dcrat | 03098abceccc2bf031b5bf40f00076f23156e2edd77cd302fd00e1bab3082263

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 01:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_03098abceccc2bf031b5bf40f00076f23156e2edd77cd302fd00e1bab3082263.exe
Size

1.3MB
MD5

77266b5b46cec426fa2f0ce59d18bad6
SHA1

c9e6dfa081a2188bb8e4b33ca7f24175e78ca9d3
SHA256

03098abceccc2bf031b5bf40f00076f23156e2edd77cd302fd00e1bab3082263
SHA512

9b5efecea3143cbd2ea76b014e6e8b19684f40328ddd48008375509e84b538b46e93b0327471ac8526de468d04df08f14f87ea6a15feff582ce7844ff206f344
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 27 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	2752	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	2752	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	2752	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	2752	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	2752	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	2752	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	2752	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	2752	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	896	2752	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	2752	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	2752	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	940	2752	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	2752	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2752	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	2752	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	2752	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	2752	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	2752	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	2752	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1548	2752	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	2752	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	2752	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2544	2752	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	2752	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	2752	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	2752	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	2752	schtasks.exe	34

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00070000000193b8-9.dat	dcrat
behavioral1/memory/1824-13-0x0000000000B80000-0x0000000000C90000-memory.dmp	dcrat
behavioral1/memory/2668-73-0x0000000001130000-0x0000000001240000-memory.dmp	dcrat
behavioral1/memory/2256-270-0x0000000001360000-0x0000000001470000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2640	powershell.exe
780	powershell.exe
1960	powershell.exe
1096	powershell.exe
560	powershell.exe
1896	powershell.exe
320	powershell.exe
1992	powershell.exe
1592	powershell.exe
2312	powershell.exe

Executes dropped EXE 10 IoCs

pid	Process
1824	DllCommonsvc.exe
2668	DllCommonsvc.exe
2008	DllCommonsvc.exe
1740	DllCommonsvc.exe
2256	DllCommonsvc.exe
1216	DllCommonsvc.exe
2440	DllCommonsvc.exe
2596	DllCommonsvc.exe
1672	DllCommonsvc.exe
1500	DllCommonsvc.exe

