dcrat | 54bcfc7d592203727352c1ba44593ffbbfd08992e160c720ffca8c77837d3d15

Analysis

max time kernel
147s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 21:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_54bcfc7d592203727352c1ba44593ffbbfd08992e160c720ffca8c77837d3d15.exe
Size

1.3MB
MD5

e3eb674a30700f9091371402640f7af2
SHA1

b01b9af335df6a22dd035fa444052ef6deb585a9
SHA256

54bcfc7d592203727352c1ba44593ffbbfd08992e160c720ffca8c77837d3d15
SHA512

0cb66c7749169f95a94ae44291f2b854e9ea29664f878c2e2d04de74fc7e98a6d44cfe688816b7b3a6f30bd8a363f8096893d4f05db9e42243334441a01bd243
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2760	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	2760	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	2760	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	2760	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	2760	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2760	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	2760	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	2760	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1904	2760	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	680	2760	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1588	2760	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1040	2760	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	2760	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	2760	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	2760	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1256	2760	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	780	2760	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1368	2760	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	892	2760	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	2760	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2760	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	2760	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	2760	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	2760	schtasks.exe	35

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000018c44-12.dat	dcrat
behavioral1/memory/1744-13-0x00000000013A0000-0x00000000014B0000-memory.dmp	dcrat
behavioral1/memory/2296-87-0x00000000000B0000-0x00000000001C0000-memory.dmp	dcrat
behavioral1/memory/1424-147-0x0000000000B00000-0x0000000000C10000-memory.dmp	dcrat
behavioral1/memory/2140-207-0x0000000000F10000-0x0000000001020000-memory.dmp	dcrat
behavioral1/memory/556-267-0x0000000000180000-0x0000000000290000-memory.dmp	dcrat
behavioral1/memory/2408-327-0x0000000001060000-0x0000000001170000-memory.dmp	dcrat
behavioral1/memory/836-447-0x00000000001E0000-0x00000000002F0000-memory.dmp	dcrat
behavioral1/memory/1508-507-0x0000000001200000-0x0000000001310000-memory.dmp	dcrat
behavioral1/memory/336-567-0x0000000001290000-0x00000000013A0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1536	powershell.exe
2876	powershell.exe
2868	powershell.exe
448	powershell.exe
2912	powershell.exe
1180	powershell.exe
2128	powershell.exe
668	powershell.exe
1660	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
1744	DllCommonsvc.exe
2296	dllhost.exe
1424	dllhost.exe
2140	dllhost.exe
556	dllhost.exe
2408	dllhost.exe
2168	dllhost.exe
836	dllhost.exe
1508	dllhost.exe
336	dllhost.exe
2124	dllhost.exe

