dcrat | 1eb432cb683e45c4d79d6c6412cf5f77007ab70b2472dedd529524c33a84d297

Analysis

max time kernel
144s
max time network
142s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/12/2024, 17:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_1eb432cb683e45c4d79d6c6412cf5f77007ab70b2472dedd529524c33a84d297.exe
Size

1.3MB
MD5

0fcdaaa6d77f9c5d065216a547b21813
SHA1

138b457f3332a6a271f3dc5d3cfac9fd3d913393
SHA256

1eb432cb683e45c4d79d6c6412cf5f77007ab70b2472dedd529524c33a84d297
SHA512

53da42f370bf5dd644f35c20dd55f84d357c9a1adf045adabb76be82d38c2bd8f922b66984328e106cb60201379da2f063987564c48915d3b676e143f2576bb5
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	2156	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	2156	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	2156	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	2156	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	2156	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	2156	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	2156	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	2156	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	776	2156	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	2156	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	2156	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	2156	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	2156	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1444	2156	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2156	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	344	2156	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	544	2156	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	996	2156	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	2156	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	2156	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1012	2156	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	2156	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	2156	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2396	2156	schtasks.exe	35

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000015d07-12.dat	dcrat
behavioral1/memory/2108-13-0x0000000000EB0000-0x0000000000FC0000-memory.dmp	dcrat
behavioral1/memory/756-45-0x0000000001210000-0x0000000001320000-memory.dmp	dcrat
behavioral1/memory/2028-204-0x0000000000290000-0x00000000003A0000-memory.dmp	dcrat
behavioral1/memory/2632-264-0x0000000000080000-0x0000000000190000-memory.dmp	dcrat
behavioral1/memory/1884-325-0x0000000000DD0000-0x0000000000EE0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1736	powershell.exe
1880	powershell.exe
1196	powershell.exe
1140	powershell.exe
1188	powershell.exe
884	powershell.exe
444	powershell.exe
1144	powershell.exe
1704	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2108	DllCommonsvc.exe
756	OSPPSVC.exe
1960	OSPPSVC.exe
2028	OSPPSVC.exe
2632	OSPPSVC.exe
1884	OSPPSVC.exe
1960	OSPPSVC.exe
2516	OSPPSVC.exe
472	OSPPSVC.exe
2964	OSPPSVC.exe
2796	OSPPSVC.exe

