dcrat | 294a15b8d5df132b50a68c5ac19a6c7aafc8b051983a28e7bf182bff6aa2ef15

Analysis

max time kernel
110s
max time network
96s
platform
windows7_x64
resource
win7-20230621-en
resource tags

arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
submitted
30-06-2023 12:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fund.exe
Size

2.0MB
MD5

2d63112893ec4a3142f4f0b1f16f56db
SHA1

108a292cf6ea50e137a192aae121a8c6bd4c20dc
SHA256

294a15b8d5df132b50a68c5ac19a6c7aafc8b051983a28e7bf182bff6aa2ef15
SHA512

0a22a2fc4cc40e483127571601e534d51fd284816d77f2150c58d9215ae83b7180d132121be1d9d56b838e27e5072d2145f7a8a5c2da38b999977d26b22e82ad
SSDEEP

49152:ubA3j5/MFK5hftE2CQdLYlGU/qPWbQCVLsMhdzRNlbGM:ubKMFA1dElGfWbQCVLsMxr

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	888	992	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	792	992	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1888	992	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1880	992	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1400	992	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1240	992	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	992	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	824	992	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	916	992	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	876	992	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	992	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	992	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1008	992	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	472	992	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	992	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	992	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	300	992	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1096	992	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	992	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1772	992	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	992	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1896	992	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	992	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1872	992	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1208	992	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1376	992	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	992	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	988	992	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	992	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	860	992	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1188	992	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	940	992	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	992	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1324	992	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1220	992	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	992	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1400	992	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	992	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1036	992	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1476	992	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	992	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	992	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1892	992	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	580	992	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	992	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	752	992	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	336	992	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	992	schtasks.exe	31

DCRat payload 15 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000012301-63.dat	dcrat
behavioral1/files/0x0008000000012301-66.dat	dcrat
behavioral1/files/0x0008000000012301-65.dat	dcrat
behavioral1/files/0x0008000000012301-64.dat	dcrat
behavioral1/memory/1460-67-0x0000000001120000-0x00000000012E6000-memory.dmp	dcrat
behavioral1/files/0x0008000000012311-90.dat	dcrat
behavioral1/files/0x000900000001268a-149.dat	dcrat
behavioral1/files/0x000700000001469b-157.dat	dcrat
behavioral1/files/0x00080000000132f2-242.dat	dcrat
behavioral1/files/0x00090000000133db-252.dat	dcrat
behavioral1/files/0x000a0000000133db-262.dat	dcrat
behavioral1/files/0x000c0000000133db-296.dat	dcrat
behavioral1/files/0x000c0000000133db-433.dat	dcrat
behavioral1/files/0x000c0000000133db-434.dat	dcrat
behavioral1/files/0x000c0000000133db-475.dat	dcrat