Loads dropped DLL 2 IoCs

pid	Process
3004	cmd.exe
3004	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
23	raw.githubusercontent.com
30	raw.githubusercontent.com
16	raw.githubusercontent.com
19	raw.githubusercontent.com
26	raw.githubusercontent.com
33	raw.githubusercontent.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Mail\en-US\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\en-US\sppsvc.exe	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\ModemLogs\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Windows\ModemLogs\csrss.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_03098abceccc2bf031b5bf40f00076f23156e2edd77cd302fd00e1bab3082263.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
940	schtasks.exe
2836	schtasks.exe
1640	schtasks.exe
1776	schtasks.exe
2180	schtasks.exe
2568	schtasks.exe
3056	schtasks.exe
1672	schtasks.exe
2808	schtasks.exe
2696	schtasks.exe
2544	schtasks.exe
2824	schtasks.exe
2604	schtasks.exe
2076	schtasks.exe
1548	schtasks.exe
2560	schtasks.exe
2104	schtasks.exe
2452	schtasks.exe
2144	schtasks.exe
1684	schtasks.exe
316	schtasks.exe
2460	schtasks.exe
2212	schtasks.exe
1624	schtasks.exe
896	schtasks.exe
2008	schtasks.exe
840	schtasks.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
1824	DllCommonsvc.exe
320	powershell.exe
1960	powershell.exe
1992	powershell.exe
780	powershell.exe
1592	powershell.exe
560	powershell.exe
2640	powershell.exe
1896	powershell.exe
1096	powershell.exe
2312	powershell.exe
2668	DllCommonsvc.exe
2008	DllCommonsvc.exe
1740	DllCommonsvc.exe
2256	DllCommonsvc.exe
1216	DllCommonsvc.exe
2440	DllCommonsvc.exe
2596	DllCommonsvc.exe
1672	DllCommonsvc.exe
1500	DllCommonsvc.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	1824	DllCommonsvc.exe
Token: SeDebugPrivilege	320	powershell.exe
Token: SeDebugPrivilege	1960	powershell.exe
Token: SeDebugPrivilege	1992	powershell.exe
Token: SeDebugPrivilege	780	powershell.exe
Token: SeDebugPrivilege	1592	powershell.exe
Token: SeDebugPrivilege	560	powershell.exe
Token: SeDebugPrivilege	1896	powershell.exe
Token: SeDebugPrivilege	2640	powershell.exe
Token: SeDebugPrivilege	1096	powershell.exe
Token: SeDebugPrivilege	2668	DllCommonsvc.exe
Token: SeDebugPrivilege	2312	powershell.exe
Token: SeDebugPrivilege	2008	DllCommonsvc.exe
Token: SeDebugPrivilege	1740	DllCommonsvc.exe
Token: SeDebugPrivilege	2256	DllCommonsvc.exe
Token: SeDebugPrivilege	1216	DllCommonsvc.exe
Token: SeDebugPrivilege	2440	DllCommonsvc.exe
Token: SeDebugPrivilege	2596	DllCommonsvc.exe
Token: SeDebugPrivilege	1672	DllCommonsvc.exe
Token: SeDebugPrivilege	1500	DllCommonsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2248 wrote to memory of 2896	2248	JaffaCakes118_03098abceccc2bf031b5bf40f00076f23156e2edd77cd302fd00e1bab3082263.exe	30
PID 2248 wrote to memory of 2896	2248	JaffaCakes118_03098abceccc2bf031b5bf40f00076f23156e2edd77cd302fd00e1bab3082263.exe	30
PID 2248 wrote to memory of 2896	2248	JaffaCakes118_03098abceccc2bf031b5bf40f00076f23156e2edd77cd302fd00e1bab3082263.exe	30
PID 2248 wrote to memory of 2896	2248	JaffaCakes118_03098abceccc2bf031b5bf40f00076f23156e2edd77cd302fd00e1bab3082263.exe	30
PID 2896 wrote to memory of 3004	2896	WScript.exe	31
PID 2896 wrote to memory of 3004	2896	WScript.exe	31
PID 2896 wrote to memory of 3004	2896	WScript.exe	31
PID 2896 wrote to memory of 3004	2896	WScript.exe	31
PID 3004 wrote to memory of 1824	3004	cmd.exe	33
PID 3004 wrote to memory of 1824	3004	cmd.exe	33
PID 3004 wrote to memory of 1824	3004	cmd.exe	33
PID 3004 wrote to memory of 1824	3004	cmd.exe	33
PID 1824 wrote to memory of 1960	1824	DllCommonsvc.exe	62
PID 1824 wrote to memory of 1960	1824	DllCommonsvc.exe	62
PID 1824 wrote to memory of 1960	1824	DllCommonsvc.exe	62
PID 1824 wrote to memory of 1592	1824	DllCommonsvc.exe	63
PID 1824 wrote to memory of 1592	1824	DllCommonsvc.exe	63
PID 1824 wrote to memory of 1592	1824	DllCommonsvc.exe	63
PID 1824 wrote to memory of 2312	1824	DllCommonsvc.exe	64
PID 1824 wrote to memory of 2312	1824	DllCommonsvc.exe	64
PID 1824 wrote to memory of 2312	1824	DllCommonsvc.exe	64
PID 1824 wrote to memory of 560	1824	DllCommonsvc.exe	65
PID 1824 wrote to memory of 560	1824	DllCommonsvc.exe	65
PID 1824 wrote to memory of 560	1824	DllCommonsvc.exe	65
PID 1824 wrote to memory of 1896	1824	DllCommonsvc.exe	66
PID 1824 wrote to memory of 1896	1824	DllCommonsvc.exe	66
PID 1824 wrote to memory of 1896	1824	DllCommonsvc.exe	66
PID 1824 wrote to memory of 320	1824	DllCommonsvc.exe	67
PID 1824 wrote to memory of 320	1824	DllCommonsvc.exe	67
PID 1824 wrote to memory of 320	1824	DllCommonsvc.exe	67
PID 1824 wrote to memory of 1096	1824	DllCommonsvc.exe	68
PID 1824 wrote to memory of 1096	1824	DllCommonsvc.exe	68
PID 1824 wrote to memory of 1096	1824	DllCommonsvc.exe	68
PID 1824 wrote to memory of 2640	1824	DllCommonsvc.exe	69
PID 1824 wrote to memory of 2640	1824	DllCommonsvc.exe	69
PID 1824 wrote to memory of 2640	1824	DllCommonsvc.exe	69
PID 1824 wrote to memory of 1992	1824	DllCommonsvc.exe	70
PID 1824 wrote to memory of 1992	1824	DllCommonsvc.exe	70
PID 1824 wrote to memory of 1992	1824	DllCommonsvc.exe	70
PID 1824 wrote to memory of 780	1824	DllCommonsvc.exe	71
PID 1824 wrote to memory of 780	1824	DllCommonsvc.exe	71
PID 1824 wrote to memory of 780	1824	DllCommonsvc.exe	71
PID 1824 wrote to memory of 2668	1824	DllCommonsvc.exe	82
PID 1824 wrote to memory of 2668	1824	DllCommonsvc.exe	82
PID 1824 wrote to memory of 2668	1824	DllCommonsvc.exe	82
PID 2668 wrote to memory of 3056	2668	DllCommonsvc.exe	83
PID 2668 wrote to memory of 3056	2668	DllCommonsvc.exe	83
PID 2668 wrote to memory of 3056	2668	DllCommonsvc.exe	83
PID 3056 wrote to memory of 936	3056	cmd.exe	85
PID 3056 wrote to memory of 936	3056	cmd.exe	85
PID 3056 wrote to memory of 936	3056	cmd.exe	85
PID 3056 wrote to memory of 2008	3056	cmd.exe	86
PID 3056 wrote to memory of 2008	3056	cmd.exe	86
PID 3056 wrote to memory of 2008	3056	cmd.exe	86
PID 2008 wrote to memory of 2568	2008	DllCommonsvc.exe	87
PID 2008 wrote to memory of 2568	2008	DllCommonsvc.exe	87
PID 2008 wrote to memory of 2568	2008	DllCommonsvc.exe	87
PID 2568 wrote to memory of 592	2568	cmd.exe	89
PID 2568 wrote to memory of 592	2568	cmd.exe	89
PID 2568 wrote to memory of 592	2568	cmd.exe	89
PID 2568 wrote to memory of 1740	2568	cmd.exe	90
PID 2568 wrote to memory of 1740	2568	cmd.exe	90
PID 2568 wrote to memory of 1740	2568	cmd.exe	90
PID 1740 wrote to memory of 2084	1740	DllCommonsvc.exe	91