Loads dropped DLL 2 IoCs

pid	Process
2960	cmd.exe
2960	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
12	raw.githubusercontent.com
19	raw.githubusercontent.com
22	raw.githubusercontent.com
25	raw.githubusercontent.com
28	raw.githubusercontent.com
32	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
4	raw.githubusercontent.com
15	raw.githubusercontent.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows NT\TableTextService\Idle.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\6ccacd8608530f	DllCommonsvc.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Offline Web Pages\dwm.exe	DllCommonsvc.exe
File created	C:\Windows\Offline Web Pages\6cb0b6c459d5d3	DllCommonsvc.exe
File created	C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\System.exe	DllCommonsvc.exe
File created	C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\27d1bcfc3c54e0	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1eb432cb683e45c4d79d6c6412cf5f77007ab70b2472dedd529524c33a84d297.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2376	schtasks.exe
2264	schtasks.exe
2060	schtasks.exe
776	schtasks.exe
2912	schtasks.exe
996	schtasks.exe
2196	schtasks.exe
2784	schtasks.exe
1700	schtasks.exe
2252	schtasks.exe
2052	schtasks.exe
3000	schtasks.exe
2940	schtasks.exe
2720	schtasks.exe
1612	schtasks.exe
2900	schtasks.exe
344	schtasks.exe
2396	schtasks.exe
2904	schtasks.exe
2776	schtasks.exe
1444	schtasks.exe
544	schtasks.exe
1012	schtasks.exe
2216	schtasks.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
2108	DllCommonsvc.exe
2108	DllCommonsvc.exe
2108	DllCommonsvc.exe
1736	powershell.exe
1144	powershell.exe
1188	powershell.exe
884	powershell.exe
1140	powershell.exe
1704	powershell.exe
1196	powershell.exe
444	powershell.exe
1880	powershell.exe
756	OSPPSVC.exe
1960	OSPPSVC.exe
2028	OSPPSVC.exe
2632	OSPPSVC.exe
1884	OSPPSVC.exe
1960	OSPPSVC.exe
2516	OSPPSVC.exe
472	OSPPSVC.exe
2964	OSPPSVC.exe
2796	OSPPSVC.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	2108	DllCommonsvc.exe
Token: SeDebugPrivilege	1736	powershell.exe
Token: SeDebugPrivilege	1144	powershell.exe
Token: SeDebugPrivilege	1188	powershell.exe
Token: SeDebugPrivilege	884	powershell.exe
Token: SeDebugPrivilege	1140	powershell.exe
Token: SeDebugPrivilege	1704	powershell.exe
Token: SeDebugPrivilege	1196	powershell.exe
Token: SeDebugPrivilege	756	OSPPSVC.exe
Token: SeDebugPrivilege	444	powershell.exe
Token: SeDebugPrivilege	1880	powershell.exe
Token: SeDebugPrivilege	1960	OSPPSVC.exe
Token: SeDebugPrivilege	2028	OSPPSVC.exe
Token: SeDebugPrivilege	2632	OSPPSVC.exe
Token: SeDebugPrivilege	1884	OSPPSVC.exe
Token: SeDebugPrivilege	1960	OSPPSVC.exe
Token: SeDebugPrivilege	2516	OSPPSVC.exe
Token: SeDebugPrivilege	472	OSPPSVC.exe
Token: SeDebugPrivilege	2964	OSPPSVC.exe
Token: SeDebugPrivilege	2796	OSPPSVC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2692 wrote to memory of 2668	2692	JaffaCakes118_1eb432cb683e45c4d79d6c6412cf5f77007ab70b2472dedd529524c33a84d297.exe	31
PID 2692 wrote to memory of 2668	2692	JaffaCakes118_1eb432cb683e45c4d79d6c6412cf5f77007ab70b2472dedd529524c33a84d297.exe	31
PID 2692 wrote to memory of 2668	2692	JaffaCakes118_1eb432cb683e45c4d79d6c6412cf5f77007ab70b2472dedd529524c33a84d297.exe	31
PID 2692 wrote to memory of 2668	2692	JaffaCakes118_1eb432cb683e45c4d79d6c6412cf5f77007ab70b2472dedd529524c33a84d297.exe	31
PID 2668 wrote to memory of 2960	2668	WScript.exe	32
PID 2668 wrote to memory of 2960	2668	WScript.exe	32
PID 2668 wrote to memory of 2960	2668	WScript.exe	32
PID 2668 wrote to memory of 2960	2668	WScript.exe	32
PID 2960 wrote to memory of 2108	2960	cmd.exe	34
PID 2960 wrote to memory of 2108	2960	cmd.exe	34
PID 2960 wrote to memory of 2108	2960	cmd.exe	34
PID 2960 wrote to memory of 2108	2960	cmd.exe	34
PID 2108 wrote to memory of 1704	2108	DllCommonsvc.exe	60
PID 2108 wrote to memory of 1704	2108	DllCommonsvc.exe	60