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	comSvc.exe

Executes dropped EXE 3 IoCs

pid	Process
1460	comSvc.exe
2680	wininit.exe
2112	wininit.exe

Loads dropped DLL 2 IoCs

pid	Process
1012	cmd.exe
1012	cmd.exe

Drops file in Program Files directory 30 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Sidebar\en-US\explorer.exe	comSvc.exe
File created	C:\Program Files\Windows Sidebar\Idle.exe	comSvc.exe
File created	C:\Program Files\Windows Sidebar\6ccacd8608530f	comSvc.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\fr-FR\taskhost.exe	comSvc.exe
File opened for modification	C:\Program Files\Windows Sidebar\en-US\explorer.exe	comSvc.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\RCXA7E2.tmp	comSvc.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\wininit.exe	comSvc.exe
File created	C:\Program Files (x86)\Windows Mail\fr-FR\taskhost.exe	comSvc.exe
File created	C:\Program Files\Microsoft Games\Purble Place\ja-JP\WMIADAP.exe	comSvc.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\ja-JP\RCX86DF.tmp	comSvc.exe
File opened for modification	C:\Program Files\Windows Sidebar\en-US\RCX9527.tmp	comSvc.exe
File created	C:\Program Files (x86)\Windows Mail\fr-FR\b75386f1303e64	comSvc.exe
File created	C:\Program Files\Microsoft Games\Purble Place\ja-JP\75a57c1bdf437c	comSvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\csrss.exe	comSvc.exe
File opened for modification	C:\Program Files\Windows Sidebar\en-US\RCX9526.tmp	comSvc.exe
File created	C:\Program Files\Windows Media Player\Network Sharing\wininit.exe	comSvc.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\RCX99CA.tmp	comSvc.exe
File opened for modification	C:\Program Files\Windows Sidebar\RCX9E2F.tmp	comSvc.exe
File created	C:\Program Files\Windows Media Player\Network Sharing\56085415360792	comSvc.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\fr-FR\RCX6030.tmp	comSvc.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\ja-JP\WMIADAP.exe	comSvc.exe
File created	C:\Program Files\Windows Sidebar\en-US\7a0fd90576e088	comSvc.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\ja-JP\RCX86F0.tmp	comSvc.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\RCX997B.tmp	comSvc.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\RCXA532.tmp	comSvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\886983d96e3d3e	comSvc.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\fr-FR\RCX5D51.tmp	comSvc.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\csrss.exe	comSvc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Idle.exe	comSvc.exe
File opened for modification	C:\Program Files\Windows Sidebar\RCX9E2E.tmp	comSvc.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\L2Schemas\RCX8289.tmp	comSvc.exe
File opened for modification	C:\Windows\L2Schemas\RCX829A.tmp	comSvc.exe
File opened for modification	C:\Windows\L2Schemas\conhost.exe	comSvc.exe
File created	C:\Windows\L2Schemas\conhost.exe	comSvc.exe
File created	C:\Windows\L2Schemas\088424020bedd6	comSvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
472	schtasks.exe
1096	schtasks.exe
1772	schtasks.exe
1608	schtasks.exe
1400	schtasks.exe
1756	schtasks.exe
888	schtasks.exe
916	schtasks.exe
1896	schtasks.exe
860	schtasks.exe
940	schtasks.exe
1036	schtasks.exe
1892	schtasks.exe
1948	schtasks.exe
792	schtasks.exe
1864	schtasks.exe
752	schtasks.exe
1920	schtasks.exe
1992	schtasks.exe
1692	schtasks.exe
1008	schtasks.exe
1616	schtasks.exe
824	schtasks.exe
300	schtasks.exe
1932	schtasks.exe
1872	schtasks.exe
1888	schtasks.exe
1400	schtasks.exe
1208	schtasks.exe
988	schtasks.exe
1644	schtasks.exe
1476	schtasks.exe
580	schtasks.exe
1880	schtasks.exe
876	schtasks.exe
1632	schtasks.exe
1324	schtasks.exe
1500	schtasks.exe
336	schtasks.exe
1240	schtasks.exe
1620	schtasks.exe
1376	schtasks.exe
1220	schtasks.exe
1992	schtasks.exe
1604	schtasks.exe
1672	schtasks.exe
1812	schtasks.exe
1188	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1460	comSvc.exe
1460	comSvc.exe
1460	comSvc.exe
1460	comSvc.exe
1460	comSvc.exe
1460	comSvc.exe
1460	comSvc.exe
1460	comSvc.exe
1460	comSvc.exe
1460	comSvc.exe
1460	comSvc.exe
1460	comSvc.exe
1460	comSvc.exe
1460	comSvc.exe
1460	comSvc.exe
1460	comSvc.exe
1460	comSvc.exe
1460	comSvc.exe
1460	comSvc.exe
1460	comSvc.exe
1460	comSvc.exe
1460	comSvc.exe
1460	comSvc.exe
1460	comSvc.exe
1460	comSvc.exe
1460	comSvc.exe
1460	comSvc.exe
1460	comSvc.exe
1460	comSvc.exe
1460	comSvc.exe
1460	comSvc.exe
1460	comSvc.exe
1460	comSvc.exe
1460	comSvc.exe
1460	comSvc.exe
1460	comSvc.exe
