dcrat | 44a8e7438a51db754d2d7f3dccbb7c71d918f8f590dc62b6a8afd4d4c153011f

Analysis

max time kernel
149s
max time network
154s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 03:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_44a8e7438a51db754d2d7f3dccbb7c71d918f8f590dc62b6a8afd4d4c153011f.exe
Size

1.3MB
MD5

0af9118625045687f41b4c0c8239d1bf
SHA1

5853685879a1fceb0eb4a3caa0366966fda24996
SHA256

44a8e7438a51db754d2d7f3dccbb7c71d918f8f590dc62b6a8afd4d4c153011f
SHA512

dae582b807dea65caa9e86c6a31e6583db8f01494b0f8a23d238641b2c7d528cd054138e8054ed9cd38a45bab47970a3e6f5874a289d26de7cc8b6dc753aa49e
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 27 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	2712	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	2712	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1128	2712	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	2712	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1032	2712	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	432	2712	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	752	2712	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	2712	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2532	2712	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	2712	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	2712	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	2712	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3064	2712	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	972	2712	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	2712	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2092	2712	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	2712	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1028	2712	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	2712	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	2712	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2464	2712	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	2712	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	2712	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	2712	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	2712	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	2712	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	2712	schtasks.exe	33

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0002000000018334-9.dat	dcrat
behavioral1/memory/3024-13-0x0000000000070000-0x0000000000180000-memory.dmp	dcrat
behavioral1/memory/1572-139-0x0000000000AE0000-0x0000000000BF0000-memory.dmp	dcrat
behavioral1/memory/2972-258-0x0000000000270000-0x0000000000380000-memory.dmp	dcrat
behavioral1/memory/3068-319-0x0000000000AB0000-0x0000000000BC0000-memory.dmp	dcrat
behavioral1/memory/3004-379-0x00000000012F0000-0x0000000001400000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1600	powershell.exe
1148	powershell.exe
600	powershell.exe
2456	powershell.exe
268	powershell.exe
948	powershell.exe
976	powershell.exe
2616	powershell.exe
1956	powershell.exe
580	powershell.exe

Executes dropped EXE 10 IoCs

pid	Process
3024	DllCommonsvc.exe
2044	wininit.exe
1572	wininit.exe
3000	wininit.exe
2972	wininit.exe
3068	wininit.exe
3004	wininit.exe
1584	wininit.exe
836	wininit.exe
2956	wininit.exe

Loads dropped DLL 2 IoCs

pid	Process
2848	cmd.exe
2848	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
29	raw.githubusercontent.com
4	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com
19	raw.githubusercontent.com
22	raw.githubusercontent.com
25	raw.githubusercontent.com
33	raw.githubusercontent.com