PID 2108 wrote to memory of 1704	2108	DllCommonsvc.exe	60
PID 2108 wrote to memory of 884	2108	DllCommonsvc.exe	61
PID 2108 wrote to memory of 884	2108	DllCommonsvc.exe	61
PID 2108 wrote to memory of 884	2108	DllCommonsvc.exe	61
PID 2108 wrote to memory of 1736	2108	DllCommonsvc.exe	62
PID 2108 wrote to memory of 1736	2108	DllCommonsvc.exe	62
PID 2108 wrote to memory of 1736	2108	DllCommonsvc.exe	62
PID 2108 wrote to memory of 1880	2108	DllCommonsvc.exe	63
PID 2108 wrote to memory of 1880	2108	DllCommonsvc.exe	63
PID 2108 wrote to memory of 1880	2108	DllCommonsvc.exe	63
PID 2108 wrote to memory of 1196	2108	DllCommonsvc.exe	64
PID 2108 wrote to memory of 1196	2108	DllCommonsvc.exe	64
PID 2108 wrote to memory of 1196	2108	DllCommonsvc.exe	64
PID 2108 wrote to memory of 444	2108	DllCommonsvc.exe	65
PID 2108 wrote to memory of 444	2108	DllCommonsvc.exe	65
PID 2108 wrote to memory of 444	2108	DllCommonsvc.exe	65
PID 2108 wrote to memory of 1140	2108	DllCommonsvc.exe	66
PID 2108 wrote to memory of 1140	2108	DllCommonsvc.exe	66
PID 2108 wrote to memory of 1140	2108	DllCommonsvc.exe	66
PID 2108 wrote to memory of 1188	2108	DllCommonsvc.exe	67
PID 2108 wrote to memory of 1188	2108	DllCommonsvc.exe	67
PID 2108 wrote to memory of 1188	2108	DllCommonsvc.exe	67
PID 2108 wrote to memory of 1144	2108	DllCommonsvc.exe	68
PID 2108 wrote to memory of 1144	2108	DllCommonsvc.exe	68
PID 2108 wrote to memory of 1144	2108	DllCommonsvc.exe	68
PID 2108 wrote to memory of 756	2108	DllCommonsvc.exe	78
PID 2108 wrote to memory of 756	2108	DllCommonsvc.exe	78
PID 2108 wrote to memory of 756	2108	DllCommonsvc.exe	78
PID 756 wrote to memory of 2204	756	OSPPSVC.exe	79
PID 756 wrote to memory of 2204	756	OSPPSVC.exe	79
PID 756 wrote to memory of 2204	756	OSPPSVC.exe	79
PID 2204 wrote to memory of 344	2204	cmd.exe	81
PID 2204 wrote to memory of 344	2204	cmd.exe	81
PID 2204 wrote to memory of 344	2204	cmd.exe	81
PID 2204 wrote to memory of 1960	2204	cmd.exe	82
PID 2204 wrote to memory of 1960	2204	cmd.exe	82
PID 2204 wrote to memory of 1960	2204	cmd.exe	82
PID 1960 wrote to memory of 1480	1960	OSPPSVC.exe	83
PID 1960 wrote to memory of 1480	1960	OSPPSVC.exe	83
PID 1960 wrote to memory of 1480	1960	OSPPSVC.exe	83
PID 1480 wrote to memory of 2944	1480	cmd.exe	85
PID 1480 wrote to memory of 2944	1480	cmd.exe	85
PID 1480 wrote to memory of 2944	1480	cmd.exe	85
PID 1480 wrote to memory of 2028	1480	cmd.exe	86
PID 1480 wrote to memory of 2028	1480	cmd.exe	86
PID 1480 wrote to memory of 2028	1480	cmd.exe	86
PID 2028 wrote to memory of 2372	2028	OSPPSVC.exe	87
PID 2028 wrote to memory of 2372	2028	OSPPSVC.exe	87
PID 2028 wrote to memory of 2372	2028	OSPPSVC.exe	87
PID 2372 wrote to memory of 2272	2372	cmd.exe	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1eb432cb683e45c4d79d6c6412cf5f77007ab70b2472dedd529524c33a84d297.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1eb432cb683e45c4d79d6c6412cf5f77007ab70b2472dedd529524c33a84d297.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2960
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2108
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1704
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:884
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1736
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1880
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1196
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\TableTextService\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:444
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Offline Web Pages\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1140
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Templates\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1188
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1144
    - - C:\providercommon\OSPPSVC.exe
        