1460	comSvc.exe
1460	comSvc.exe
1460	comSvc.exe
1460	comSvc.exe
1460	comSvc.exe
1460	comSvc.exe
1460	comSvc.exe
1460	comSvc.exe
1460	comSvc.exe
1460	comSvc.exe
1460	comSvc.exe
1460	comSvc.exe
1460	comSvc.exe
1460	comSvc.exe
1460	comSvc.exe
1460	comSvc.exe
1460	comSvc.exe
1460	comSvc.exe
1460	comSvc.exe
948	powershell.exe
1732	powershell.exe
1948	powershell.exe
1616	powershell.exe
1604	powershell.exe
1968	powershell.exe
536	powershell.exe
1008	powershell.exe
1936	powershell.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	1460	comSvc.exe
Token: SeDebugPrivilege	948	powershell.exe
Token: SeDebugPrivilege	1948	powershell.exe
Token: SeDebugPrivilege	1732	powershell.exe
Token: SeDebugPrivilege	1616	powershell.exe
Token: SeDebugPrivilege	1604	powershell.exe
Token: SeDebugPrivilege	1968	powershell.exe
Token: SeDebugPrivilege	536	powershell.exe
Token: SeDebugPrivilege	1008	powershell.exe
Token: SeDebugPrivilege	1936	powershell.exe
Token: SeDebugPrivilege	1876	powershell.exe
Token: SeDebugPrivilege	524	powershell.exe
Token: SeDebugPrivilege	1188	powershell.exe
Token: SeDebugPrivilege	472	powershell.exe
Token: SeDebugPrivilege	2680	wininit.exe
Token: SeDebugPrivilege	2112	wininit.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 988	1708	fund.exe	27
PID 1708 wrote to memory of 988	1708	fund.exe	27
PID 1708 wrote to memory of 988	1708	fund.exe	27
PID 1708 wrote to memory of 988	1708	fund.exe	27
PID 988 wrote to memory of 1012	988	WScript.exe	28
PID 988 wrote to memory of 1012	988	WScript.exe	28
PID 988 wrote to memory of 1012	988	WScript.exe	28
PID 988 wrote to memory of 1012	988	WScript.exe	28
PID 1012 wrote to memory of 1460	1012	cmd.exe	30
PID 1012 wrote to memory of 1460	1012	cmd.exe	30
PID 1012 wrote to memory of 1460	1012	cmd.exe	30
PID 1012 wrote to memory of 1460	1012	cmd.exe	30
PID 1460 wrote to memory of 536	1460	comSvc.exe	80
PID 1460 wrote to memory of 536	1460	comSvc.exe	80
PID 1460 wrote to memory of 536	1460	comSvc.exe	80
PID 1460 wrote to memory of 1948	1460	comSvc.exe	81
PID 1460 wrote to memory of 1948	1460	comSvc.exe	81
PID 1460 wrote to memory of 1948	1460	comSvc.exe	81
PID 1460 wrote to memory of 1732	1460	comSvc.exe	82
PID 1460 wrote to memory of 1732	1460	comSvc.exe	82
PID 1460 wrote to memory of 1732	1460	comSvc.exe	82
PID 1460 wrote to memory of 1968	1460	comSvc.exe	103
PID 1460 wrote to memory of 1968	1460	comSvc.exe	103
PID 1460 wrote to memory of 1968	1460	comSvc.exe	103
PID 1460 wrote to memory of 1604	1460	comSvc.exe	101
PID 1460 wrote to memory of 1604	1460	comSvc.exe	101
PID 1460 wrote to memory of 1604	1460	comSvc.exe	101
PID 1460 wrote to memory of 1008	1460	comSvc.exe	100
PID 1460 wrote to memory of 1008	1460	comSvc.exe	100
PID 1460 wrote to memory of 1008	1460	comSvc.exe	100
PID 1460 wrote to memory of 524	1460	comSvc.exe	99
PID 1460 wrote to memory of 524	1460	comSvc.exe	99
PID 1460 wrote to memory of 524	1460	comSvc.exe	99
PID 1460 wrote to memory of 1876	1460	comSvc.exe	84
PID 1460 wrote to memory of 1876	1460	comSvc.exe	84
PID 1460 wrote to memory of 1876	1460	comSvc.exe	84
PID 1460 wrote to memory of 472	1460	comSvc.exe	83
PID 1460 wrote to memory of 472	1460	comSvc.exe	83
PID 1460 wrote to memory of 472	1460	comSvc.exe	83
PID 1460 wrote to memory of 948	1460	comSvc.exe	98
PID 1460 wrote to memory of 948	1460	comSvc.exe	98
PID 1460 wrote to memory of 948	1460	comSvc.exe	98
PID 1460 wrote to memory of 1616	1460	comSvc.exe	97
PID 1460 wrote to memory of 1616	1460	comSvc.exe	97
PID 1460 wrote to memory of 1616	1460	comSvc.exe	97
PID 1460 wrote to memory of 1188	1460	comSvc.exe	96
PID 1460 wrote to memory of 1188	1460	comSvc.exe	96
PID 1460 wrote to memory of 1188	1460	comSvc.exe	96
PID 1460 wrote to memory of 1936	1460	comSvc.exe	95
PID 1460 wrote to memory of 1936	1460	comSvc.exe	95
PID 1460 wrote to memory of 1936	1460	comSvc.exe	95
PID 1460 wrote to memory of 1608	1460	comSvc.exe	106
PID 1460 wrote to memory of 1608	1460	comSvc.exe	106
PID 1460 wrote to memory of 1608	1460	comSvc.exe	106
PID 1608 wrote to memory of 1376	1608	cmd.exe	108
PID 1608 wrote to memory of 1376	1608	cmd.exe	108
PID 1608 wrote to memory of 1376	1608	cmd.exe	108
PID 1608 wrote to memory of 2680	1608	cmd.exe	109
PID 1608 wrote to memory of 2680	1608	cmd.exe	109
PID 1608 wrote to memory of 2680	1608	cmd.exe	109
PID 2680 wrote to memory of 2820	2680	wininit.exe	110
PID 2680 wrote to memory of 2820	2680	wininit.exe	110
PID 2680 wrote to memory of 2820	2680	wininit.exe	110
PID 2680 wrote to memory of 2868	2680	wininit.exe	111

