dcrat | 33b4c674329533df4421a2e5198d0e9498a642f806e8a32f9a09c22ee455cb9b

Analysis

max time kernel
146s
max time network
148s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 18:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_33b4c674329533df4421a2e5198d0e9498a642f806e8a32f9a09c22ee455cb9b.exe
Size

1.3MB
MD5

f6c526beae7acf77e273aca4975f69be
SHA1

0ef07458c136bc408beade60a3e3eeca142f1d0b
SHA256

33b4c674329533df4421a2e5198d0e9498a642f806e8a32f9a09c22ee455cb9b
SHA512

2bd7b53625db63e663b394d16639c8f8874ab5696476f4cf323ec41d042840e503b76e82de1519a71aa3bebfe69687bda46506930658b0f1681147b0c5d1a445
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1340	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1196	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1008	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1356	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1260	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1000	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1200	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	2724	schtasks.exe	34

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016c66-9.dat	dcrat
behavioral1/memory/2908-13-0x0000000000CB0000-0x0000000000DC0000-memory.dmp	dcrat
behavioral1/memory/1052-36-0x00000000008D0000-0x00000000009E0000-memory.dmp	dcrat
behavioral1/memory/1996-132-0x0000000000350000-0x0000000000460000-memory.dmp	dcrat
behavioral1/memory/1692-193-0x0000000000E10000-0x0000000000F20000-memory.dmp	dcrat
behavioral1/memory/488-312-0x00000000000F0000-0x0000000000200000-memory.dmp	dcrat
behavioral1/memory/756-372-0x0000000000F00000-0x0000000001010000-memory.dmp	dcrat
behavioral1/memory/2652-491-0x0000000000FF0000-0x0000000001100000-memory.dmp	dcrat
behavioral1/memory/2672-668-0x00000000000A0000-0x00000000001B0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1704	powershell.exe
1712	powershell.exe
1724	powershell.exe
2932	powershell.exe
2852	powershell.exe
2832	powershell.exe
1676	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2908	DllCommonsvc.exe
1052	cmd.exe
1996	cmd.exe
1692	cmd.exe
1516	cmd.exe
488	cmd.exe
756	cmd.exe
3048	cmd.exe
2652	cmd.exe
2804	cmd.exe
2020	cmd.exe
2672	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
840	cmd.exe
840	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
16	raw.githubusercontent.com
20	raw.githubusercontent.com
23	raw.githubusercontent.com
30	raw.githubusercontent.com
36	raw.githubusercontent.com
5	raw.githubusercontent.com
12	raw.githubusercontent.com
26	raw.githubusercontent.com
33	raw.githubusercontent.com
39	raw.githubusercontent.com
4	raw.githubusercontent.com
9	raw.githubusercontent.com