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\56085415360792	DllCommonsvc.exe
File created	C:\Program Files\DVD Maker\en-US\taskhost.exe	DllCommonsvc.exe
File created	C:\Program Files\DVD Maker\en-US\b75386f1303e64	DllCommonsvc.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\wininit.exe	DllCommonsvc.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\twain_32\services.exe	DllCommonsvc.exe
File created	C:\Windows\twain_32\c5b4cb5e9653cc	DllCommonsvc.exe
File created	C:\Windows\IME\ja-JP\System.exe	DllCommonsvc.exe
File created	C:\Windows\IME\ja-JP\27d1bcfc3c54e0	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_44a8e7438a51db754d2d7f3dccbb7c71d918f8f590dc62b6a8afd4d4c153011f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2784	schtasks.exe
2464	schtasks.exe
2336	schtasks.exe
1128	schtasks.exe
432	schtasks.exe
2208	schtasks.exe
2316	schtasks.exe
2108	schtasks.exe
2936	schtasks.exe
2532	schtasks.exe
2900	schtasks.exe
1788	schtasks.exe
2836	schtasks.exe
2572	schtasks.exe
3064	schtasks.exe
972	schtasks.exe
1028	schtasks.exe
752	schtasks.exe
2232	schtasks.exe
2092	schtasks.exe
2052	schtasks.exe
2288	schtasks.exe
1032	schtasks.exe
3068	schtasks.exe
2320	schtasks.exe
2132	schtasks.exe
2684	schtasks.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
3024	DllCommonsvc.exe
1956	powershell.exe
600	powershell.exe
580	powershell.exe
268	powershell.exe
976	powershell.exe
1600	powershell.exe
1148	powershell.exe
2616	powershell.exe
948	powershell.exe
2456	powershell.exe
2044	wininit.exe
1572	wininit.exe
3000	wininit.exe
2972	wininit.exe
3068	wininit.exe
3004	wininit.exe
1584	wininit.exe
836	wininit.exe
2956	wininit.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	3024	DllCommonsvc.exe
Token: SeDebugPrivilege	1956	powershell.exe
Token: SeDebugPrivilege	600	powershell.exe
Token: SeDebugPrivilege	580	powershell.exe
Token: SeDebugPrivilege	268	powershell.exe
Token: SeDebugPrivilege	976	powershell.exe
Token: SeDebugPrivilege	2044	wininit.exe
Token: SeDebugPrivilege	1600	powershell.exe
Token: SeDebugPrivilege	1148	powershell.exe
Token: SeDebugPrivilege	2616	powershell.exe
Token: SeDebugPrivilege	948	powershell.exe
Token: SeDebugPrivilege	2456	powershell.exe
Token: SeDebugPrivilege	1572	wininit.exe
Token: SeDebugPrivilege	3000	wininit.exe
Token: SeDebugPrivilege	2972	wininit.exe
Token: SeDebugPrivilege	3068	wininit.exe
Token: SeDebugPrivilege	3004	wininit.exe
Token: SeDebugPrivilege	1584	wininit.exe
Token: SeDebugPrivilege	836	wininit.exe
Token: SeDebugPrivilege	2956	wininit.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 2968	2172	JaffaCakes118_44a8e7438a51db754d2d7f3dccbb7c71d918f8f590dc62b6a8afd4d4c153011f.exe	29
PID 2172 wrote to memory of 2968	2172	JaffaCakes118_44a8e7438a51db754d2d7f3dccbb7c71d918f8f590dc62b6a8afd4d4c153011f.exe	29
PID 2172 wrote to memory of 2968	2172	JaffaCakes118_44a8e7438a51db754d2d7f3dccbb7c71d918f8f590dc62b6a8afd4d4c153011f.exe	29
PID 2172 wrote to memory of 2968	2172	JaffaCakes118_44a8e7438a51db754d2d7f3dccbb7c71d918f8f590dc62b6a8afd4d4c153011f.exe	29
PID 2968 wrote to memory of 2848	2968	WScript.exe	30
PID 2968 wrote to memory of 2848	2968	WScript.exe	30