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_03098abceccc2bf031b5bf40f00076f23156e2edd77cd302fd00e1bab3082263.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_03098abceccc2bf031b5bf40f00076f23156e2edd77cd302fd00e1bab3082263.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2896
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3004
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1824
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1960
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1592
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Recent\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2312
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:560
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ModemLogs\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1896
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:320
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft Help\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1096
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2640
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1992
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\en-US\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:780
    - - C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\DllCommonsvc.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\DllCommonsvc.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2668
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\c0ZYbu3Enn.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3056
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:936
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\DllCommonsvc.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\DllCommonsvc.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2008
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TfYr4aOzGb.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2568
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:592
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\DllCommonsvc.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\DllCommonsvc.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1740
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5fBkFKqKat.bat"
        10⤵
        
        PID:2084
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1804
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\DllCommonsvc.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\DllCommonsvc.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2256
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kyAhxuXJBD.bat"
        12⤵
        
        PID:2492
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1968
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\DllCommonsvc.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\DllCommonsvc.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1216
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mMyBvdYgq2.bat"
        14⤵
        
        PID:2216
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2176
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\DllCommonsvc.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\DllCommonsvc.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2440
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vIn8vbLsXf.bat"
        16⤵
        
        PID:1612
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1692
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\DllCommonsvc.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\DllCommonsvc.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2596
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Bf5uratM3O.bat"
        18⤵
        
        PID:1680
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2256
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\DllCommonsvc.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\DllCommonsvc.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1672
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BGyPdaK1JU.bat"
        20⤵
        
        PID:2272
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:676
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\DllCommonsvc.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\DllCommonsvc.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 14 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Recent\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\Recent\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Recent\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\providercommon\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\ModemLogs\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\ModemLogs\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\ModemLogs\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\providercommon\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Microsoft Help\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft Help\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Microsoft Help\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\providercommon\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\en-US\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\en-US\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Mail\en-US\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
acaf1907192cb1ee47be2e650adfe590

SHA1
1bf89a796e274a9988b7b17bbe2900b65d0b5d65

SHA256
c0d534d9d710433ea25a7e18dcbc8888b579f780da3535298958e3eb30f4530c

SHA512
610df2a193107752acba9bc88bb8f33c6c6bafb91acf2ac93c2251bc96a263af16f0de7684095c3c9f09b5c282dfc4dd8fd23a0e575d80265dd2171f0b953902

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2f1e70e1ca2944b6b953f2556a666f6a

SHA1
5b2a895315febe66ed19cd292cebf75391cbeb04

SHA256
265fc12113ad941e5edcb50487d649984323872a7ae93c97335c798df09432af

SHA512
108fd80ee51c8991acc092c08a71a27462c0696888cba8c07a87920157a0b170c07feb5aa5fb4063fc08c936d06aabc31a32c62c1be1ee3282a52ded623ce88c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6aa093b55946a89f0476f3197c265db3