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\fund.exe
"C:\Users\Admin\AppData\Local\Temp\fund.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\DriverHostCrtNet\jO3lbUgUCuGG0nAZHcS.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:988
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\DriverHostCrtNet\ELvGRxvU.bat" "
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1012
  - - C:\DriverHostCrtNet\comSvc.exe
      "C:\DriverHostCrtNet\comSvc.exe"
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1460
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:536
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1948
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1732
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:472
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1876
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1936
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1188
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1616
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:948
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:524
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1008
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1604
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/DriverHostCrtNet/'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1968
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mqD8Kg9ZPx.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1608
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1376
      - C:\Program Files\Windows Media Player\Network Sharing\wininit.exe
        
        "C:\Program Files\Windows Media Player\Network Sharing\wininit.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2680
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fdd0c855-388a-43e5-a069-881be5868aeb.vbs"
        7⤵
        
        PID:2820
        
        C:\Program Files\Windows Media Player\Network Sharing\wininit.exe
        
        "C:\Program Files\Windows Media Player\Network Sharing\wininit.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2112
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\272fab5c-2a51-4250-9888-7f3f80867ab0.vbs"
        7⤵
        
        PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 6 /tr "'C:\DriverHostCrtNet\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\DriverHostCrtNet\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 9 /tr "'C:\DriverHostCrtNet\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "comSvcc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\comSvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "comSvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\comSvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "comSvcc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\comSvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Windows\L2Schemas\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\L2Schemas\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Windows\L2Schemas\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Games\Purble Place\ja-JP\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Purble Place\ja-JP\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Games\Purble Place\ja-JP\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Recovery\734fcb42-1063-11ee-bd91-fabf500b3286\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\734fcb42-1063-11ee-bd91-fabf500b3286\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Recovery\734fcb42-1063-11ee-bd91-fabf500b3286\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Sidebar\en-US\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\en-US\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\en-US\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Sidebar\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Media Player\Network Sharing\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Network Sharing\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Media Player\Network Sharing\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\DriverHostCrtNet\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\DriverHostCrtNet\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\DriverHostCrtNet\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1756

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\DriverHostCrtNet\ELvGRxvU.bat

Filesize
32B

MD5
39e72d40a9ddaaf86994f941af3f7465

SHA1
e4b7c6d895cb2ce60391ab1a4363425868b63204

SHA256
4482b48de5d1a8c39b59f5293ddc7bbcba2af31ff77ebc02e48b68c6a68b0fae

SHA512
beb0761aaca17016bd7def46956b006f201885f24b1ecce29e75b65199f9196a3cb2461b79734e49f8a2328647f3ae2e741b8afb52d7857d429b0a7b0ef0f4a1

Download Submit
C:\DriverHostCrtNet\comSvc.exe

Filesize
1.7MB

MD5
62ad00cc2622a8b4799967d3432446d3

SHA1
b996e520bc4371f8226690317b669e8404260b6c

SHA256
6161de0f3a3fca46dd5189044f367f13b5bb88f6473a02d32858188531832d23

SHA512
ef06f1070c83bd1aefbdbc1c57052b658986cf7860d1ae23ba2f6fd00791a71431735edc1aee703b8757ead6b8b4097f5760567a2a5f3646828295f7feddc0b8

Download Submit
C:\DriverHostCrtNet\comSvc.exe

Filesize
1.7MB

MD5
62ad00cc2622a8b4799967d3432446d3

SHA1
b996e520bc4371f8226690317b669e8404260b6c

SHA256
6161de0f3a3fca46dd5189044f367f13b5bb88f6473a02d32858188531832d23

SHA512
ef06f1070c83bd1aefbdbc1c57052b658986cf7860d1ae23ba2f6fd00791a71431735edc1aee703b8757ead6b8b4097f5760567a2a5f3646828295f7feddc0b8

Download Submit
C:\DriverHostCrtNet\jO3lbUgUCuGG0nAZHcS.vbe

Filesize
201B

MD5
82adae7375b04faa5979ee4a8ec018fe

SHA1
03399a4be44e3506e924019af67fbc4d5d52368b

SHA256
3a1dc9b632500be6a83a3ce53de4e6e5e09f2ea48ab7a7d79f51b68ec2278f44

SHA512
56b4c020d393ca69369fc538affb0787a19831e0536a6c61080c4c2e05c12624fb0bed5456676daaa09591c163ce6cd229f1e723c53965c2212912d442464c4a

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\RCX64D3.tmp

Filesize
1.7MB

MD5
33fe07be8ab88862fdcc88edb1ca249a

SHA1
b920085004a6653ea98ae0ba90ca963cea82a66a

SHA256
c900ace70d2818d1e7dc46fd549c27639f3bea6d088e8c1ce889903a90dd04dc

SHA512
f36b40cfcfa95ac6b3997f4a5c505af3d2b931c83993b116cfc18cc2b8b6fa731cb1219cdbcc138921824d74b16fb184de3dc2aa74c26fb60a0b31131f1b6d85

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsass.exe

Filesize
1.7MB

MD5
62ad00cc2622a8b4799967d3432446d3

SHA1
b996e520bc4371f8226690317b669e8404260b6c

SHA256
6161de0f3a3fca46dd5189044f367f13b5bb88f6473a02d32858188531832d23

SHA512
ef06f1070c83bd1aefbdbc1c57052b658986cf7860d1ae23ba2f6fd00791a71431735edc1aee703b8757ead6b8b4097f5760567a2a5f3646828295f7feddc0b8

Download Submit
C:\Program Files (x86)\Windows Mail\fr-FR\taskhost.exe

Filesize
1.7MB

MD5
69b7fc2e583e3d1270183061822d14a5

SHA1
53c37dba95f8b0b7b024400d305380913e6ea7af

SHA256
078df6340c0e679618f1b3f9b1837c90ed334d48a7baadde5e03dd00d5703f6e

SHA512
9c00172fea11872047c4bac65a178440a306a74581dd429a1838ff42b2085687e4d3952b8e239b687963f0fde3ac6b7104e0be43be01d52daf586cdf69e5ef58