PID 2968 wrote to memory of 2848	2968	WScript.exe	30
PID 2968 wrote to memory of 2848	2968	WScript.exe	30
PID 2848 wrote to memory of 3024	2848	cmd.exe	32
PID 2848 wrote to memory of 3024	2848	cmd.exe	32
PID 2848 wrote to memory of 3024	2848	cmd.exe	32
PID 2848 wrote to memory of 3024	2848	cmd.exe	32
PID 3024 wrote to memory of 268	3024	DllCommonsvc.exe	61
PID 3024 wrote to memory of 268	3024	DllCommonsvc.exe	61
PID 3024 wrote to memory of 268	3024	DllCommonsvc.exe	61
PID 3024 wrote to memory of 580	3024	DllCommonsvc.exe	62
PID 3024 wrote to memory of 580	3024	DllCommonsvc.exe	62
PID 3024 wrote to memory of 580	3024	DllCommonsvc.exe	62
PID 3024 wrote to memory of 2456	3024	DllCommonsvc.exe	63
PID 3024 wrote to memory of 2456	3024	DllCommonsvc.exe	63
PID 3024 wrote to memory of 2456	3024	DllCommonsvc.exe	63
PID 3024 wrote to memory of 1956	3024	DllCommonsvc.exe	65
PID 3024 wrote to memory of 1956	3024	DllCommonsvc.exe	65
PID 3024 wrote to memory of 1956	3024	DllCommonsvc.exe	65
PID 3024 wrote to memory of 2616	3024	DllCommonsvc.exe	67
PID 3024 wrote to memory of 2616	3024	DllCommonsvc.exe	67
PID 3024 wrote to memory of 2616	3024	DllCommonsvc.exe	67
PID 3024 wrote to memory of 600	3024	DllCommonsvc.exe	70
PID 3024 wrote to memory of 600	3024	DllCommonsvc.exe	70
PID 3024 wrote to memory of 600	3024	DllCommonsvc.exe	70
PID 3024 wrote to memory of 976	3024	DllCommonsvc.exe	71
PID 3024 wrote to memory of 976	3024	DllCommonsvc.exe	71
PID 3024 wrote to memory of 976	3024	DllCommonsvc.exe	71
PID 3024 wrote to memory of 1148	3024	DllCommonsvc.exe	73
PID 3024 wrote to memory of 1148	3024	DllCommonsvc.exe	73
PID 3024 wrote to memory of 1148	3024	DllCommonsvc.exe	73
PID 3024 wrote to memory of 1600	3024	DllCommonsvc.exe	74
PID 3024 wrote to memory of 1600	3024	DllCommonsvc.exe	74
PID 3024 wrote to memory of 1600	3024	DllCommonsvc.exe	74
PID 3024 wrote to memory of 948	3024	DllCommonsvc.exe	75
PID 3024 wrote to memory of 948	3024	DllCommonsvc.exe	75
PID 3024 wrote to memory of 948	3024	DllCommonsvc.exe	75
PID 3024 wrote to memory of 2044	3024	DllCommonsvc.exe	81
PID 3024 wrote to memory of 2044	3024	DllCommonsvc.exe	81
PID 3024 wrote to memory of 2044	3024	DllCommonsvc.exe	81
PID 2044 wrote to memory of 956	2044	wininit.exe	82
PID 2044 wrote to memory of 956	2044	wininit.exe	82
PID 2044 wrote to memory of 956	2044	wininit.exe	82
PID 956 wrote to memory of 3040	956	cmd.exe	84
PID 956 wrote to memory of 3040	956	cmd.exe	84
PID 956 wrote to memory of 3040	956	cmd.exe	84
PID 956 wrote to memory of 1572	956	cmd.exe	85
PID 956 wrote to memory of 1572	956	cmd.exe	85
PID 956 wrote to memory of 1572	956	cmd.exe	85
PID 1572 wrote to memory of 1992	1572	wininit.exe	86
PID 1572 wrote to memory of 1992	1572	wininit.exe	86
PID 1572 wrote to memory of 1992	1572	wininit.exe	86
PID 1992 wrote to memory of 1396	1992	cmd.exe	88
PID 1992 wrote to memory of 1396	1992	cmd.exe	88
PID 1992 wrote to memory of 1396	1992	cmd.exe	88
PID 1992 wrote to memory of 3000	1992	cmd.exe	89
PID 1992 wrote to memory of 3000	1992	cmd.exe	89
PID 1992 wrote to memory of 3000	1992	cmd.exe	89
PID 3000 wrote to memory of 2276	3000	wininit.exe	90