Loads dropped DLL 2 IoCs

pid	Process
2072	cmd.exe
2072	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
26	raw.githubusercontent.com
33	raw.githubusercontent.com
4	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com
19	raw.githubusercontent.com
23	raw.githubusercontent.com
30	raw.githubusercontent.com
37	raw.githubusercontent.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\taskhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\b75386f1303e64	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_54bcfc7d592203727352c1ba44593ffbbfd08992e160c720ffca8c77837d3d15.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2444	schtasks.exe
680	schtasks.exe
1368	schtasks.exe
2120	schtasks.exe
2576	schtasks.exe
2796	schtasks.exe
1648	schtasks.exe
2272	schtasks.exe
2616	schtasks.exe
2296	schtasks.exe
1588	schtasks.exe
1256	schtasks.exe
892	schtasks.exe
2776	schtasks.exe
2200	schtasks.exe
2712	schtasks.exe
2624	schtasks.exe
2592	schtasks.exe
1904	schtasks.exe
1040	schtasks.exe
2440	schtasks.exe
780	schtasks.exe
2884	schtasks.exe
2568	schtasks.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
1744	DllCommonsvc.exe
2912	powershell.exe
1180	powershell.exe
2876	powershell.exe
2128	powershell.exe
668	powershell.exe
2868	powershell.exe
1660	powershell.exe
1536	powershell.exe
448	powershell.exe
2296	dllhost.exe
1424	dllhost.exe
2140	dllhost.exe
556	dllhost.exe
2408	dllhost.exe
2168	dllhost.exe
836	dllhost.exe
1508	dllhost.exe
336	dllhost.exe
2124	dllhost.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	1744	DllCommonsvc.exe
Token: SeDebugPrivilege	2912	powershell.exe
Token: SeDebugPrivilege	1180	powershell.exe
Token: SeDebugPrivilege	2876	powershell.exe
Token: SeDebugPrivilege	668	powershell.exe
Token: SeDebugPrivilege	2128	powershell.exe
Token: SeDebugPrivilege	2868	powershell.exe
Token: SeDebugPrivilege	1660	powershell.exe
Token: SeDebugPrivilege	1536	powershell.exe
Token: SeDebugPrivilege	448	powershell.exe
Token: SeDebugPrivilege	2296	dllhost.exe
Token: SeDebugPrivilege	1424	dllhost.exe
Token: SeDebugPrivilege	2140	dllhost.exe
Token: SeDebugPrivilege	556	dllhost.exe
Token: SeDebugPrivilege	2408	dllhost.exe
Token: SeDebugPrivilege	2168	dllhost.exe
Token: SeDebugPrivilege	836	dllhost.exe
Token: SeDebugPrivilege	1508	dllhost.exe
Token: SeDebugPrivilege	336	dllhost.exe
Token: SeDebugPrivilege	2124	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 584 wrote to memory of 2284	584	JaffaCakes118_54bcfc7d592203727352c1ba44593ffbbfd08992e160c720ffca8c77837d3d15.exe	31
PID 584 wrote to memory of 2284	584	JaffaCakes118_54bcfc7d592203727352c1ba44593ffbbfd08992e160c720ffca8c77837d3d15.exe	31
PID 584 wrote to memory of 2284	584	JaffaCakes118_54bcfc7d592203727352c1ba44593ffbbfd08992e160c720ffca8c77837d3d15.exe	31
PID 584 wrote to memory of 2284	584	JaffaCakes118_54bcfc7d592203727352c1ba44593ffbbfd08992e160c720ffca8c77837d3d15.exe	31
PID 2284 wrote to memory of 2072	2284	WScript.exe	32
PID 2284 wrote to memory of 2072	2284	WScript.exe	32
PID 2284 wrote to memory of 2072	2284	WScript.exe	32
PID 2284 wrote to memory of 2072	2284	WScript.exe	32
PID 2072 wrote to memory of 1744	2072	cmd.exe	34
PID 2072 wrote to memory of 1744	2072	cmd.exe	34
PID 2072 wrote to memory of 1744	2072	cmd.exe	34
PID 2072 wrote to memory of 1744	2072	cmd.exe	34
PID 1744 wrote to memory of 2876	1744	DllCommonsvc.exe	60
PID 1744 wrote to memory of 2876	1744	DllCommonsvc.exe	60
PID 1744 wrote to memory of 2876	1744	DllCommonsvc.exe	60
PID 1744 wrote to memory of 2868	1744	DllCommonsvc.exe	61
PID 1744 wrote to memory of 2868	1744	DllCommonsvc.exe	61
PID 1744 wrote to memory of 2868	1744	DllCommonsvc.exe	61
PID 1744 wrote to memory of 2128	1744	DllCommonsvc.exe	63
PID 1744 wrote to memory of 2128	1744	DllCommonsvc.exe	63
PID 1744 wrote to memory of 2128	1744	DllCommonsvc.exe	63
PID 1744 wrote to memory of 1536	1744	DllCommonsvc.exe	64
PID 1744 wrote to memory of 1536	1744	DllCommonsvc.exe	64
PID 1744 wrote to memory of 1536	1744	DllCommonsvc.exe	64
PID 1744 wrote to memory of 1660	1744	DllCommonsvc.exe	66
PID 1744 wrote to memory of 1660	1744	DllCommonsvc.exe	66
PID 1744 wrote to memory of 1660	1744	DllCommonsvc.exe	66
PID 1744 wrote to memory of 448	1744	DllCommonsvc.exe	68
PID 1744 wrote to memory of 448	1744	DllCommonsvc.exe	68
PID 1744 wrote to memory of 448	1744	DllCommonsvc.exe	68
PID 1744 wrote to memory of 1180	1744	DllCommonsvc.exe	69
PID 1744 wrote to memory of 1180	1744	DllCommonsvc.exe	69
PID 1744 wrote to memory of 1180	1744	DllCommonsvc.exe	69
PID 1744 wrote to memory of 668	1744	DllCommonsvc.exe	70
PID 1744 wrote to memory of 668	1744	DllCommonsvc.exe	70
PID 1744 wrote to memory of 668	1744	DllCommonsvc.exe	70
PID 1744 wrote to memory of 2912	1744	DllCommonsvc.exe	71
PID 1744 wrote to memory of 2912	1744	DllCommonsvc.exe	71
PID 1744 wrote to memory of 2912	1744	DllCommonsvc.exe	71
PID 1744 wrote to memory of 1616	1744	DllCommonsvc.exe	78
PID 1744 wrote to memory of 1616	1744	DllCommonsvc.exe	78
PID 1744 wrote to memory of 1616	1744	DllCommonsvc.exe	78
PID 1616 wrote to memory of 2108	1616	cmd.exe	80
PID 1616 wrote to memory of 2108	1616	cmd.exe	80
PID 1616 wrote to memory of 2108	1616	cmd.exe	80
PID 1616 wrote to memory of 2296	1616	cmd.exe	82
PID 1616 wrote to memory of 2296	1616	cmd.exe	82
PID 1616 wrote to memory of 2296	1616	cmd.exe	82
PID 2296 wrote to memory of 1716	2296	dllhost.exe	83
PID 2296 wrote to memory of 1716	2296	dllhost.exe	83
PID 2296 wrote to memory of 1716	2296	dllhost.exe	83
PID 1716 wrote to memory of 2384	1716	cmd.exe	85
PID 1716 wrote to memory of 2384	1716	cmd.exe	85
PID 1716 wrote to memory of 2384	1716	cmd.exe	85
PID 1716 wrote to memory of 1424	1716	cmd.exe	86
PID 1716 wrote to memory of 1424	1716	cmd.exe	86
PID 1716 wrote to memory of 1424	1716	cmd.exe	86
PID 1424 wrote to memory of 1632	1424	dllhost.exe	87
PID 1424 wrote to memory of 1632	1424	dllhost.exe	87
PID 1424 wrote to memory of 1632	1424	dllhost.exe	87
PID 1632 wrote to memory of 2936	1632	cmd.exe	89
PID 1632 wrote to memory of 2936	1632	cmd.exe	89
PID 1632 wrote to memory of 2936	1632	cmd.exe	89
PID 1632 wrote to memory of 2140	1632	cmd.exe	90