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Globalization\Sorting\69ddcba757bf72	DllCommonsvc.exe
File created	C:\Windows\Globalization\Sorting\smss.exe	DllCommonsvc.exe
File opened for modification	C:\Windows\Globalization\Sorting\smss.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_33b4c674329533df4421a2e5198d0e9498a642f806e8a32f9a09c22ee455cb9b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2752	schtasks.exe
1000	schtasks.exe
2768	schtasks.exe
2924	schtasks.exe
1596	schtasks.exe
1008	schtasks.exe
1864	schtasks.exe
1260	schtasks.exe
2892	schtasks.exe
2764	schtasks.exe
2116	schtasks.exe
1196	schtasks.exe
1976	schtasks.exe
2628	schtasks.exe
1340	schtasks.exe
2184	schtasks.exe
1356	schtasks.exe
1200	schtasks.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
2908	DllCommonsvc.exe
1676	powershell.exe
1704	powershell.exe
1712	powershell.exe
2832	powershell.exe
2932	powershell.exe
2852	powershell.exe
1052	cmd.exe
1724	powershell.exe
1996	cmd.exe
1692	cmd.exe
1516	cmd.exe
488	cmd.exe
756	cmd.exe
3048	cmd.exe
2652	cmd.exe
2804	cmd.exe
2020	cmd.exe
2672	cmd.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	2908	DllCommonsvc.exe
Token: SeDebugPrivilege	1052	cmd.exe
Token: SeDebugPrivilege	1676	powershell.exe
Token: SeDebugPrivilege	1704	powershell.exe
Token: SeDebugPrivilege	1712	powershell.exe
Token: SeDebugPrivilege	2832	powershell.exe
Token: SeDebugPrivilege	2932	powershell.exe
Token: SeDebugPrivilege	2852	powershell.exe
Token: SeDebugPrivilege	1724	powershell.exe
Token: SeDebugPrivilege	1996	cmd.exe
Token: SeDebugPrivilege	1692	cmd.exe
Token: SeDebugPrivilege	1516	cmd.exe
Token: SeDebugPrivilege	488	cmd.exe
Token: SeDebugPrivilege	756	cmd.exe
Token: SeDebugPrivilege	3048	cmd.exe
Token: SeDebugPrivilege	2652	cmd.exe
Token: SeDebugPrivilege	2804	cmd.exe
Token: SeDebugPrivilege	2020	cmd.exe
Token: SeDebugPrivilege	2672	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1776 wrote to memory of 2912	1776	JaffaCakes118_33b4c674329533df4421a2e5198d0e9498a642f806e8a32f9a09c22ee455cb9b.exe	30
PID 1776 wrote to memory of 2912	1776	JaffaCakes118_33b4c674329533df4421a2e5198d0e9498a642f806e8a32f9a09c22ee455cb9b.exe	30
PID 1776 wrote to memory of 2912	1776	JaffaCakes118_33b4c674329533df4421a2e5198d0e9498a642f806e8a32f9a09c22ee455cb9b.exe	30
PID 1776 wrote to memory of 2912	1776	JaffaCakes118_33b4c674329533df4421a2e5198d0e9498a642f806e8a32f9a09c22ee455cb9b.exe	30
PID 2912 wrote to memory of 840	2912	WScript.exe	31
PID 2912 wrote to memory of 840	2912	WScript.exe	31
PID 2912 wrote to memory of 840	2912	WScript.exe	31
PID 2912 wrote to memory of 840	2912	WScript.exe	31
PID 840 wrote to memory of 2908	840	cmd.exe	33
PID 840 wrote to memory of 2908	840	cmd.exe	33
PID 840 wrote to memory of 2908	840	cmd.exe	33
PID 840 wrote to memory of 2908	840	cmd.exe	33
PID 2908 wrote to memory of 1704	2908	DllCommonsvc.exe	53
PID 2908 wrote to memory of 1704	2908	DllCommonsvc.exe	53
PID 2908 wrote to memory of 1704	2908	DllCommonsvc.exe	53
PID 2908 wrote to memory of 1712	2908	DllCommonsvc.exe	54
PID 2908 wrote to memory of 1712	2908	DllCommonsvc.exe	54
PID 2908 wrote to memory of 1712	2908	DllCommonsvc.exe	54
PID 2908 wrote to memory of 1724	2908	DllCommonsvc.exe	55
PID 2908 wrote to memory of 1724	2908	DllCommonsvc.exe	55
PID 2908 wrote to memory of 1724	2908	DllCommonsvc.exe	55
PID 2908 wrote to memory of 1676	2908	DllCommonsvc.exe	58
PID 2908 wrote to memory of 1676	2908	DllCommonsvc.exe	58
PID 2908 wrote to memory of 1676	2908	DllCommonsvc.exe	58
PID 2908 wrote to memory of 2932	2908	DllCommonsvc.exe	59
PID 2908 wrote to memory of 2932	2908	DllCommonsvc.exe	59
PID 2908 wrote to memory of 2932	2908	DllCommonsvc.exe	59
PID 2908 wrote to memory of 2832	2908	DllCommonsvc.exe	60
PID 2908 wrote to memory of 2832	2908	DllCommonsvc.exe	60
PID 2908 wrote to memory of 2832	2908	DllCommonsvc.exe	60
PID 2908 wrote to memory of 2852	2908	DllCommonsvc.exe	61
PID 2908 wrote to memory of 2852	2908	DllCommonsvc.exe	61
PID 2908 wrote to memory of 2852	2908	DllCommonsvc.exe	61
PID 2908 wrote to memory of 1052	2908	DllCommonsvc.exe	67
PID 2908 wrote to memory of 1052	2908	DllCommonsvc.exe	67
PID 2908 wrote to memory of 1052	2908	DllCommonsvc.exe	67
PID 1052 wrote to memory of 2960	1052	cmd.exe	69
PID 1052 wrote to memory of 2960	1052	cmd.exe	69
PID 1052 wrote to memory of 2960	1052	cmd.exe	69
PID 2960 wrote to memory of 2620	2960	cmd.exe	71
PID 2960 wrote to memory of 2620	2960	cmd.exe	71
PID 2960 wrote to memory of 2620	2960	cmd.exe	71
PID 2960 wrote to memory of 1996	2960	cmd.exe	72
PID 2960 wrote to memory of 1996	2960	cmd.exe	72
PID 2960 wrote to memory of 1996	2960	cmd.exe	72
PID 1996 wrote to memory of 1940	1996	cmd.exe	73
PID 1996 wrote to memory of 1940	1996	cmd.exe	73
PID 1996 wrote to memory of 1940	1996	cmd.exe	73
PID 1940 wrote to memory of 1448	1940	cmd.exe	75
PID 1940 wrote to memory of 1448	1940	cmd.exe	75
PID 1940 wrote to memory of 1448	1940	cmd.exe	75
PID 1940 wrote to memory of 1692	1940	cmd.exe	76
PID 1940 wrote to memory of 1692	1940	cmd.exe	76
PID 1940 wrote to memory of 1692	1940	cmd.exe	76
PID 1692 wrote to memory of 880	1692	cmd.exe	77
PID 1692 wrote to memory of 880	1692	cmd.exe	77
PID 1692 wrote to memory of 880	1692	cmd.exe	77
PID 880 wrote to memory of 1252	880	cmd.exe	79
PID 880 wrote to memory of 1252	880	cmd.exe	79
PID 880 wrote to memory of 1252	880	cmd.exe	79
PID 880 wrote to memory of 1516	880	cmd.exe	80
PID 880 wrote to memory of 1516	880	cmd.exe	80
PID 880 wrote to memory of 1516	880	cmd.exe	80
PID 1516 wrote to memory of 2596	1516	cmd.exe	81

