd490e0c73d4151742246381a61cbc8d67c95aa547f40db250112c354fc7bf65.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	JaffaCakes118_cd490e0c73d4151742246381a61cbc8d67c95aa547f40db250112c354fc7bf65.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	sihost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4692	schtasks.exe
1808	schtasks.exe
2068	schtasks.exe
4088	schtasks.exe
3276	schtasks.exe
4972	schtasks.exe
3676	schtasks.exe
452	schtasks.exe
1972	schtasks.exe
2052	schtasks.exe
1736	schtasks.exe
2244	schtasks.exe
4112	schtasks.exe
3204	schtasks.exe
2692	schtasks.exe
3420	schtasks.exe
916	schtasks.exe
4176	schtasks.exe
4120	schtasks.exe
4740	schtasks.exe
2848	schtasks.exe
1200	schtasks.exe
1696	schtasks.exe
2480	schtasks.exe
3656	schtasks.exe
2272	schtasks.exe
808	schtasks.exe
1428	schtasks.exe
2044	schtasks.exe
5036	schtasks.exe

Suspicious behavior: EnumeratesProcesses 53 IoCs

pid	Process
3504	DllCommonsvc.exe
3504	DllCommonsvc.exe
3504	DllCommonsvc.exe
3504	DllCommonsvc.exe
3504	DllCommonsvc.exe
3504	DllCommonsvc.exe
3504	DllCommonsvc.exe
436	powershell.exe
436	powershell.exe
2100	powershell.exe
2100	powershell.exe
2668	powershell.exe
2668	powershell.exe
3548	powershell.exe
3548	powershell.exe
4360	powershell.exe
4360	powershell.exe
4560	powershell.exe
4560	powershell.exe
4788	powershell.exe
4788	powershell.exe
2760	powershell.exe
2760	powershell.exe
5060	powershell.exe
5060	powershell.exe
392	powershell.exe
392	powershell.exe
904	powershell.exe
904	powershell.exe
2760	powershell.exe
436	powershell.exe
2668	powershell.exe
4360	powershell.exe
2100	powershell.exe
4560	powershell.exe
3548	powershell.exe
5060	powershell.exe
4788	powershell.exe
392	powershell.exe
904	powershell.exe
3952	sihost.exe
2184	sihost.exe
4864	sihost.exe
1392	sihost.exe
2420	sihost.exe
1204	sihost.exe
3092	sihost.exe
4972	sihost.exe
4076	sihost.exe
4368	sihost.exe
1604	sihost.exe
2968	sihost.exe
4292	sihost.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	3504	DllCommonsvc.exe
Token: SeDebugPrivilege	436	powershell.exe
Token: SeDebugPrivilege	2100	powershell.exe
Token: SeDebugPrivilege	2668	powershell.exe
Token: SeDebugPrivilege	2760	powershell.exe
Token: SeDebugPrivilege	3548	powershell.exe
Token: SeDebugPrivilege	4560	powershell.exe
Token: SeDebugPrivilege	5060	powershell.exe
Token: SeDebugPrivilege	4360	powershell.exe
Token: SeDebugPrivilege	4788	powershell.exe
Token: SeDebugPrivilege	392	powershell.exe
Token: SeDebugPrivilege	904	powershell.exe
Token: SeDebugPrivilege	3952	sihost.exe
Token: SeDebugPrivilege	2184	sihost.exe
Token: SeDebugPrivilege	4864	sihost.exe
Token: SeDebugPrivilege	1392	sihost.exe
Token: SeDebugPrivilege	2420	sihost.exe
Token: SeDebugPrivilege	1204	sihost.exe
Token: SeDebugPrivilege	3092	sihost.exe
Token: SeDebugPrivilege	4972	sihost.exe
Token: SeDebugPrivilege	4076	sihost.exe
Token: SeDebugPrivilege	4368	sihost.exe
Token: SeDebugPrivilege	1604	sihost.exe
Token: SeDebugPrivilege	2968	sihost.exe
Token: SeDebugPrivilege	4292	sihost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4832 wrote to memory of 1072	4832	JaffaCakes118_cd490e0c73d4151742246381a61cbc8d67c95aa547f40db250112c354fc7bf65.exe	82
PID 4832 wrote to memory of 1072	4832	JaffaCakes118_cd490e0c73d4151742246381a61cbc8d67c95aa547f40db250112c354fc7bf65.exe	82
PID 4832 wrote to memory of 1072	4832	JaffaCakes118_cd490e0c73d4151742246381a61cbc8d67c95aa547f40db250112c354fc7bf65.exe	82