        "C:\providercommon\OSPPSVC.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:756
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6uGRILFBWR.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2204
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:344
        
        C:\providercommon\OSPPSVC.exe
        
        "C:\providercommon\OSPPSVC.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1960
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6uMgbjYtd5.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1480
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2944
        
        C:\providercommon\OSPPSVC.exe
        
        "C:\providercommon\OSPPSVC.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2028
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ER58NgmlZn.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2372
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2272
        
        C:\providercommon\OSPPSVC.exe
        
        "C:\providercommon\OSPPSVC.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2632
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2wxi7FenmH.bat"
        12⤵
        
        PID:1964
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1920
        
        C:\providercommon\OSPPSVC.exe
        
        "C:\providercommon\OSPPSVC.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1884
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uSow6ZWML2.bat"
        14⤵
        
        PID:2412
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:996
        
        C:\providercommon\OSPPSVC.exe
        
        "C:\providercommon\OSPPSVC.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1960
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\t6OOvELCCF.bat"
        16⤵
        
        PID:3008
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2372
        
        C:\providercommon\OSPPSVC.exe
        
        "C:\providercommon\OSPPSVC.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2516
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TfYr4aOzGb.bat"
        18⤵
        
        PID:2032
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:840
        
        C:\providercommon\OSPPSVC.exe
        
        "C:\providercommon\OSPPSVC.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:472
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LBVLNHYHv1.bat"
        20⤵
        
        PID:2804
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2700
        
        C:\providercommon\OSPPSVC.exe
        
        "C:\providercommon\OSPPSVC.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2964
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\I0OceA6Xfh.bat"
        22⤵
        
        PID:2740
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2528
        
        C:\providercommon\OSPPSVC.exe
        
        "C:\providercommon\OSPPSVC.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Windows\Offline Web Pages\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Windows\Offline Web Pages\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Templates\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\All Users\Templates\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Templates\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\providercommon\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ac343b7e0dd3bb8e092590b592a4909d

SHA1
3b1c97f2c20ba0c76659179a08d49db1b447536f

SHA256
bf4af66b3690fdbde32f78d8fec4d1ab92f8cbfb435f1a8920ab66353c0beaaa

SHA512
613c38cb0849d4fb277e293018f41b7895f79c326521829fb924ea93b30aa127163de1e69c159c66a4810ff50554c61e1b6b55ac606102b7843231e21bbd074f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2ecad12ea23fa23c51b8c01f8cbe1124

SHA1
950c0c5cd24f55658b048dd342cd4f4572683de5

SHA256
6515d2ce2b3c938f8ae5006a6c2ad5acca4e538e55c89fd8ba0762f03593acab

SHA512
199eac11d16627bc23a14df3ab0db601d2ce92590af56e241315b79b5a5cd9a338a9ef8b5e2b542681e7be5f7e1bab8737a7e384c7f7729db15f5c23b3efcd14

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ca3a1050c4912fda5f162c0fb4198b35

SHA1
7331839c84e7e9f6eb57559b36599ac6ffa12df1

SHA256
ee3b476b1b78c48b0e3b91489eec54cf756d076567bac28c3f0d73030ecd18bd

SHA512
4049b98ba5c09e70e6e2c5cd7943f87bdd6cc7502955b58be169add3011929c2decd989b0ba85b78cde8102759de68ddacf4534d33d9697c77aec2c1163cf7b7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a83570978866c542f2f37c6e92cf9351

SHA1
3bfea654605b9f076d614786fe544ffeb74a77e0

SHA256
cb55d2404925e42fb0d97673955dd7f11363898943dc66ab81ccef8f4862b13a

SHA512
139488e9c3c3d0bb6772063cdd2a9d4fe849feaa7d0ea499c5cd52dea521faf436dbcee33c9af7f212d01a1c531962968a9ee0b92a509a11205271d6480c0b59

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4a7534381f2b16cc86800e2999e488a6

SHA1
2ae87b3a27d4a887a2b3cfbfdc22d5a6f44f6168

SHA256
4be7e6a946393b8373c217fa9bd3c77611715d2f213233ba590106ba5b295235

SHA512
e92ff0d3da25835267e7aa4f525053427dab4334e7839f429b5398aaa607de485882372635a210008029f1daf2b3cffe5ab982e1b801b764de4d054bac83697c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9fb5512638e35159f2698e5ac705ada6

SHA1
cc166a64e50dafbb3e2cccbda5428475a6fec4ac

SHA256
b5c34facd93c84e3aa6ebddcb6a116dcbcf11c4e75dd35eb33e38f8f2b158952

SHA512
35dfc03f83fbbc0e527b451fbc2abdd5f759be93325cbbc0151e2a8134661e6b24ce53aa852c7661dd45a68005d221f17942a6f285e27895f759c6c5a9b530de