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_33b4c674329533df4421a2e5198d0e9498a642f806e8a32f9a09c22ee455cb9b.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_33b4c674329533df4421a2e5198d0e9498a642f806e8a32f9a09c22ee455cb9b.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1776
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2912
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:840
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2908
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1704
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Globalization\Sorting\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1712
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\PrintHood\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1724
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1676
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2932
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2832
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2852
    - - C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1052
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7JTBpj7DN0.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2620
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1996
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VAhDAdBh8f.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1940
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:1448
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1692
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mv5UKbIUPK.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:880
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1252
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1516
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5bc4V3lt5Q.bat"
        12⤵
        
        PID:2596
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:272
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:488
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7Xe7C8pmPD.bat"
        14⤵
        
        PID:1176
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2004
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:756
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zlkj4ltLQI.bat"
        16⤵
        
        PID:1664
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2492
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3048
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lmMgPtgxf2.bat"
        18⤵
        
        PID:2872
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2916
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2652
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0VN2lTwXPf.bat"
        20⤵
        
        PID:2828
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:1844
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2804
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\raSqT8qddO.bat"
        22⤵
        
        PID:532
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2148
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2020
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cV1vwDPsky.bat"
        24⤵
        
        PID:1532
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2112
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2672
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lcLsEvVTrf.bat"
        26⤵
        
        PID:2168
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:1404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Windows\Globalization\Sorting\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Globalization\Sorting\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Windows\Globalization\Sorting\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\PrintHood\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Users\Admin\PrintHood\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\PrintHood\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9407d0d8c2f7d7ee17609cf53abd6db2

SHA1
856843271dee208034ea03a989766605b6cb2b38

SHA256
d40843a9f2337d6eb0170f8319aa0a7583fa551cafc8e708a5be1f5be0bcc078

SHA512
9018e45231123f3e091169241cac4d4c49f1e8666ff27f814d21a43d992a5094d8ff002120ea0b0ca829003c0857bfdb67a46cb6b0d47ac7a8fd502a53d3183c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8c5a6a5a39fc9c06ea3c51aef6801ee4