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_54bcfc7d592203727352c1ba44593ffbbfd08992e160c720ffca8c77837d3d15.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_54bcfc7d592203727352c1ba44593ffbbfd08992e160c720ffca8c77837d3d15.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:584
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2284
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2072
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1744
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2876
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2868
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2128
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1536
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1660
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\Sample Pictures\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:448
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Documents\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1180
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WMIADAP.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:668
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Desktop\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2912
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GVuBPKZcYk.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1616
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2108
      - C:\Users\All Users\Documents\dllhost.exe
        
        "C:\Users\All Users\Documents\dllhost.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2296
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HiXkD60p2N.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1716
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2384
        
        C:\Users\All Users\Documents\dllhost.exe
        
        "C:\Users\All Users\Documents\dllhost.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1424
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YKuCD7w8Ue.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1632
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2936
        
        C:\Users\All Users\Documents\dllhost.exe
        
        "C:\Users\All Users\Documents\dllhost.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2140
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kYBl3UyOdq.bat"
        11⤵
        
        PID:1804
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:3012
        
        C:\Users\All Users\Documents\dllhost.exe
        
        "C:\Users\All Users\Documents\dllhost.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:556
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AJeLhFiBvb.bat"
        13⤵
        
        PID:2164
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1592
        
        C:\Users\All Users\Documents\dllhost.exe
        
        "C:\Users\All Users\Documents\dllhost.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2408
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5mXdMdden9.bat"
        15⤵
        
        PID:3056
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:696
        
        C:\Users\All Users\Documents\dllhost.exe
        
        "C:\Users\All Users\Documents\dllhost.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2168
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1JZ2DT5CuV.bat"
        17⤵
        
        PID:1660
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2096
        
        C:\Users\All Users\Documents\dllhost.exe
        
        "C:\Users\All Users\Documents\dllhost.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:836
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jnfhf9Euk8.bat"
        19⤵
        