PID 1072 wrote to memory of 2464	1072	WScript.exe	83
PID 1072 wrote to memory of 2464	1072	WScript.exe	83
PID 1072 wrote to memory of 2464	1072	WScript.exe	83
PID 2464 wrote to memory of 3504	2464	cmd.exe	85
PID 2464 wrote to memory of 3504	2464	cmd.exe	85
PID 3504 wrote to memory of 904	3504	DllCommonsvc.exe	117
PID 3504 wrote to memory of 904	3504	DllCommonsvc.exe	117
PID 3504 wrote to memory of 392	3504	DllCommonsvc.exe	118
PID 3504 wrote to memory of 392	3504	DllCommonsvc.exe	118
PID 3504 wrote to memory of 4788	3504	DllCommonsvc.exe	119
PID 3504 wrote to memory of 4788	3504	DllCommonsvc.exe	119
PID 3504 wrote to memory of 3548	3504	DllCommonsvc.exe	120
PID 3504 wrote to memory of 3548	3504	DllCommonsvc.exe	120
PID 3504 wrote to memory of 2668	3504	DllCommonsvc.exe	121
PID 3504 wrote to memory of 2668	3504	DllCommonsvc.exe	121
PID 3504 wrote to memory of 2100	3504	DllCommonsvc.exe	122
PID 3504 wrote to memory of 2100	3504	DllCommonsvc.exe	122
PID 3504 wrote to memory of 5060	3504	DllCommonsvc.exe	123
PID 3504 wrote to memory of 5060	3504	DllCommonsvc.exe	123
PID 3504 wrote to memory of 436	3504	DllCommonsvc.exe	124
PID 3504 wrote to memory of 436	3504	DllCommonsvc.exe	124
PID 3504 wrote to memory of 4560	3504	DllCommonsvc.exe	125
PID 3504 wrote to memory of 4560	3504	DllCommonsvc.exe	125
PID 3504 wrote to memory of 4360	3504	DllCommonsvc.exe	126
PID 3504 wrote to memory of 4360	3504	DllCommonsvc.exe	126
PID 3504 wrote to memory of 2760	3504	DllCommonsvc.exe	127
PID 3504 wrote to memory of 2760	3504	DllCommonsvc.exe	127
PID 3504 wrote to memory of 1128	3504	DllCommonsvc.exe	139
PID 3504 wrote to memory of 1128	3504	DllCommonsvc.exe	139
PID 1128 wrote to memory of 3672	1128	cmd.exe	141
PID 1128 wrote to memory of 3672	1128	cmd.exe	141
PID 1128 wrote to memory of 3952	1128	cmd.exe	145
PID 1128 wrote to memory of 3952	1128	cmd.exe	145
PID 3952 wrote to memory of 4916	3952	sihost.exe	149
PID 3952 wrote to memory of 4916	3952	sihost.exe	149
PID 4916 wrote to memory of 624	4916	cmd.exe	151
PID 4916 wrote to memory of 624	4916	cmd.exe	151
PID 4916 wrote to memory of 2184	4916	cmd.exe	152
PID 4916 wrote to memory of 2184	4916	cmd.exe	152
PID 2184 wrote to memory of 3560	2184	sihost.exe	155
PID 2184 wrote to memory of 3560	2184	sihost.exe	155
PID 3560 wrote to memory of 4616	3560	cmd.exe	157
PID 3560 wrote to memory of 4616	3560	cmd.exe	157
PID 3560 wrote to memory of 4864	3560	cmd.exe	158
PID 3560 wrote to memory of 4864	3560	cmd.exe	158
PID 4864 wrote to memory of 2376	4864	sihost.exe	159
PID 4864 wrote to memory of 2376	4864	sihost.exe	159
PID 2376 wrote to memory of 3688	2376	cmd.exe	161
PID 2376 wrote to memory of 3688	2376	cmd.exe	161
PID 2376 wrote to memory of 1392	2376	cmd.exe	162
PID 2376 wrote to memory of 1392	2376	cmd.exe	162
PID 1392 wrote to memory of 2068	1392	sihost.exe	163
PID 1392 wrote to memory of 2068	1392	sihost.exe	163
PID 2068 wrote to memory of 4160	2068	cmd.exe	165
PID 2068 wrote to memory of 4160	2068	cmd.exe	165
PID 2068 wrote to memory of 2420	2068	cmd.exe	166
PID 2068 wrote to memory of 2420	2068	cmd.exe	166
PID 2420 wrote to memory of 3004	2420	sihost.exe	167
PID 2420 wrote to memory of 3004	2420	sihost.exe	167
PID 3004 wrote to memory of 4384	3004	cmd.exe	169
PID 3004 wrote to memory of 4384	3004	cmd.exe	169