SHA1
3dffd7fa5ea802cc371397c04c5bd1b306179002

SHA256
c630b577729994152d5d34779409f1483441922f7ce76667239d4fd29b305e7c

SHA512
dea90951dd8f279d49d8002ff2c555651c3f48a8a6b8ed617fa89e0d39fb20baa86e91803bbccb910379e112677fe5b1550f24b33e5af72bd7f0b45ecab25747

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1d6d890c61009350279995a92f341513

SHA1
0f8ec04d197c1b249533bbf590edbb9c885894b0

SHA256
acc6de7bfa770c731c980c1dd96a5e074e41872a227e216c72be3c71b292db0c

SHA512
270b1db9b4f5d6d36aff1adc48e3adc2350fcbd45325a1aa503baae892af78b6d1abcbc2e6baf747e57f6ae80a70e4e50153e5923648bb26e260f84b17fc591a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ea63941c8216c41c080e5d67a2abbb36

SHA1
728f769c70bf399dbafa8cb8a50bf063c5bab7de

SHA256
edf6a5de633574239a067e06aed35abbd79ed038ecf139a4383ad87f160db400

SHA512
37ee3fbd85dcf078f88556e09c3693b9694afdb95e837fb7a701b988760014efbb0c190f53d9f124abbf5b5d2ce5ceedf5307a827a29eefdf9c35148bd4c25fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ad1d16f90cb39ff17aad8195142f35c4

SHA1
465897c34fa3e667d332dbe26e6e8657e40dd68d

SHA256
493161ba44810676945f529f7e9dbd133c990fb81dc130e51b56bee0d4a05767

SHA512
398bc0e6c2909c1d09cc8c713e5ebddac1a91f762e6f855ed0249dc4f935491e1a7d24288c483b8320143575d2ea5432579b1b3c143c1d19409d84c8b54bf510

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a71b6c5665448e62e78f9a8a1f4c04d5

SHA1
3e641038e2b074761060976bbfce2776b637a5b2

SHA256
9909671ceff68638e89490ded3e670e679d48e80d098108567580e23b50b3adb

SHA512
cc456b9ad3a16c3c0292179a51774d7a8fdd5e7120ba9da2b51a939aad87a54aa2d866d2f3a1ba762cc526876f8e3ac36ee188f1bc6b6a8205805712d121cab5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f099f91110343e07718d7f39be106843

SHA1
e404161285f66f90c641f0ce4efc0a3be384f27a

SHA256
736969d30cdf810a8636e2cf1a17f4e22ac41bf4f591a60c757122c46920eb70

SHA512
3230898e7f29b246c460b67dc9fd061a4150b1b75b3bc0227bebf2d5c4995b0a3b8937a0cf82223b4edbe4407c7724bdb24d7f35389a5c57240425ef8ea7960c

Download Submit
C:\Users\Admin\AppData\Local\Temp\5fBkFKqKat.bat

Filesize
230B

MD5
26878ef41eca22ac9d0b3be8ebff37e5

SHA1
5e40aa1e09f65ba22db62324e6ff34d05d17a2fb

SHA256
3540ed4034abcf2bd2fc515dbaf53326aa906c5d83c84c585962dbb6dabc26ee

SHA512
0d92b20dd699b352f3906661f6f3aa5337f530dbc22396a6bf4e1c8b7921caf394031ff55c4908a994b05b5478cd7af88fb38fd034f1673e2f6073fe12f7af3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\BGyPdaK1JU.bat

Filesize
230B

MD5
a5e03c67061dfaf254fefb7f154c9998

SHA1
587398889601d84609dd0563f49d83a7d13af2cb

SHA256
a2566f2b2266b030eed9404ff57d83a43c502a4b4122d60019211561e6083767

SHA512
044329a79723480b06fa80f741dc541f947aa53b6cfd6c8d69bf13f591e144051ec371506a02594ea9e68e5341e0a3434e99842588d68a57968f6a42ba97e8a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bf5uratM3O.bat

Filesize
230B

MD5
8d8aa796d68309fd0a3ede339dfde331

SHA1
7fc74a565fd0adf68dc7f0cc8d6baa9de3f9b149

SHA256
6023cd865a65fe8f4dd914609af93aac6e6678b096c623ee265cfbf6c726f0f4

SHA512
1283fd4832115eb131bb918a4466f244b93037ef2fe4d584df693fee7220aee2fd87c5a062ebad3c21b72c5f56d76927fe718eccd7f7ec36b433f52abe978c37