SHA1
0cb27507b261e8163639246d6fc2645f690ef1d5

SHA256
cda91599fcddec442cecaa19f7d2f026b06446bb12203c2071e8469c0def0312

SHA512
ecd28a724a8d1cc15d774164022cfec5584c0e02e1f39c6a7e2746c4cbb220d9c117275a68b9ecb886d328d28e24b739dd519442c26a22bcae393ff48b47202c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f0da70a27ff661d6aa80103dde97905c

SHA1
63102582ba55e603661edd06c2f1fd7747893aa1

SHA256
462350b79dc201abc98015fd15c1d2697116bbdaab59f777f5e11f0cffd2b967

SHA512
5ba7d8c1d134d244f5296519cd89545d8b96ae7e56361635c68ea86b2eb0b3147acfc1ca00d33dac4afb743d47093a0d59bd5209570e309bb1b7b3a7da58e23a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3c700e2d2a1c1e33560110cb35237d54

SHA1
712cbd46ea2f4fc3943556a3276d356a90ea1fc5

SHA256
b5f6760f41d3c852c86e8608d05a2969cb77fcd31beeae96d9afd8430a0017b9

SHA512
cc42d22be0488d2c89be4830c00360c2b3c7077c70988e4e8d6b22ff5bdd714e3c0db7a97d9433a59ecb41268a671dc3e94f45040797bb87fe2fc917e8aed365

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
db79f363441fcd8051321f09472a4e0d

SHA1
ef418b151f6a28c4fb1d9a4272dae19235be8775

SHA256
6b316b1064e61e34895041d8a990bc550c51badb9f9bdcfd3b152ab90c9d19c2

SHA512
a069ebeb9d7192dfb0cd8611966594e7046eb5163ea2484fe5fd27920fdb51b3379a40884c487b4fb567c75e1cf66a603d359b567e74d84d1bb3a682cacd1a99

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cf08446452921f294e211aee17b63eac

SHA1
0dafce6d680ceea9b0ddb4a61fa2a3f12eb0e28c

SHA256
a39618b2198783082af6ac9d56b0472d0730d1cd6485776b3b4ee1e8c249f74f

SHA512
e2030089eb3871b7eef4635e9b9699b58f94a214693f935326812bc14e29f47d634c522da62398139cbdf0b9c39e903e556c588f5d5ed692c91a548f177022a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f4a7ba270ad51ede3a1278db8281a49f

SHA1
83d067ae5dd88c110942e5cd7c6da581e7c98561

SHA256
8c04cbd20c6ca4791fa75b25e01ad5daf19bbdcf652714dfa1799d5e42276c5f

SHA512
8146f6c12526eb495d679e95ad299f9d27b5019de9997d0afa3b299e740dc35f2c5164c9f8117843968d63dc5eb19b3a9aea0081f85a30a6fc9039b59b130b0b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3f62ceb08fc1e1e3c858e5c2173a1041

SHA1
d335e75839aaa75596ec91820e4ff368e33ca6be

SHA256
a372ce0dc64cf13ea5a4603e8b16cd4f332c78f2f39104697c925a4c9317a5de

SHA512
ce4fdf3d4e01d236a6dfe33cf383e236bcccaaa48a4c4c081ba70962230e3ea197e32a7ac975ffb249eb3f63f37b260f85bd39319b85fc685ccf78b4c1cbbe23

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6562f348ed73ff84e035157bf6753c8b

SHA1
4e8edc4074509f0234885a29aa60745b57499bfe

SHA256
eaec767db51c444c82ec98bc767aab1ac55a3684663d5071bfc5b09ad9cf7b99

SHA512
a72d175c4d0f2747186516f7dc1f53f501d6baf88cbf3fa45fbfbd4dbaeb30d52b081d1d717a7d3e78317be5889cf24c698f831e799030db228e3e03353e4924

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2ebeb67b20a1ff6f3f727374bb8a524c