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cd490e0c73d4151742246381a61cbc8d67c95aa547f40db250112c354fc7bf65.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cd490e0c73d4151742246381a61cbc8d67c95aa547f40db250112c354fc7bf65.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4832
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1072
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2464
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3504
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:904
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sihost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:392
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\addins\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4788
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\GameBarPresenceWriter\SearchApp.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3548
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\Registry.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2668
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\RuntimeBroker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2100
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5060
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\TextInputHost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:436
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Videos\StartMenuExperienceHost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4560
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4360
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2760
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fskEZErFci.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1128
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:3672
      - C:\providercommon\sihost.exe
        
        "C:\providercommon\sihost.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3952
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\biigBqxW9T.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4916
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:624
        
        C:\providercommon\sihost.exe
        
        "C:\providercommon\sihost.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2184
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zKs2Tjd9zb.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3560
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:4616
        
        C:\providercommon\sihost.exe
        
        "C:\providercommon\sihost.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4864
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7JTBpj7DN0.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:3688
        
        C:\providercommon\sihost.exe
        
        "C:\providercommon\sihost.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1392
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DFgOOKl5EO.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:2068
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:4160
        
        C:\providercommon\sihost.exe
        
        "C:\providercommon\sihost.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2420
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fjtq3MYUh4.bat"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:3004
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:4384
        
        C:\providercommon\sihost.exe
        
        "C:\providercommon\sihost.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1204
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iVopF68B7o.bat"
        17⤵
        
        PID:1696
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:3964
        
        C:\providercommon\sihost.exe
        
        "C:\providercommon\sihost.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3092
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7JTBpj7DN0.bat"
        19⤵
        
        PID:3532
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:980
        
        C:\providercommon\sihost.exe
        
        "C:\providercommon\sihost.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4972
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Yvohz7Nokj.bat"
        21⤵
        
        PID:2032
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:4504
        
        C:\providercommon\sihost.exe
        
        "C:\providercommon\sihost.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4076
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\T3kbcxG26A.bat"
        23⤵
        
        PID:3176
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:376
        
        C:\providercommon\sihost.exe
        
        "C:\providercommon\sihost.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4368
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rfuxuqwfwI.bat"
        25⤵
        
        PID:3644
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:4084
        
        C:\providercommon\sihost.exe
        
        "C:\providercommon\sihost.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1604
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AJeLhFiBvb.bat"
        27⤵
        
        PID:4064
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:4992
        
        C:\providercommon\sihost.exe
        
        "C:\providercommon\sihost.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2968
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5G5G1KH0qy.bat"
        29⤵
        
        PID:2656
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        30⤵
        
        PID:3568
        
        C:\providercommon\sihost.exe
        
        "C:\providercommon\sihost.exe"
        30⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\providercommon\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\providercommon\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\providercommon\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Windows\addins\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\addins\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Windows\addins\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Windows\GameBarPresenceWriter\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\GameBarPresenceWriter\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Windows\GameBarPresenceWriter\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Videos\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Admin\Videos\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Videos\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\providercommon\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sihost.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
291B

MD5
cb0a8ff4e751c0494e0ca571cba6f85d

SHA1
da8c9dab9ca154946e0e04c7bf956ac734f64ff2

SHA256
c25d7ee5c4fe115e05ee03ca9469e3b8d5fe9a9a9f486c146e5c704bd23c3dfd

SHA512
4e72d48dd90c67fc3e84d45c9fee9fbc742d546d69e7a0ca14ac0ee45c1e1b3f6d8de22449517dd015eaa52b71a93971cb714a7a3571b5beaba6410f6dc81930

Download Submit
C:\Users\Admin\AppData\Local\Temp\5G5G1KH0qy.bat

Filesize
193B

MD5
d96837a5ab3336954e4b3fbe732fab52

SHA1
728f1e27c035bfe68b9032bc3d03c51cb68ea13d

SHA256
d3fff6e79039216ed5ac886f2fee03d834551a4d9332c5ec3e83e3d12ae2d6b0

SHA512
7d6a565aaf8d16c05493d7b6bd391a6464bb93fcea1089f35b07a169b46079c8cb00c5fba061728d1bc0ac74df425be470f7bdbd9960f9e37067bb443f231818