        PID:2132
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2108
        
        C:\Users\All Users\Documents\dllhost.exe
        
        "C:\Users\All Users\Documents\dllhost.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1508
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat"
        21⤵
        
        PID:856
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1988
        
        C:\Users\All Users\Documents\dllhost.exe
        
        "C:\Users\All Users\Documents\dllhost.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:336
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yoQf8QHV2Q.bat"
        23⤵
        
        PID:3032
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:448
        
        C:\Users\All Users\Documents\dllhost.exe
        
        "C:\Users\All Users\Documents\dllhost.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\providercommon\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Pictures\Sample Pictures\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Pictures\Sample Pictures\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Documents\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\All Users\Documents\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Documents\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 6 /tr "'C:\providercommon\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\providercommon\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 8 /tr "'C:\providercommon\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Desktop\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Public\Desktop\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Desktop\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dde88be98846785b202268e6eef7a1ca

SHA1
85f7d3ee387388375895b2067ee4eb42c2c3a255

SHA256
1bb2586e3c4bcd91d44d8d0e8c2393eeef7e423768814c552a0608da906ba3c7

SHA512
0b6eafe6e740d07af53c411fb6bb415ef5242d478e4acec3ecdf282c3e99969380b2bfe705c5299cbc7cfc3323c464d61fa11dbc5604868eb648b75326867b06

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
90dc4068d50d3ea9124972697d28aadc

SHA1
5654e789a828a8f97551c63db43e251208968322

SHA256
ddd1cae5a23d4c5f88779881ea2b9b614066587b8115df216d501dcbc47d6bd3

SHA512
5e1cf74801f55ce24e985c3ada4991f9ec4cbe0574744f0c20f8a78c89f075e9d290b2d4564cd514da447e8d0906aabcb6866e4aeea83ea78f39ce079373c95a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f8cb914df4de3a0d5cfee7473833021a

SHA1
1cdc0096cf904b14aed6346bff7e65659f94c7f7

SHA256
65ab73b230bf7f7370479d94fa41268a56ede7b7c2fc9fe5f536c427b263690d

SHA512
641ae0769732e77b7c4fc47178a8b7ec18d401cd9515ec2bdc525877e1dc05570b5472652de119442b7643cc8d4157a1dc2680333f425910410cef87365e40fe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
04ce9a6429c8406ca40989a12315f784

SHA1
48c493bab9e0a575829ee9c71da4218fd384d182

SHA256
26c49a997fdbd02eefabd935d0db999c1546fc8580b5e059f1404717edfbce98

SHA512
9927416a1ed3319b222730449cb8d64988e46995ea22948d5ca1499cfa02dcd38d0361535fcf106867aba54531cae147f6a71f85b812536fc90a3fe9dd9dbf3a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ed64e2e1bdd0d0f7b5b0fd7b9b51b937

SHA1
c738b95f4d10f074a251e4d40f1252723934c21f

SHA256
0c900e3896a50fc8f69f8baaf304f0d56aa5162f8414ff9f5319ee4ddbc4ad5f

SHA512
635538f66b2ba7b9216e97ebd176d2a821565a4bc359b5f07ec7f6ef33031c1eb12f667c3ee25508c080533dca5158d8648b50f47d5c35f11d5eeba071730552

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4183c5200d0658e70b2ec83997645587

SHA1
bac17e582693115a46f33cb08a2fd4a7bacb9c3f

SHA256
31f9b31c214503d25d9eb51b88bb1847156ccd6ed8065b0e7e99aed84eab329c

SHA512
f1ef7234d37240334bbea902b81220aa35a9993092ff34d6b15a7a1b219c847eda6fa4bf14e53394a78d71f2ade00526433d126ef11c1659c2f28965499fcf5a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6ceb93012e151f3d2acb2eb9a75cadc0

SHA1
dedbadc36da3992a32e1897457552875985a2ec9

SHA256
3a0545a6ece53ba98591ad78516d61c1ee5e9f249e299fd300087a72f990f0c5

SHA512
1ac01c379d2a56b6ce8170ad5fb0bb8bc86b80fa52b9f26a4eda3b36ca27f5e1f5813d97c74ec070d47278c446eaf0ebef9db369489c93c15cb93763fc5f364f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
436cc13756fc5bfa3893f013c94eee63