Download Submit
C:\Program Files (x86)\Windows Sidebar\RCX997B.tmp

Filesize
1.7MB

MD5
ca594807f884b2d1d31585d8ce01adb4

SHA1
31d0cc1f5064fd1210c385963260cd1e3dde8758

SHA256
5fecf9630e7f9227b42af1ddcd0008a8e729444e04a6b8fe2709b49c55a73163

SHA512
1a8109bb7e47bb0a2a85a645c79d42dcd786722f55762c90adb5b047162c297a6ae73b24e590c2af2a4aa8e2223455be4adfda3b8a5685e2e73bcb93633357ef

Download Submit
C:\Program Files\Windows Media Player\Network Sharing\wininit.exe

Filesize
1.7MB

MD5
c12f9505f9d2aae6f02023fe1a87f061

SHA1
6b3fb16f07174a305a4c16bd112e0ef53e9ba342

SHA256
aeb3e98a228c047ab9b4db104bb38df0b6b80943969dc152d0c1efa8ae1e87b4

SHA512
33a455c10a3657042e1fdb17ba4a320e73aa8ed843e3873fd9cd63a2ecac81c38fc94a2fabecd1c04772435bd490ce06b9d9654a6907e465811082b627303be3

Download Submit
C:\Program Files\Windows Media Player\Network Sharing\wininit.exe

Filesize
1.7MB

MD5
c12f9505f9d2aae6f02023fe1a87f061

SHA1
6b3fb16f07174a305a4c16bd112e0ef53e9ba342

SHA256
aeb3e98a228c047ab9b4db104bb38df0b6b80943969dc152d0c1efa8ae1e87b4

SHA512
33a455c10a3657042e1fdb17ba4a320e73aa8ed843e3873fd9cd63a2ecac81c38fc94a2fabecd1c04772435bd490ce06b9d9654a6907e465811082b627303be3

Download Submit
C:\Program Files\Windows Media Player\Network Sharing\wininit.exe

Filesize
1.7MB

MD5
c12f9505f9d2aae6f02023fe1a87f061

SHA1
6b3fb16f07174a305a4c16bd112e0ef53e9ba342

SHA256
aeb3e98a228c047ab9b4db104bb38df0b6b80943969dc152d0c1efa8ae1e87b4

SHA512
33a455c10a3657042e1fdb17ba4a320e73aa8ed843e3873fd9cd63a2ecac81c38fc94a2fabecd1c04772435bd490ce06b9d9654a6907e465811082b627303be3

Download Submit
C:\Program Files\Windows Media Player\Network Sharing\wininit.exe

Filesize
1.7MB

MD5
c12f9505f9d2aae6f02023fe1a87f061

SHA1
6b3fb16f07174a305a4c16bd112e0ef53e9ba342

SHA256
aeb3e98a228c047ab9b4db104bb38df0b6b80943969dc152d0c1efa8ae1e87b4

SHA512
33a455c10a3657042e1fdb17ba4a320e73aa8ed843e3873fd9cd63a2ecac81c38fc94a2fabecd1c04772435bd490ce06b9d9654a6907e465811082b627303be3

Download Submit
C:\Program Files\Windows Sidebar\en-US\RCX9526.tmp

Filesize
1.7MB

MD5
d1faf221d774c39bd4036d023e9aeb6a

SHA1
bb9aac1cbd1df47ace3f161e0c5d89074cbd5cae

SHA256
f8a76374fea269cf2c9eca24b712613bd583b4a183947b7b87f2b995932a0cc9

SHA512
38500a2c2de9532dbc8d699f939e0f7915fcb93b40628d57f27112874cf771b2a90a1a73dcdb2d64f4b3fbbdade6e18d5d6f8f1a7936b22f1fa61f0f984d9ac1

Download Submit
C:\Recovery\734fcb42-1063-11ee-bd91-fabf500b3286\sppsvc.exe

Filesize
1.7MB

MD5
4fc7b1c0c93be0ea0c031ec4d81a0651

SHA1
9280200744189fbdc134cb2e5660ae6de8267c8f

SHA256
45f960ab9967dc87e8955e80ed5c954e422cd0b1469fdae5b1aa5fadf7b114f1

SHA512
adc8848de5e8d75bda0be6f4edd3331255354b6fed1459dde6f9abed52e17793972f87e47ee52154bde51fc2b3edfa4800cda81d8d7fce812435849e7bc51f3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\272fab5c-2a51-4250-9888-7f3f80867ab0.vbs

Filesize
517B

MD5
a1ada55f9d3953df545ed1bff01c8837

SHA1
850cee8a142fb8abd08d1702724bdb045a817722

SHA256
da8a58c737f7001df15a26da6d229edf0fb68f14474802f5d9484a8a0548aca8

SHA512
19dc3032c05de3d8692ed11ad6256937f51f383532a9eab14eef46fed3526dbe1e4d50a569a949958634ff497a96de519a8efba8f2ea4aba9d86571da7955636

Download Submit
C:\Users\Admin\AppData\Local\Temp\fdd0c855-388a-43e5-a069-881be5868aeb.vbs