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_44a8e7438a51db754d2d7f3dccbb7c71d918f8f590dc62b6a8afd4d4c153011f.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_44a8e7438a51db754d2d7f3dccbb7c71d918f8f590dc62b6a8afd4d4c153011f.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2968
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2848
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3024
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:268
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:580
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\twain_32\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2456
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1956
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Saved Games\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2616
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\en-US\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:600
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\IME\ja-JP\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:976
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1148
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1600
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\PrintHood\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:948
    - - C:\providercommon\wininit.exe
        
        "C:\providercommon\wininit.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2044
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RBOUzXbIOW.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:956
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:3040
        
        C:\providercommon\wininit.exe
        
        "C:\providercommon\wininit.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1572
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6Po3x2tXZG.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1992
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:1396
        
        C:\providercommon\wininit.exe
        
        "C:\providercommon\wininit.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3000
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YyUd3mmyLr.bat"
        10⤵
        
        PID:2276
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:552
        
        C:\providercommon\wininit.exe
        
        "C:\providercommon\wininit.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2972
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ys8lvSze9b.bat"
        12⤵
        
        PID:2860
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2988
        
        C:\providercommon\wininit.exe
        
        "C:\providercommon\wininit.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3068
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DGa94wSM8j.bat"
        14⤵
        
        PID:2740
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2620
        
        C:\providercommon\wininit.exe
        
        "C:\providercommon\wininit.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3004
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9dhy3B39XM.bat"
        16⤵
        
        PID:272
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:976
        
        C:\providercommon\wininit.exe
        
        "C:\providercommon\wininit.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1584
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KOC6cu7vKW.bat"
        18⤵
        
        PID:912
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2600
        
        C:\providercommon\wininit.exe
        
        "C:\providercommon\wininit.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:836
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D9KWG0zl28.bat"
        20⤵
        
        PID:1724
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2376
        
        C:\providercommon\wininit.exe
        
        "C:\providercommon\wininit.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2956
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rE1HJofSUb.bat"
        22⤵
        
        PID:2208
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\providercommon\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Windows\twain_32\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\twain_32\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Windows\twain_32\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Admin\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Saved Games\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default\Saved Games\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Saved Games\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Program Files\DVD Maker\en-US\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\en-US\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Program Files\DVD Maker\en-US\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Windows\IME\ja-JP\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\IME\ja-JP\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Windows\IME\ja-JP\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\PrintHood\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\PrintHood\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\PrintHood\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fe3852bb380d5aae23e9ed4bd5a2e0a6

SHA1
1e6942e91ce546abe133bb05594089777ed81eef

SHA256
ac1cb99347bc7e2b20d961935fef6341548777079f5cbe20cad9adbf0face394

SHA512
88e9a116eb66a92e627918e2760b578fbeefe32140f7fdf673926aad3b1a0d283c5ab8360f4260f65c20c350ad9fa01b09dfb7f826b1b6039477207a33abba1a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d011a688b188c39bd9f6fb5a098c68f2

SHA1
8062b6809b65f525e6251278d09959d912f38eca

SHA256
4d229a2bfdf5a4a5aa7545cbe4a9d1938490188f53b7bf46a0927b74ee2da298

SHA512
e294c391b0f8200f53c1d4efba1b74a791cb8bf440c3bc3dba05769d130fdc6dddaa39579b84e7c9768b122239a7b40099fdc4fbef2e3d846347c01101e8fc4e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
498a09b8f3dced577a2a61e773c987d6

SHA1
0f4bac75fe7d91700b6706394addf8e63327136b

SHA256
7ebe62c92e52e3ada811c82798195b5c44caa31968e4eff59361e4cf9ba76c42

SHA512
64f8b2fcdf9bd5d0f2d3a895e37583f4cbd3e7239d19800ce3c13a62b0259abbb5c9befbfccaf3df0546569d3c50be948de50131d1504756fe6d0dd0b6b23561

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
997ae958c28cbaed7a6e93226b18f092

SHA1
9e11b8bf479df9683a0bc722699a49bd70fd3736

SHA256
ab1e5a041f0d50771d7728e351f422fb2ff7f06d64ed47b1442012374c62f7a9

SHA512
9fae0546315c3d4b2098cdc2285d4e6b33b8db412728d6b5015caf9b89aee63679bd2687d5d0c2e42923fdd474e7ccae73a07bab4dc820a90ebcc27f3cbf0038

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4bd42e1cd91123c09fac1245f71a4acf

SHA1
7cd883d752e70d18bbf8ac42c92f44727bb5fcc3

SHA256
6f14aebe901ec2b468a097cb4db7d522c689b9a5a2d1d517bcce361db06d7401

SHA512
db35824c17875ea76652ab444fc90ba0ab7a4d1700606575eeec77949a2a9d7b42e7f83ec39b61717758543c8158ce866fb7db08ce178a118052bb84e89a6316

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0bbd358a87285122cd739ee3ec73e35d

SHA1
3455cb271b8d9ded27955a34251af926ab4d226d

SHA256
583c911c9e078493d5408a0802f086248750bad874c6494e25a2fb088aeeb50a

SHA512
bde73482b05d57e1809b118d378b5d163dd1d00edb98f49335c2f5867f40b6b020bf8e02bcd7f5ac79a07666c884c2e89026f681c715fe1fbeb3fa9547b55dc6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
369d6d27475f2eb28096e6ff2edbdec5