Download Submit
C:\Users\Admin\AppData\Local\Temp\7JTBpj7DN0.bat

Filesize
193B

MD5
d891716585a9759d07885659ede4a644

SHA1
9bad2f50992de5e3933a4c34e50e4948d3e4e5aa

SHA256
9422942ac1807a75f35e52e569dbe1c39a0014247a22caaf943ff26838d05934

SHA512
9f9e42ce414064892ca6d43fd7f7acd5d1968bb3133a9439222bae5a38a88ecd126303f9bffeaaf887e0d664c97d8d2b8ec032c4ce1ad17cc93aa4eabdf010c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\AJeLhFiBvb.bat

Filesize
193B

MD5
4153615f47b09e3c01a150627caf1011

SHA1
c6aa51abe664122966a7ff604b088060a8d25bb1

SHA256
744ed0894ecd092f1c625a40198c6ffd99c3fd0aad9944e091b0ca6522894059

SHA512
830adcc0597da9c22f26ddfc78b9cf0951ed98d2d9666b3f9203d3d0a3f961fb3eaea6b31f6a1a482df5a2deb7c669a9f961e0ebe409c26a57209a4b7b470f29

Download Submit
C:\Users\Admin\AppData\Local\Temp\DFgOOKl5EO.bat

Filesize
193B

MD5
3deb8c6d4b6b36829cad06ef315caf94

SHA1
96c389ab7e08ee268fd948246eed45f5de121009

SHA256
b9d5270576297a004dcecea19e5f7300eed02e6e81c45cf93e52e3f6eac50ceb

SHA512
758edf0d536dba32841906f5768fdc3b3ff15a1b156bbfad04c901a8809c5454f31d1f70b58c296cf7ca00ca24d6c24b39805ffd4d2b5075a82f3bb31ba6052d

Download Submit
C:\Users\Admin\AppData\Local\Temp\T3kbcxG26A.bat

Filesize
193B

MD5
634dd9b40f8fe0c04668c09b943a95e3

SHA1
0c223efa31ffb3e0041381b926a2c0328e50a9cc

SHA256
2ecc15ff32fa80e44461dc6a286b79d6e6395f30b5a1d15883eb8e5edff97953

SHA512
22293044956030e0e3a2a7eeb8ef6adedf444405102efe951f0fde000d2dfbdcf10d9dee15b23c21af8cd8aa0c5582b95c4cf1e6e3427007a9e45a5abb0f6aae

Download Submit
C:\Users\Admin\AppData\Local\Temp\Yvohz7Nokj.bat

Filesize
193B

MD5
926d468ea5c795449c4980a5c3ddba84

SHA1
698024df505b774318d69105d9769f462d5f2eb1

SHA256
9101022cf860c8bbe0b141ca2157bd97fb6d4e162e96abbd9390b7dadc8f49a9

SHA512
a690ffb5a67a9a03a12eae143e6b63a536daf8b2eddb749a77580a9f20f8bcd9f61f000c0c988c8502b4bebd4e6b73c3a564f41b8dd401c8e09e236f0a206f48

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fsby1hrs.134.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\biigBqxW9T.bat

Filesize
193B

MD5
9c8d898ed443545d3a69614df7f74c86

SHA1
07497743670effd584cebbc21d840e95c18a494a

SHA256
d6fcd90e755d79c6fa668848a57e0d7a69e4e7e007c58dfdb720859e36704e79

SHA512
241b2ac84210eed013bc98c58bd9ba95bfc7c63e577d5e6fd1daa1111df1f0f7e0f7c21f3e97a76ee3030cadfe3e252fced41ef582da08d77c2e77a4b9877d16

Download Submit
C:\Users\Admin\AppData\Local\Temp\fjtq3MYUh4.bat

Filesize
193B

MD5
a9f5ea3f36af10f60cfc4d5161c55013

SHA1
57e4bb9bc60c9bca7720bc65eb38c1ffeb85011b

SHA256
dea23843afeb9c1d9717480e780a6d806fd5b70cebdec052aeb69a4df9b1d425

SHA512
c1117474542e541ae1b89a09b4af0f239b576d0a4ab17cdbdd0251ae549dbadf4ba96f159037c3460d916f43aa0a2c1118258a59d80ae09c3825ef0c44a50b14