Filesize
741B

MD5
cad8f5f7d3e345ba6fa7dbb7f493de47

SHA1
9f1c8e4b33dfb0cf7e128276ff88f8b54647a185

SHA256
fd9a1ad14940de643be6d44017fd0559e2f753048916cadfc7016ede4ddc845b

SHA512
27a7842e3725ab143d0f3b47ac3e0fd0310ecf59a458c982fa60c951032709c5c25078f9e4b92c03cd85640a38f923b32e995e4a8cc8dfe92ed7e55c74b494f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\mqD8Kg9ZPx.bat

Filesize
230B

MD5
f92ed9598de81bfe3855d6ebea1a4e12

SHA1
b9a8edb64b7bec979b1d34fa10b56c08e702ccf8

SHA256
006635a95831deff8d9711479715936cdc2c78d1626fc93531a22586a6aa8743

SHA512
4f8fba787bf6ab5d6852bd10ebe5c34a8db198a39f4bb60f5536215122d11006769375506eb2edc801533f821055a21d92c41eab749a37a3efd2f56a82076e4b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
281b7d39e73a65253697c7c5c83e48a6

SHA1
1a4e8b68bbd575b2530b2674609b5bb9362de64d

SHA256
bcad73ff9360aed833b531c697a9cbc1fff1c976c960a8ed685a3b80d11e3135

SHA512
5e6775556c6828398849095640cae5a1d02fbe2594c2ea0d11ffea67be8ec41741cbfe9af58e3001ed60feeda5dff63c65fed0576521db07055038a7ea29491d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
281b7d39e73a65253697c7c5c83e48a6

SHA1
1a4e8b68bbd575b2530b2674609b5bb9362de64d

SHA256
bcad73ff9360aed833b531c697a9cbc1fff1c976c960a8ed685a3b80d11e3135

SHA512
5e6775556c6828398849095640cae5a1d02fbe2594c2ea0d11ffea67be8ec41741cbfe9af58e3001ed60feeda5dff63c65fed0576521db07055038a7ea29491d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
281b7d39e73a65253697c7c5c83e48a6

SHA1
1a4e8b68bbd575b2530b2674609b5bb9362de64d

SHA256
bcad73ff9360aed833b531c697a9cbc1fff1c976c960a8ed685a3b80d11e3135

SHA512
5e6775556c6828398849095640cae5a1d02fbe2594c2ea0d11ffea67be8ec41741cbfe9af58e3001ed60feeda5dff63c65fed0576521db07055038a7ea29491d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
281b7d39e73a65253697c7c5c83e48a6

SHA1
1a4e8b68bbd575b2530b2674609b5bb9362de64d

SHA256
bcad73ff9360aed833b531c697a9cbc1fff1c976c960a8ed685a3b80d11e3135

SHA512
5e6775556c6828398849095640cae5a1d02fbe2594c2ea0d11ffea67be8ec41741cbfe9af58e3001ed60feeda5dff63c65fed0576521db07055038a7ea29491d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
281b7d39e73a65253697c7c5c83e48a6

SHA1
1a4e8b68bbd575b2530b2674609b5bb9362de64d

SHA256
bcad73ff9360aed833b531c697a9cbc1fff1c976c960a8ed685a3b80d11e3135

SHA512
5e6775556c6828398849095640cae5a1d02fbe2594c2ea0d11ffea67be8ec41741cbfe9af58e3001ed60feeda5dff63c65fed0576521db07055038a7ea29491d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
281b7d39e73a65253697c7c5c83e48a6

SHA1
1a4e8b68bbd575b2530b2674609b5bb9362de64d

SHA256
bcad73ff9360aed833b531c697a9cbc1fff1c976c960a8ed685a3b80d11e3135

SHA512
5e6775556c6828398849095640cae5a1d02fbe2594c2ea0d11ffea67be8ec41741cbfe9af58e3001ed60feeda5dff63c65fed0576521db07055038a7ea29491d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
281b7d39e73a65253697c7c5c83e48a6

SHA1
1a4e8b68bbd575b2530b2674609b5bb9362de64d

SHA256
bcad73ff9360aed833b531c697a9cbc1fff1c976c960a8ed685a3b80d11e3135

SHA512
5e6775556c6828398849095640cae5a1d02fbe2594c2ea0d11ffea67be8ec41741cbfe9af58e3001ed60feeda5dff63c65fed0576521db07055038a7ea29491d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
281b7d39e73a65253697c7c5c83e48a6

SHA1
1a4e8b68bbd575b2530b2674609b5bb9362de64d

SHA256
bcad73ff9360aed833b531c697a9cbc1fff1c976c960a8ed685a3b80d11e3135

SHA512
5e6775556c6828398849095640cae5a1d02fbe2594c2ea0d11ffea67be8ec41741cbfe9af58e3001ed60feeda5dff63c65fed0576521db07055038a7ea29491d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
281b7d39e73a65253697c7c5c83e48a6

SHA1
1a4e8b68bbd575b2530b2674609b5bb9362de64d

SHA256
bcad73ff9360aed833b531c697a9cbc1fff1c976c960a8ed685a3b80d11e3135

SHA512
5e6775556c6828398849095640cae5a1d02fbe2594c2ea0d11ffea67be8ec41741cbfe9af58e3001ed60feeda5dff63c65fed0576521db07055038a7ea29491d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
281b7d39e73a65253697c7c5c83e48a6