SHA1
c30c8840ecbff4cb72f7dbab770ad7162ebc79b5

SHA256
66e80abe7d8d9c3edbfdd49f365904ee40744c12d6962850bfbb42bfa2ff0a27

SHA512
bbf8487016463eb816e5109b9c8189d315e2891ec21967f707f6426cc2eae626f8807e95c9baa64230c3abf051d7735d408770787705e4319668a10492bbbe9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1JZ2DT5CuV.bat

Filesize
205B

MD5
6376a06c9d2868c5339471f60d1d04ce

SHA1
3b6017a1db5e131df810af3fbefe8c43812314e7

SHA256
b4257a3abfdb3e1965420ff99954136919bcae8d01caabd22f1010db31a6adc1

SHA512
7b2c799cf0574eb79b6bb1a6ab2e05160ffef73d893e32e7f12225f04bfdbf213b6563ee9258440a5475df387721d977613a897e53be14f274fbe5d5b806bab4

Download Submit
C:\Users\Admin\AppData\Local\Temp\5mXdMdden9.bat

Filesize
205B

MD5
56820cd5975272cc660834becadd73d0

SHA1
4df342e971ea76bb1a6bfb5842acb3c740d35139

SHA256
df496f4b912699a8fc5d34f748d77ab1791ff244e59d7fdab7db93cd57ded697

SHA512
068ee2bac9ce460b002cca5b52a8030bdf892fd57d6fb5db2e273a3b6376b728370c309502646b71d5d6930d76f63bc338ac565d20ebb0ae9b9cf5770c41dc6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\AJeLhFiBvb.bat

Filesize
205B

MD5
2ac0b3d6464aeb8f5f44efc89b4e015d

SHA1
d93310af552c29d2da9d686901b126dbdb79b956

SHA256
e1b0f43df798e56ca6b44035f9d84dab2bc88ef60d3ffa3b365edc4ec62906cc

SHA512
af3532a66481d05353aa435527036280a825671313a89310ea00d4b689d695ec26b5f5f09820d7a85efc7ef4393a8a1c9dcf6aaf9f70e5daa430dd54046e0cd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2232.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat

Filesize
205B

MD5
941fb92b4d58caff8bbaedca99e1a74a

SHA1
ff62d2e78c55dd999d659292bd743553814afd6d

SHA256
faa14784d063d02cbaee4d91884008c404264b4fd427009f966dc7bdf8d733db

SHA512
03237ff330e52ed50f921a7517a8357a15f519584bb0dd98dbf8ed15cb5ee8953f1af1e3c83d5184154887109dc2e3276815793a49a868f84a371d1df7face91

Download Submit
C:\Users\Admin\AppData\Local\Temp\GVuBPKZcYk.bat

Filesize
205B

MD5
62baeaa1988a65ae6f2facc8f562ed88

SHA1
8db8c40dedb9e3a4ee08c3648d12b00ba7aa7420

SHA256
f687a60e76e12096e6b760ec3601a4ebac132b47a6e239b53ba221eee8060200

SHA512
471067afa51e8f5caa7d67e505b0160cbd4b6282b2f50d4a21f567472fd9586747049c44626bbc8638fba51fbac15274393f3c17cefaf63a3d2d5feee33138c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\HiXkD60p2N.bat

Filesize
205B

MD5
b35630d2ed0a0dbf7e4f6e672f1fb127

SHA1
f977968fc49d3b5133d0e2e8a6bb0bb8c05e7c45

SHA256
b0719f679e47670a601a8a8ec012410670b131db47a05cd637b3d1d2aca390e8

SHA512
007559f3407b92f7ece2f0e4192fe41d69c5a35fab1c6dd71870c0fe7d5ff34bbed5f657ab54f5323eea8287f6e6af207cde0ea2f3380776b927e9f3d8bda796

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2255.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\YKuCD7w8Ue.bat

Filesize
205B

MD5
df880a1a0293f49d9cb9dae5c14f9cc8

SHA1
bf08b905c7bbe96ea2bb6ceb9e3ad4fbc5b36515

SHA256
6989d5a8fa630adb5a044705d62ab14f8cb6f2a988245841d6930e8fa85fdfdd

SHA512
08fb3c836718e18670e0a7a61d9e57a08ae2816263b3645f30a195ecf90870e4048b56ebdba470e5e75e11ca459c06302e055b9b4e59aad2a4ae26e5dcfd6759