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b28d811f70deb6484c01133e5df66028

SHA1
9e6ac99e35b027f72f3f75ff1ced66d698b59ab2

SHA256
3bb6cfb74962e60f6939f9b3eeb7897cfb0752c009bd40178eda34ece2fe8fc8

SHA512
b7634bebfd1dadee751bdb6e6f395b4d2a7ac4e5e57068a54760638f02aadd8439c4171af3fb1c4cb9511c1958006da7724853c6da4d81df36841d226d282814

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0fa69fdb7d0a16edf478a9359f9208cc

SHA1
b048830fb20eb88ae4a1a5709c3889bb476167c1

SHA256
dd3a4134356b3032d6c1033446d80f861e1f8eb491fe781d7da822876056c946

SHA512
fa7956d3818868065aa75b523c0e0727de16cb8836aa6e70eb6345fc6ebe0d7ec31b69c6a0786d1758ad2cc9a6e6bf4160d5f4a89ed035e598289cbc58d6bebc

Download Submit
C:\Users\Admin\AppData\Local\Temp\2wxi7FenmH.bat

Filesize
194B

MD5
cd9bb6441c09e193e0db09faa1288ef7

SHA1
14f66b41b0079088447b6ef3900febb4632eb70a

SHA256
669dad086d9e356fa613dac43b45549eaa1093e3653f7189d137aef34e0b979a

SHA512
397be66b66ef9b6cec33b862bb73cd2acf45971f703fc656bbd2591749a34555ed66d1cb3ae7450e22855892342e4d2ae6fd5282ea3c2106fa20e8b53e0e20ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\6uGRILFBWR.bat

Filesize
194B

MD5
497748c21e3829b02bc2b1d64cc747b0

SHA1
3c922aa398cb9dbb8d691057d592e638123f6fd5

SHA256
c58d7b02cdca74ff47062d96a34152e4e7304a45298a2e1d03c3b23c4b9648f5

SHA512
8b212104fc00297a5edf71284fa611c6043ecb663e28ca2132a2e4cfc2a9a342234cebd9353580e9faac56e353a7aaa96fb8ab3e392add973105e20a52803fa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\6uMgbjYtd5.bat

Filesize
194B

MD5
7eccc7d1dd7cb754f5ac724216351627

SHA1
a3a44b6e87bd4099dc0f8fdf5ba36aa7ee459377

SHA256
759f48a2c7e6fb3e34d13df6f3ae5eb7f178695cd932c634c279b3f6a5c4247f

SHA512
b06c756d8417a3ae8c15438b3d93106d1179623cd2027f11ad4ce0b287fe26f0dfd76783f3b371cac12941fdee3d643dbcf894a289fdc71c290665293d212bec

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1B5F.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ER58NgmlZn.bat

Filesize
194B

MD5
25d1898c5ffd641a5b3a5cf0a5ecca56

SHA1
434e4018b51211fde5a21b1f04e4e2fe075db5b2

SHA256
70cb162b3842971485340505f7728e565a5078bf41e69474c415884b0bb13c77

SHA512
c14af581859f5b7737ef405be0125a34e24f1d567fe5c5b3d7d9e845c5e7de006baed4664aa8f6b70a711b583d8f3bc7b328a04bfb851c9347b7418e80e9c92f

Download Submit
C:\Users\Admin\AppData\Local\Temp\I0OceA6Xfh.bat

Filesize
194B

MD5
692f152a16925b1479ae51badb29c16d

SHA1
78f890f07fbfb1c7ad305f3cbc6438e648e66e31

SHA256
ab10848317b5dee3be57544849dcab8a8534cd957eccdaae7823470b17a8019e

SHA512
4d72b21f19a87797cc28f61de606efad3c1ab02271f6786b9c73f2bb2c2c446fdb024e058ae0fbec0bafc95a83bb5027beaba42fbc07724de273a19ce3a88916