SHA1
1a4e8b68bbd575b2530b2674609b5bb9362de64d

SHA256
bcad73ff9360aed833b531c697a9cbc1fff1c976c960a8ed685a3b80d11e3135

SHA512
5e6775556c6828398849095640cae5a1d02fbe2594c2ea0d11ffea67be8ec41741cbfe9af58e3001ed60feeda5dff63c65fed0576521db07055038a7ea29491d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
281b7d39e73a65253697c7c5c83e48a6

SHA1
1a4e8b68bbd575b2530b2674609b5bb9362de64d

SHA256
bcad73ff9360aed833b531c697a9cbc1fff1c976c960a8ed685a3b80d11e3135

SHA512
5e6775556c6828398849095640cae5a1d02fbe2594c2ea0d11ffea67be8ec41741cbfe9af58e3001ed60feeda5dff63c65fed0576521db07055038a7ea29491d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7I79JDTCUOGORQ6VVS9K.temp

Filesize
7KB

MD5
281b7d39e73a65253697c7c5c83e48a6

SHA1
1a4e8b68bbd575b2530b2674609b5bb9362de64d

SHA256
bcad73ff9360aed833b531c697a9cbc1fff1c976c960a8ed685a3b80d11e3135

SHA512
5e6775556c6828398849095640cae5a1d02fbe2594c2ea0d11ffea67be8ec41741cbfe9af58e3001ed60feeda5dff63c65fed0576521db07055038a7ea29491d

Download Submit
\DriverHostCrtNet\comSvc.exe

Filesize
1.7MB

MD5
62ad00cc2622a8b4799967d3432446d3

SHA1
b996e520bc4371f8226690317b669e8404260b6c

SHA256
6161de0f3a3fca46dd5189044f367f13b5bb88f6473a02d32858188531832d23

SHA512
ef06f1070c83bd1aefbdbc1c57052b658986cf7860d1ae23ba2f6fd00791a71431735edc1aee703b8757ead6b8b4097f5760567a2a5f3646828295f7feddc0b8

Download Submit
\DriverHostCrtNet\comSvc.exe

Filesize
1.7MB

MD5
62ad00cc2622a8b4799967d3432446d3

SHA1
b996e520bc4371f8226690317b669e8404260b6c

SHA256
6161de0f3a3fca46dd5189044f367f13b5bb88f6473a02d32858188531832d23

SHA512
ef06f1070c83bd1aefbdbc1c57052b658986cf7860d1ae23ba2f6fd00791a71431735edc1aee703b8757ead6b8b4097f5760567a2a5f3646828295f7feddc0b8