SHA1
9f26725a59cf75f7ce57bde419027d985d808a13

SHA256
ea168592e4a7d866a166713894a56f0afc53458bb6b197c41d7b72ee9d43de4e

SHA512
06f763bda44f6edc6215365ed0f42443936239448967d7b9175e8af6fc67792dac49c71c0d499801bff81bda740571e58ca547df6952b8829137f0a43614cc6c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
061187bd0afca1e05839329331741a6c

SHA1
708a13f71c20b7e21ad32e020b9fcc55b535a070

SHA256
4218a7adf860dc86e7c0c37cab9a8156111fc4ce8a853485c63600c00d48a56f

SHA512
3069132b2b93cb0ec0bcabd158dd5d1ccac9f87e4f2f7da6073443f57006d3ab9140e3a7b9a09673a9aa3c5546ed2329f74126cf423c05c4a9b97ee632af5325

Download Submit
C:\Users\Admin\AppData\Local\Temp\6Po3x2tXZG.bat

Filesize
194B

MD5
19d3bc4da99269f86fdb3522bb3ee858

SHA1
200cccb3af784d9f41451da428eb7f9e530857ac

SHA256
667dfb7d0a88f4ed96df68651b20f30f9ffcadfa12d4875fe141d03405b84ad5

SHA512
40a57234e630bb57b99c107200cdfc8ae980930677564d2df122a176748a63d0df6e697d4167866bbe79a46a5ffe536bbc5d1dc795d4ffd17e56db38d72e99c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\9dhy3B39XM.bat

Filesize
194B

MD5
2be530caac6ee27310fc0c89d325adf0

SHA1
89c876ccc765e2d3d16ee024c85f4a060726eb2d

SHA256
a40d6b3c74fb37e80b33914f91acafb2fd9259b2179bd40bdd40ebb143d5e9bd

SHA512
b77d8aca48543a288be4a3b6e35a344b11f5e2c57dedb45c4673b6ee85156e0ddb0c714dfb2798c9576b152a2856c6ecd77329f470ac4a2387a4cff4299ddbd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5285.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\D9KWG0zl28.bat

Filesize
194B

MD5
e298295e30e45e8a2f713283861a2fc2

SHA1
34633501da999315de0b65e746c8587ca7871f3c

SHA256
22489c19f25a4e4e7a2dc6c1fb9dfafd979b1ed14e6e378972085681b4a6fe6b

SHA512
a0d2548cb301aec475211409bcf6265fd3302366bb46a10affdb29d1d98e34ab740e2923e3dc5e90b5229a3e39b4135622aa874ba6350e4f02869632f6087570

Download Submit
C:\Users\Admin\AppData\Local\Temp\DGa94wSM8j.bat

Filesize
194B

MD5
dbe139f5e7c543ba2494ec4512421231

SHA1
6edd5337a3064fa35e3d4b7a1a1241165b81a421

SHA256
c8352a0addbb1c2f3e70393e9ba8045da1ecce5f36688bc02f4a69bd44154150

SHA512
56125573bc23bc434eb4c7282a8a75983af13f3d5f04cb68a6950ba3c2fde9b804389be886ebaea1517f12f90f3a640e19b76c134ce54ebdbfe5a11dd0220785

Download Submit
C:\Users\Admin\AppData\Local\Temp\KOC6cu7vKW.bat

Filesize
194B

MD5
c3169881825119611bd0fbc0ce19d170

SHA1
58c166159a13bcb25e8c7f81fd87165da71d45b1

SHA256
79cb406f8cf52ed0f119b41dd393dd8c4a540a210f4c87b6d79d2de89bc45c47

SHA512
c24afa29d2d21bf537840c83e36ab95ea5b3d975a13702b222609f6bb8b49f221d3d92a01842c81108ecd514c2a4a318d639341ac0e5bd32e82a57c154e3da73