SHA1
84e6b3d4968dc4e2b1b4f40164bcb1ced084a8ba

SHA256
616264cd506bb7ffb87f69cb6d132a29ed653b3df4a584b51b8f7394866c5f72

SHA512
2a01ca6233f683f1b9553833d5ded5628b612d9f3529b70b59c4eda1d26ca29419e690358a0a6f0de321666d80b86834009163226a88828111710c67fb6c34a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\0VN2lTwXPf.bat

Filesize
235B

MD5
0856cf33e5409155a82f0c721b54e34b

SHA1
2bbc4e3c283370a06ce911dd6875aae2cb6702fd

SHA256
ef817336e9fd83e193ac40845b0c71baea7f5d89ef8e54ffcbfcaa4b890e520b

SHA512
be797964c72efcf304a4c4f0947524d355ed33319cc6923c58bac23dbd01ea6c9712a680eb79afd86126f22bb610e58fc794b05c7288fd1c0ec1ea172a33b93d

Download Submit
C:\Users\Admin\AppData\Local\Temp\5bc4V3lt5Q.bat

Filesize
235B

MD5
3c67ccabcb963ad44fca7702b3914abb

SHA1
167d5cbb554bb3edf113c3c82c55087cf8985aa9

SHA256
6ebab58e036585c1c886b04350a08f9875203362f7a3fcb17663148702ec0395

SHA512
684905ba5302335ab9efeeeaff48dfde935828795f86442cda87326e2001084fa9440956ef0d91a6fce1de350b21c5487495156a21ca7af711f9cd082aca3dfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7JTBpj7DN0.bat

Filesize
235B

MD5
7e56f8c3e401ea339da675854a451459

SHA1
3252c2f89fd321be0c6c3b7f9d4f6b15b52576d3

SHA256
523bf118fd3926fe9a8fff2f5d3912d0d4fd1a5e97b27168c1f1b29ef76e5cd7

SHA512
d865ed11b7a36b6b7a318a361daad0cbfd616899f6620d66b024bebed1b2b5e1b1984f5e527a4bd77a94a746858a7506ee4f8c6c67cb680196ffeb3d04ad5d5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7Xe7C8pmPD.bat

Filesize
235B

MD5
5872c3e75a4ebe7645d08d6125800dc3

SHA1
58c3f1d8f35738c63c5be81e2ca8305656549f65

SHA256
2e22e0476f0c555bf1fa99d70eb8b12cbcccfa82fc628aaab14d3bb7b37697a9

SHA512
e719e67abedc9013e8e0513482dc6228b0f454dd213d63589157d23d76afad57e9e4c9a05baa06ffc7f41f5dad988e200f0e6003a7a1933d10729295ef679918

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF9FA.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarFA0D.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\VAhDAdBh8f.bat

Filesize
235B

MD5
746b5b1912ace6814e374e50ad4a30e0

SHA1
4f16f127cc00556fa344a33a8dcf11ebcd5779b9

SHA256
3ba755af2ee5acefe706323f3cf185d2c6c377109d0d347a7a594dc32453f41f

SHA512
7276e45fc7412c903596e0cf964fa557e781026de1c50bf50b2d37ba87a98428e7c24a789ba60c7087b0ad548cd794683ffe8b491c795fd5d6e2d752374e1dac

Download Submit
C:\Users\Admin\AppData\Local\Temp\lcLsEvVTrf.bat

Filesize
235B

MD5
4d631f6d977f3079d2ae2a614791081b

SHA1
69719441aa30d1942f59d6c0cb050801176ec218

SHA256
1676e555a7b3e39f51cfeb10c2a0489a64e553ea10064710d9c4ab6a36f7aed3

SHA512
7d53c7b94adb19a1481189f261df5e27b59b0f0d5b696111b514cca5614593f51057b706cdf55332c27c279ac54d03f6f2e8635cb7a9fd60a9660fe0432f397a

Download Submit
C:\Users\Admin\AppData\Local\Temp\lmMgPtgxf2.bat

Filesize
235B

MD5
641af65064deaf1c6893550cc6a5b6b7

SHA1
f8f493864f2e0502d1d8805865c35b959452764e

SHA256
c2075c608e6cc654a5e7591f5bcb339786b62ec4599966f7e20f4e0ab0482f6d

SHA512
cae55df01049023365e8491b21dcfd9ae60a34d22a20cde7891ce2b5f5b6b1c44069f745c804bf6663cecd4a4d46ec63de3dc4667a4f51e8359c44312eb92a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\mv5UKbIUPK.bat