Download Submit
C:\Users\Admin\AppData\Local\Temp\fskEZErFci.bat

Filesize
193B

MD5
e429e3108977b43b2d3c4faffa2a63f0

SHA1
c978bac0c11f51a94886ba5f3e9dd661bd1e14ac

SHA256
38aa751a0c1145169efc12344ab404ee50e6423ef6c95fe80d78c1f8a8ca2a19

SHA512
c3f2e4cce7c1e2e670c2a0eb1f0b7f0cd4c7e6fce113dbcd9c2b72115fee618d4499ad01464d0ff397faa2fc462eb25838df53009dda2a0324c8eea4ce20fd17

Download Submit
C:\Users\Admin\AppData\Local\Temp\iVopF68B7o.bat

Filesize
193B

MD5
917e297929db19b44a029f591fa3a05d

SHA1
bd014e305d98e8b3bc8da586618dafb6c4a20d88

SHA256
21afa8f64fb7e11f181b4c40406964b2cb43d126523000ec460bcc8474fdc60f

SHA512
bd9a63f725ddf4c916aac752ab35e64f5492d7fb7f78946af022d4707d029c0c68bc4096801f728012e8d6dc51a7eb1472217886ed14e7ddd0ec7b7ae5912ffb

Download Submit
C:\Users\Admin\AppData\Local\Temp\rfuxuqwfwI.bat

Filesize
193B

MD5
1c2daac5105be5e24d7f2407e8b549ab

SHA1
d4580f51915575f9e5a53e657b4491930dd54331

SHA256
db667dc75d8514be551a4fc0e0b0cdc03b9b8e95b91a1d6b1e92a6c467973b7c

SHA512
2a8bef6742579ad166d6f496705ec22557bb3b1d59128b0ee8674c14e0ab5ee6e6a10fe3a900d77a05c18fd30fa86543a94b28bf41cb2043f27b6a3851b8db92

Download Submit
C:\Users\Admin\AppData\Local\Temp\zKs2Tjd9zb.bat

Filesize
193B

MD5
489818efaea83645f07b551a2e863e7f

SHA1
f5bf6af1ccec0752011123ad9b95ade414f542f5

SHA256
73a5761efad1b4354a749fddf08f0b017a981fd48a014ec35701accd13527845

SHA512
9fe3a37119c7b0fd9966a4a4d8666f64f0d6c828d63a048ebe6086dbf4c33dc3b2e9d76f2d7597e765afc89a10f7330e0ebc02d39c6677a97adb9b292fbd7c74

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/436-51-0x000002494B350000-0x000002494B372000-memory.dmp

Filesize
136KB

Download
memory/1204-207-0x0000000001590000-0x00000000015A2000-memory.dmp

Filesize
72KB

Download
memory/1392-193-0x0000000002C40000-0x0000000002C52000-memory.dmp

Filesize
72KB

Download
memory/2184-179-0x0000000000970000-0x0000000000982000-memory.dmp

Filesize
72KB

Download
memory/2420-200-0x0000000000E10000-0x0000000000E22000-memory.dmp

Filesize
72KB

Download
memory/2968-245-0x0000000001960000-0x0000000001972000-memory.dmp

Filesize
72KB

Download
memory/3092-214-0x0000000001900000-0x0000000001912000-memory.dmp

Filesize
72KB

Download
memory/3504-14-0x0000000000CC0000-0x0000000000CD2000-memory.dmp

Filesize
72KB

Download
memory/3504-15-0x00000000026B0000-0x00000000026BC000-memory.dmp

Filesize
48KB

Download
memory/3504-13-0x0000000000260000-0x0000000000370000-memory.dmp

Filesize
1.1MB

Download
memory/3504-12-0x00007FFB411C3000-0x00007FFB411C5000-memory.dmp

Filesize
8KB

Download
memory/3504-16-0x0000000002580000-0x000000000258C000-memory.dmp

Filesize
48KB

Download
memory/3504-17-0x00000000026C0000-0x00000000026CC000-memory.dmp

Filesize
48KB

Download
memory/3952-170-0x00000000029C0000-0x00000000029D2000-memory.dmp

Filesize
72KB

Download
memory/4292-252-0x0000000002D60000-0x0000000002D72000-memory.dmp

Filesize
72KB

Download
memory/4864-186-0x0000000002C30000-0x0000000002C42000-memory.dmp

Filesize
72KB

Download