Download Submit
C:\Users\Admin\AppData\Local\Temp\RBOUzXbIOW.bat

Filesize
194B

MD5
6af4e6ac427fb0ff92813b43a2c80cad

SHA1
7be9bda755bea8a6a7d7afe92469f8359085e8b6

SHA256
bcf0700b64775c31da6154ea37f9b48ca3e419f276eff25a6d4e83c83a48c046

SHA512
e9028733b4b5a30c61812ce922b161aaf91e53eba55e7cde67081684f638b1aebbe99ef93119733637ccfec908ee6a83db4a8e5a54ed68c9fa9cd2d38a161a5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar52C7.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ys8lvSze9b.bat

Filesize
194B

MD5
54e56b954fcc6eb807e103d553f4213c

SHA1
bc1149b5a4375a879b25a2aa1e3b5eb7ea7d78d0

SHA256
3fc237adea43d7270157fa42daf1effa8ee3273298d237324f50b7e35a5837ec

SHA512
d6d7070e442b346492fb756ead11c01537361befdda154aec17615ac4b8bc4b1ef4140235aaa920b3f99d0cb1044f33a627a9fc68b936ab7ed1fcc4d72bc62e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\YyUd3mmyLr.bat

Filesize
194B

MD5
d1a045310f1adee7774d169fb26f4622

SHA1
d06358c8b300d0faa949dc3c01506c1679ae1808

SHA256
4bd59c93a6a518cbdaf0b4cb2f807282a820c5b69daebe7642b987144d43fe19

SHA512
d2c6ccdf498771ef872ea3dd2bd45c7a9120ad9913f5a3dd075b9d54ce8698f57e668a6272ae1d30fa71f4268eba1ec4e6e8cc85745004378cf8cb24d557305d

Download Submit
C:\Users\Admin\AppData\Local\Temp\rE1HJofSUb.bat

Filesize
194B

MD5
89b50aa91f391305f4e300b3e9446476

SHA1
43d614e62b4baa15b1723df01a941ee541726087

SHA256
970014cf9520facfd79afab7f2c32bb6a03c793467364488f3830acf2644fec7

SHA512
e038171e538b38d3d169a2e5190dee4535a3d2d7d2aaa56be23e87b8a1d8aa278922d5cc7e6e6e1628ba55968eb61b3d1c20a01363e8625a87058a4ace68bf8f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
b5095ea6b8565a53937cf168c5b40107

SHA1
a674571421afd5cc8832a957297d868ce6c2b3bb

SHA256
2c2adb1e8c9d8433e526fb337c5d78a1e49385bf210fb6534ea308baf708cfb1

SHA512
c8ede7914d57119dcc4f13e3c0c254d0ad914d1159080a1f3d8d45a195c41fecac46bf54dfb8541f52972e8471709fc21edfc6fa0faaf55f69bb7e79f764b85e

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/580-52-0x000000001B230000-0x000000001B512000-memory.dmp

Filesize
2.9MB

Download
memory/1572-139-0x0000000000AE0000-0x0000000000BF0000-memory.dmp

Filesize
1.1MB

Download
memory/1584-439-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/1956-53-0x0000000002300000-0x0000000002308000-memory.dmp

Filesize
32KB

Download
memory/2956-558-0x0000000000440000-0x0000000000452000-memory.dmp

Filesize
72KB

Download
memory/2972-258-0x0000000000270000-0x0000000000380000-memory.dmp

Filesize
1.1MB

Download
memory/2972-259-0x00000000001D0000-0x00000000001E2000-memory.dmp

Filesize
72KB

Download
memory/3004-379-0x00000000012F0000-0x0000000001400000-memory.dmp

Filesize
1.1MB

Download
memory/3024-14-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/3024-13-0x0000000000070000-0x0000000000180000-memory.dmp

Filesize
1.1MB

Download
memory/3024-15-0x00000000003E0000-0x00000000003EC000-memory.dmp

Filesize
48KB

Download
memory/3024-16-0x00000000003F0000-0x00000000003FC000-memory.dmp

Filesize
48KB

Download
memory/3024-17-0x00000000004F0000-0x00000000004FC000-memory.dmp

Filesize
48KB

Download
memory/3068-319-0x0000000000AB0000-0x0000000000BC0000-memory.dmp

Filesize
1.1MB

Download