Download Submit
memory/472-419-0x00000000026CB000-0x0000000002702000-memory.dmp

Filesize
220KB

Download
memory/524-416-0x00000000029CB000-0x0000000002A02000-memory.dmp

Filesize
220KB

Download
memory/524-418-0x00000000029C4000-0x00000000029C7000-memory.dmp

Filesize
12KB

Download
memory/536-421-0x0000000002420000-0x00000000024A0000-memory.dmp

Filesize
512KB

Download
memory/948-413-0x000000000254B000-0x0000000002582000-memory.dmp

Filesize
220KB

Download
memory/948-348-0x0000000001F50000-0x0000000001F58000-memory.dmp

Filesize
32KB

Download
memory/948-394-0x0000000002540000-0x00000000025C0000-memory.dmp

Filesize
512KB

Download
memory/948-411-0x0000000002540000-0x00000000025C0000-memory.dmp

Filesize
512KB

Download
memory/948-398-0x0000000002540000-0x00000000025C0000-memory.dmp

Filesize
512KB

Download
memory/1008-420-0x00000000029A0000-0x0000000002A20000-memory.dmp

Filesize
512KB

Download
memory/1008-417-0x00000000029A0000-0x0000000002A20000-memory.dmp

Filesize
512KB

Download
memory/1460-84-0x000000001A820000-0x000000001A82C000-memory.dmp

Filesize
48KB

Download
memory/1460-81-0x000000001A7F0000-0x000000001A7F8000-memory.dmp

Filesize
32KB

Download
memory/1460-319-0x000000001A8C0000-0x000000001A940000-memory.dmp

Filesize
512KB

Download
memory/1460-283-0x000000001A8C0000-0x000000001A940000-memory.dmp

Filesize
512KB

Download
memory/1460-267-0x000000001A8C0000-0x000000001A940000-memory.dmp

Filesize
512KB

Download
memory/1460-235-0x000000001A8C0000-0x000000001A940000-memory.dmp

Filesize
512KB

Download
memory/1460-336-0x000000001A8C0000-0x000000001A940000-memory.dmp

Filesize
512KB

Download
memory/1460-234-0x000000001A8C0000-0x000000001A940000-memory.dmp

Filesize
512KB

Download
memory/1460-75-0x0000000000AE0000-0x0000000000AEC000-memory.dmp

Filesize
48KB

Download
memory/1460-233-0x000000001A8C0000-0x000000001A940000-memory.dmp

Filesize
512KB

Download
memory/1460-209-0x000000001A8C0000-0x000000001A940000-memory.dmp

Filesize
512KB

Download
memory/1460-208-0x000000001A8C0000-0x000000001A940000-memory.dmp

Filesize
512KB

Download
memory/1460-184-0x000000001A8C0000-0x000000001A940000-memory.dmp

Filesize
512KB

Download
memory/1460-161-0x000000001A8C0000-0x000000001A940000-memory.dmp

Filesize
512KB

Download
memory/1460-148-0x000000001A8C0000-0x000000001A940000-memory.dmp

Filesize
512KB

Download
memory/1460-136-0x000000001A8C0000-0x000000001A940000-memory.dmp

Filesize
512KB

Download
memory/1460-135-0x000000001A8C0000-0x000000001A940000-memory.dmp

Filesize
512KB

Download
memory/1460-85-0x000000001A830000-0x000000001A83C000-memory.dmp

Filesize
48KB

Download
memory/1460-83-0x000000001A8C0000-0x000000001A940000-memory.dmp

Filesize
512KB

Download
memory/1460-80-0x0000000000B20000-0x0000000000B2A000-memory.dmp

Filesize
40KB

Download
memory/1460-76-0x0000000000B00000-0x0000000000B08000-memory.dmp

Filesize
32KB

Download
memory/1460-78-0x0000000000B10000-0x0000000000B1C000-memory.dmp

Filesize
48KB

Download
memory/1460-73-0x00000000009B0000-0x00000000009C2000-memory.dmp

Filesize
72KB

Download
memory/1460-74-0x0000000000AF0000-0x0000000000B00000-memory.dmp

Filesize
64KB

Download
memory/1460-72-0x0000000000AC0000-0x0000000000AD6000-memory.dmp

Filesize
88KB

Download
memory/1460-79-0x000000001A800000-0x000000001A80C000-memory.dmp

Filesize
48KB

Download
memory/1460-67-0x0000000001120000-0x00000000012E6000-memory.dmp

Filesize
1.8MB

Download
memory/1460-290-0x000000001A8C0000-0x000000001A940000-memory.dmp

Filesize
512KB

Download
memory/1460-68-0x000000001A8C0000-0x000000001A940000-memory.dmp

Filesize
512KB

Download
memory/1460-71-0x0000000000590000-0x00000000005A0000-memory.dmp

Filesize
64KB

Download
memory/1460-69-0x00000000004E0000-0x00000000004FC000-memory.dmp

Filesize
112KB

Download
memory/1460-82-0x000000001A810000-0x000000001A81E000-memory.dmp

Filesize
56KB

Download
memory/1460-70-0x0000000000580000-0x0000000000588000-memory.dmp

Filesize
32KB

Download
memory/1604-409-0x0000000002284000-0x0000000002287000-memory.dmp

Filesize
12KB

Download
memory/1604-407-0x000000000228B000-0x00000000022C2000-memory.dmp

Filesize
220KB

Download
memory/1616-406-0x0000000002810000-0x0000000002890000-memory.dmp

Filesize
512KB

Download
memory/1616-408-0x000000000281B000-0x0000000002852000-memory.dmp

Filesize
220KB

Download
memory/1616-393-0x0000000002810000-0x0000000002890000-memory.dmp

Filesize
512KB

Download
memory/1732-399-0x00000000028EB000-0x0000000002922000-memory.dmp

Filesize
220KB

Download
memory/1732-397-0x00000000028E4000-0x00000000028E7000-memory.dmp

Filesize
12KB

Download
memory/1732-396-0x00000000028E0000-0x0000000002960000-memory.dmp

Filesize
512KB

Download
memory/1732-395-0x00000000028E0000-0x0000000002960000-memory.dmp

Filesize
512KB

Download
memory/1732-346-0x000000001B140000-0x000000001B422000-memory.dmp

Filesize
2.9MB

Download
memory/1936-404-0x0000000002574000-0x0000000002577000-memory.dmp

Filesize
12KB

Download
memory/1936-401-0x000000000257B000-0x00000000025B2000-memory.dmp

Filesize
220KB

Download
memory/1948-402-0x0000000002200000-0x0000000002280000-memory.dmp

Filesize
512KB

Download
memory/1948-403-0x0000000002204000-0x0000000002207000-memory.dmp

Filesize
12KB

Download
memory/1948-405-0x000000000220B000-0x0000000002242000-memory.dmp

Filesize
220KB

Download
memory/1948-400-0x0000000002200000-0x0000000002280000-memory.dmp

Filesize
512KB

Download
memory/1968-415-0x0000000002950000-0x00000000029D0000-memory.dmp

Filesize
512KB

Download
memory/1968-414-0x000000000295B000-0x0000000002992000-memory.dmp

Filesize
220KB

Download
memory/1968-412-0x0000000002950000-0x00000000029D0000-memory.dmp

Filesize
512KB

Download
memory/1968-410-0x0000000002950000-0x00000000029D0000-memory.dmp

Filesize
512KB

Download