Download Submit
C:\Users\Admin\AppData\Local\Temp\LBVLNHYHv1.bat

Filesize
194B

MD5
78b200816b26779cc621726dc46f97b1

SHA1
8d08f17fa15819972bf8d8d9b86c1a80c734feb1

SHA256
4e3d4e039a106b3fcd036fcf821b59c458fc7590cd306d3a7e93d2f54127a190

SHA512
b252fc10ef00b8b7ce826bae1cee8412b0e2268cba0c30d6f094ecff1a8d0e74fe68eeede3ca17ac53becc987183cfd821496ead898149f9fe1d3ef258ca756a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1B72.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TfYr4aOzGb.bat

Filesize
194B

MD5
884d4d51a874fae26514e9dd5ff8e74a

SHA1
cd5d1707df4bbe7b0892a1357905b1c103de8e6e

SHA256
660c78caaa7968612e997b01fb2a610c647695371203aa42e234e5955a051506

SHA512
2ee25549af50758808af651f1c37287b7ad6498bfbf1e42ab14df0ddef9f4d912ee4d414df2dad9db5f67fb06179d92366d6625c6a332b31b0305b6c1b10c081

Download Submit
C:\Users\Admin\AppData\Local\Temp\t6OOvELCCF.bat

Filesize
194B

MD5
7baebaa70e079f59b2853eeb571a7a20

SHA1
240595aae92730f42fb69e7754e435604b159ed6

SHA256
9df40c73af894d77c6d25e89c41a1b2feee0ad182dfec57b84b5e4690a4936e7

SHA512
b9a818aa02c6a55242a1912d9c8eb83aeb16f0c5817ffdb82d0f68b87d9b5eac4fd046db6e8d482a7ba4094a8359a48ea6640a3fb31f7a8d9d5e393420bef17e

Download Submit
C:\Users\Admin\AppData\Local\Temp\uSow6ZWML2.bat

Filesize
194B

MD5
529f3bbbdf86d5d73330068a35d44578

SHA1
256feea0a7236af090258fe9a8d67d226f429fc5

SHA256
c874f8f96e74d278125a9a689448f7711ccbbadcb18c8df130d0352a86e2da45

SHA512
4132e17c7b529ec3373a0985b11945068c59f3affe5fe50c5d3376fc116de85d941535ebafa10ef66d6ac2dfa1d8b20cf7701f6ebbc306d020505e8582dbda6d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
089ad06991e1d9d8a2e3caeb44143a41

SHA1
9e0ff78969095c28c8cbb8d640b7760b80084893

SHA256
0d08211954ad0ec7062df8e6ae7bac94497e16c334ff7681e45c9bc88973ec8e

SHA512
e46f51699974f62d1e54434dcc4afcb833fe6d56a01aec4e7a665bbe7a2cc69a92c742c69fe436c741252874242f2d8027af4b6de54db0f7dd1ac8448613727b

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/756-45-0x0000000001210000-0x0000000001320000-memory.dmp

Filesize
1.1MB

Download
memory/1736-51-0x000000001B640000-0x000000001B922000-memory.dmp

Filesize
2.9MB

Download
memory/1736-52-0x0000000001DC0000-0x0000000001DC8000-memory.dmp

Filesize
32KB

Download
memory/1884-325-0x0000000000DD0000-0x0000000000EE0000-memory.dmp

Filesize
1.1MB

Download
memory/1960-385-0x0000000000300000-0x0000000000312000-memory.dmp

Filesize
72KB

Download
memory/2028-204-0x0000000000290000-0x00000000003A0000-memory.dmp

Filesize
1.1MB

Download
memory/2108-17-0x00000000003F0000-0x00000000003FC000-memory.dmp

Filesize
48KB

Download
memory/2108-16-0x00000000001E0000-0x00000000001EC000-memory.dmp

Filesize
48KB

Download
memory/2108-15-0x00000000001D0000-0x00000000001DC000-memory.dmp

Filesize
48KB

Download
memory/2108-14-0x00000000001C0000-0x00000000001D2000-memory.dmp

Filesize
72KB

Download
memory/2108-13-0x0000000000EB0000-0x0000000000FC0000-memory.dmp

Filesize
1.1MB

Download
memory/2632-265-0x0000000000260000-0x0000000000272000-memory.dmp

Filesize
72KB

Download
memory/2632-264-0x0000000000080000-0x0000000000190000-memory.dmp

Filesize
1.1MB

Download
memory/2796-622-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download