Download Submit
C:\Users\Admin\AppData\Local\Temp\jnfhf9Euk8.bat

Filesize
205B

MD5
ce26ecf8c652e45e18a8295f583d8a43

SHA1
ffed2b81430bf5a40bf00289c7742ffd2f6c0a99

SHA256
fb0aa61d06460816f8f534ac9a982011cb8f293e5f0062757bab50387ec78a6d

SHA512
4798fec70494b08154e32ff7d5195ac8fb0bec4bb0a4f239b52ca1cfe304256af7464fcd01e2c5cd0d3fa882453ffd266a5b3a4897300326bf0e4c3eada37ecf

Download Submit
C:\Users\Admin\AppData\Local\Temp\kYBl3UyOdq.bat

Filesize
205B

MD5
161ed40a5ca10867559789a558927eee

SHA1
fec1defe9709561498c77b227c516cd5f052b621

SHA256
558cda61221e38a387069bc5e0ad8d5bee03c50b93881ee981182208ca328629

SHA512
0a2a160e910e1c90d0c3fe45c4b460a02f36441fd46aa1682d5d6610ded35fb61dcccd4131b3771245ef7b5f25d0d151c83e419618b658f173c3ab46c15fa8af

Download Submit
C:\Users\Admin\AppData\Local\Temp\yoQf8QHV2Q.bat

Filesize
205B

MD5
28fa550c6d7d551e62ef069c096a35fe

SHA1
ed8355087272042f7050af8b09310736d2ed4f75

SHA256
a72b805f480ab5612c6347c573cfa7da2133df32530f16a3f4c5bd8f66b35d87

SHA512
a88bee7485d3054282d812f335c6fdfbf1133a8cb19a1a5fa8d6027945dc8bcaa15c5072ed0ea9810759383d75b5d5d88b0e0604a3626a025cef0d58800186cc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
94d130c46f40cd28c6cad29f554d2c06

SHA1
b6467931fde5810b3f2f7fddaabd315614bfbe44

SHA256
443c81562bd9d7e1c2c3f49237a5dca9785e65e44fe4bfb35d67cd95d9f0d6bd

SHA512
54c18d5a2aacf8cf722e231471019f929e248288206a067d13575f33bf7083599e58fbb6a7142e1a74a1852991c483c49a082d03c4be25aceb9e5b13cf87c64f

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/336-567-0x0000000001290000-0x00000000013A0000-memory.dmp

Filesize
1.1MB

Download
memory/556-267-0x0000000000180000-0x0000000000290000-memory.dmp

Filesize
1.1MB

Download
memory/836-447-0x00000000001E0000-0x00000000002F0000-memory.dmp

Filesize
1.1MB

Download
memory/1424-147-0x0000000000B00000-0x0000000000C10000-memory.dmp

Filesize
1.1MB

Download
memory/1508-507-0x0000000001200000-0x0000000001310000-memory.dmp

Filesize
1.1MB

Download
memory/1744-13-0x00000000013A0000-0x00000000014B0000-memory.dmp

Filesize
1.1MB

Download
memory/1744-17-0x0000000000470000-0x000000000047C000-memory.dmp

Filesize
48KB

Download
memory/1744-16-0x0000000000450000-0x000000000045C000-memory.dmp

Filesize
48KB

Download
memory/1744-15-0x0000000000460000-0x000000000046C000-memory.dmp

Filesize
48KB

Download
memory/1744-14-0x0000000000330000-0x0000000000342000-memory.dmp

Filesize
72KB

Download
memory/2140-207-0x0000000000F10000-0x0000000001020000-memory.dmp

Filesize
1.1MB

Download
memory/2296-88-0x00000000001E0000-0x00000000001F2000-memory.dmp

Filesize
72KB

Download
memory/2296-87-0x00000000000B0000-0x00000000001C0000-memory.dmp

Filesize
1.1MB

Download
memory/2408-328-0x0000000000330000-0x0000000000342000-memory.dmp

Filesize
72KB

Download
memory/2408-327-0x0000000001060000-0x0000000001170000-memory.dmp

Filesize
1.1MB

Download
memory/2876-54-0x000000001B710000-0x000000001B9F2000-memory.dmp

Filesize
2.9MB

Download
memory/2912-63-0x0000000001D20000-0x0000000001D28000-memory.dmp

Filesize
32KB

Download