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1E8A.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1EFB.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TfYr4aOzGb.bat

Filesize
230B

MD5
fa094bd6c00fef87147b4907bbabcd74

SHA1
b55d21ac6fbde9d52e2c86b65b00ba35719fa679

SHA256
c7d63eb05a99d98020fbdade3b7a839d030531766ddf5bced1abb858a875c617

SHA512
0ac5d30cb8834b5351da6dd586e70628d49a451287f450ac0f5d173a5c713685350f08aecbb322d1acd42b01cb21d465f5d21f1de55f73e7ee74691977c67e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\c0ZYbu3Enn.bat

Filesize
230B

MD5
1efc2e4f58322da7ae93159701ee7802

SHA1
2a6d44e2862c030ab6955977acc6e372280415cd

SHA256
c4cf57f4452008c1f44badd07991b5233877701034145a2ff626b429047fe47d

SHA512
59e8bf767c2f487d1ee657b37e4b28991951ba42b94b84d9530b2c2711b4a05805bfdb92a753a48d02bcf3d13f17a6e29d92fd96b1edcbf77f67713c5c49ea43

Download Submit
C:\Users\Admin\AppData\Local\Temp\kyAhxuXJBD.bat

Filesize
230B

MD5
3f893bc298fad9f2c484db638475fc2e

SHA1
d43ef996561403b33d1eb38f416d697923fa46cc

SHA256
eee2b1e43d9eb2522e9beacd4bbf491b918932345c92879ed23dcd3084f14244

SHA512
09dd6cb047bb4b63ecc925c8a466cde746ee4927cc52d3e9a7c9be536547ff3707639be82249cd227c8f3b00dfd46e4c0d9c3c17abdc4696e715658027cd3c41

Download Submit
C:\Users\Admin\AppData\Local\Temp\mMyBvdYgq2.bat

Filesize
230B

MD5
8f28fe12e445f877edba9875de000283

SHA1
b55a68827a712be59d7d0f06995a4dde4f7a2880

SHA256
aa7de0b60f192f69ab0fc48533450cbfef8f284ebbdbed8a3f1f8a84cb734dac

SHA512
3eb82314c11a18dc56ed63d8c76c0b1b4fc24a1f8efeb92edb921b6f6381830281b3fbfab3a4ec7bfadd7ec62da6963ea95b1ab5b97a6238df6dd308cabd7370

Download Submit
C:\Users\Admin\AppData\Local\Temp\vIn8vbLsXf.bat

Filesize
230B

MD5
caf75440b9ada4f55bfd42244d837651

SHA1
bb7ef5f492c6f005d78802241c3c786b4777f538

SHA256
081df07d959480cf2b15eade37bde265619b58e6079af6ce01fedffd46c30ae7

SHA512
85648f9e51fb9cacb9526a864ff3e139a3a8c245882bae11e3fc78d6e9c0b512f0d3efb2936ad9a74a0b20ed9466657b8b89c13cbf441c50d9b1ab908dbdcbfa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
f3f9d2f4b5a0e1234a2801adc0c5b06b

SHA1
fb22d02c267a2b655ca6a5a9ff0cf48232af3d0f

SHA256
8093a08607c790c63bf845588c6b4f9d8a98b19fdfb1c02dc600b9568b1eb05c

SHA512
4b309ddbf20ce537efdc0eadd594f38a9eba6c49459f1c11cdb3bd0fce8c9f62f309f878f3e82298b1d13cdf5edbeb7b11e9d43de76053ee3779d765b3e754f9

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/320-50-0x000000001B370000-0x000000001B652000-memory.dmp

Filesize
2.9MB

Download
memory/320-58-0x00000000026B0000-0x00000000026B8000-memory.dmp

Filesize
32KB

Download
memory/1824-17-0x00000000022C0000-0x00000000022CC000-memory.dmp

Filesize
48KB

Download
memory/1824-16-0x0000000002230000-0x000000000223C000-memory.dmp

Filesize
48KB

Download
memory/1824-15-0x00000000021A0000-0x00000000021AC000-memory.dmp

Filesize
48KB

Download
memory/1824-14-0x0000000002190000-0x00000000021A2000-memory.dmp

Filesize
72KB

Download
memory/1824-13-0x0000000000B80000-0x0000000000C90000-memory.dmp

Filesize
1.1MB

Download
memory/2256-271-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/2256-270-0x0000000001360000-0x0000000001470000-memory.dmp

Filesize
1.1MB

Download
memory/2668-73-0x0000000001130000-0x0000000001240000-memory.dmp

Filesize
1.1MB

Download