Filesize
235B

MD5
c24b0d12c82359eb21d1f21b8b268ce4

SHA1
aa45abd5e1944d24ffa382445ff5a0b73fd97c74

SHA256
cc94030b25eab4fd0535e0cb4bc177c7a0832d4030b585534108c447f311d68f

SHA512
1dc91c5caf4b0943a30e74452fed89f62a3ef59215f5501bc973c2260270fff5f5c7ee8ef4b06c2591f6935c8869f0198ba277707f0f72790ae311c103d99dac

Download Submit
C:\Users\Admin\AppData\Local\Temp\raSqT8qddO.bat

Filesize
235B

MD5
d7b554fd6b077a8e87c8270d0ab601dd

SHA1
321eaf313de3f08a009b1d2de05e531155d1234d

SHA256
8d3ef2e1da43ba1de27f49cb1b612ce0be74891b4c1b08b89b8e7f07482229d2

SHA512
f95c7830ffc3058c2b5d2cbc0e4327f8c570aeb6838d94b9d0bf47cdbfbe516cda4c3a5a350c5307e9d30adf1b62fbf5232751c720ea72de37d1f41cc341d6ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\zlkj4ltLQI.bat

Filesize
235B

MD5
1e552631a9cb32d740504ba2cf4bcaba

SHA1
dd17d87e039a081f730416c4f5a60f7e3de98ac1

SHA256
97a262889b88236756dfd839782fba0849e7563caefac2c728148adbbc42eeb9

SHA512
0241c3760b749486183ab21958ce74254855041cb7d13d4969ed60227dc7365a9966d4dcf7acde2a634b19481afb4270f2c5925b5583ff75018cec8ddcd30fea

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
afe0ae7de73eb49f64f5098d4b450d8c

SHA1
34287eeb49942bf9e7c8f123c3dee8888b6fb194

SHA256
ecad8592d2982c34b054088ffdc38a96726b924c4d20c0cf6eecbc309d48a805

SHA512
123bb4eb806771df4ae8f2b5ad8aa79c916fd56a305136e99d916233a0b1d2c3cc81fab77698e9540c49c16724b97b34fcb1424f072f2ab3e969086e404633bb

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/488-312-0x00000000000F0000-0x0000000000200000-memory.dmp

Filesize
1.1MB

Download
memory/756-372-0x0000000000F00000-0x0000000001010000-memory.dmp

Filesize
1.1MB

Download
memory/1052-68-0x00000000001D0000-0x00000000001E2000-memory.dmp

Filesize
72KB

Download
memory/1052-36-0x00000000008D0000-0x00000000009E0000-memory.dmp

Filesize
1.1MB

Download
memory/1676-56-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download
memory/1676-51-0x000000001B630000-0x000000001B912000-memory.dmp

Filesize
2.9MB

Download
memory/1692-193-0x0000000000E10000-0x0000000000F20000-memory.dmp

Filesize
1.1MB

Download
memory/1996-133-0x0000000002010000-0x0000000002022000-memory.dmp

Filesize
72KB

Download
memory/1996-132-0x0000000000350000-0x0000000000460000-memory.dmp

Filesize
1.1MB

Download
memory/2652-491-0x0000000000FF0000-0x0000000001100000-memory.dmp

Filesize
1.1MB

Download
memory/2672-668-0x00000000000A0000-0x00000000001B0000-memory.dmp

Filesize
1.1MB

Download
memory/2908-17-0x0000000000700000-0x000000000070C000-memory.dmp

Filesize
48KB

Download
memory/2908-16-0x00000000006F0000-0x00000000006FC000-memory.dmp

Filesize
48KB

Download
memory/2908-15-0x00000000006E0000-0x00000000006EC000-memory.dmp

Filesize
48KB

Download
memory/2908-14-0x0000000000550000-0x0000000000562000-memory.dmp

Filesize
72KB

Download
memory/2908-13-0x0000000000CB0000-0x0000000000DC0000-memory.dmp

Filesize
1.1MB

Download