dcrat | 89170f4255ce0abfbe51de9263284b7040119f80a85fff319cc726d1ee0d1c2b

Analysis

max time kernel
146s
max time network
141s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 21:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_89170f4255ce0abfbe51de9263284b7040119f80a85fff319cc726d1ee0d1c2b.exe
Size

1.3MB
MD5

3a682b5d30d5a70e5dc814d7d46e50cb
SHA1

8e227c99cd2052ded953f24274da314548dfb573
SHA256

89170f4255ce0abfbe51de9263284b7040119f80a85fff319cc726d1ee0d1c2b
SHA512

9e86da0b8c4d14b01fc2cf4e9ed513398702d5e242ca28a514cc7fee4fd1c651c326b12c699f89c7b986affdf346a5f94190d61d0801a9245f133dc4d49d49ca
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2392	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	684	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1296	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	644	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1324	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1360	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1228	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1840	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1172	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2476	2724	schtasks.exe	34

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000019230-12.dat	dcrat
behavioral1/memory/1208-13-0x0000000000370000-0x0000000000480000-memory.dmp	dcrat
behavioral1/memory/2864-87-0x0000000000A10000-0x0000000000B20000-memory.dmp	dcrat
behavioral1/memory/3004-264-0x00000000011F0000-0x0000000001300000-memory.dmp	dcrat
behavioral1/memory/1444-383-0x0000000000240000-0x0000000000350000-memory.dmp	dcrat
behavioral1/memory/2080-443-0x00000000002F0000-0x0000000000400000-memory.dmp	dcrat
behavioral1/memory/2144-504-0x00000000011C0000-0x00000000012D0000-memory.dmp	dcrat
behavioral1/memory/2720-623-0x0000000001370000-0x0000000001480000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2372	powershell.exe
1888	powershell.exe
2088	powershell.exe
2704	powershell.exe
2920	powershell.exe
2496	powershell.exe
2488	powershell.exe
1700	powershell.exe
1976	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
1208	DllCommonsvc.exe
2864	conhost.exe
1480	conhost.exe
1100	conhost.exe
3004	conhost.exe
2428	conhost.exe
1444	conhost.exe
2080	conhost.exe
2144	conhost.exe
1724	conhost.exe
2720	conhost.exe

Loads dropped DLL 2 IoCs

pid	Process
2700	cmd.exe
2700	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
26	raw.githubusercontent.com
29	raw.githubusercontent.com
30	raw.githubusercontent.com
5	raw.githubusercontent.com
19	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com
23	raw.githubusercontent.com
33	raw.githubusercontent.com
4	raw.githubusercontent.com
9	raw.githubusercontent.com

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\088424020bedd6	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\dwm.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\6cb0b6c459d5d3	DllCommonsvc.exe
File created	C:\Program Files\Java\jre7\bin\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files\Java\jre7\bin\886983d96e3d3e	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Logs\HomeGroup\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Windows\Logs\HomeGroup\24dbde2999530e	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_89170f4255ce0abfbe51de9263284b7040119f80a85fff319cc726d1ee0d1c2b.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
684	schtasks.exe
1324	schtasks.exe
1528	schtasks.exe
1172	schtasks.exe
2648	schtasks.exe
2856	schtasks.exe
2608	schtasks.exe
2060	schtasks.exe
644	schtasks.exe
1480	schtasks.exe
1608	schtasks.exe
1840	schtasks.exe
2632	schtasks.exe
2776	schtasks.exe
2628	schtasks.exe
3028	schtasks.exe
2392	schtasks.exe
1296	schtasks.exe
1360	schtasks.exe
2476	schtasks.exe
2456	schtasks.exe
1652	schtasks.exe
1228	schtasks.exe
1760	schtasks.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
1208	DllCommonsvc.exe
2496	powershell.exe
2704	powershell.exe
2920	powershell.exe
1700	powershell.exe
2372	powershell.exe
2488	powershell.exe
2088	powershell.exe
1888	powershell.exe
1976	powershell.exe
2864	conhost.exe
1480	conhost.exe
1100	conhost.exe
3004	conhost.exe
2428	conhost.exe
1444	conhost.exe
2080	conhost.exe
2144	conhost.exe
1724	conhost.exe
2720	conhost.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	1208	DllCommonsvc.exe
Token: SeDebugPrivilege	2496	powershell.exe
Token: SeDebugPrivilege	2704	powershell.exe
Token: SeDebugPrivilege	2920	powershell.exe
Token: SeDebugPrivilege	1700	powershell.exe
Token: SeDebugPrivilege	2372	powershell.exe
Token: SeDebugPrivilege	2488	powershell.exe
Token: SeDebugPrivilege	2088	powershell.exe
Token: SeDebugPrivilege	1888	powershell.exe
Token: SeDebugPrivilege	1976	powershell.exe
Token: SeDebugPrivilege	2864	conhost.exe
Token: SeDebugPrivilege	1480	conhost.exe
Token: SeDebugPrivilege	1100	conhost.exe
Token: SeDebugPrivilege	3004	conhost.exe
Token: SeDebugPrivilege	2428	conhost.exe
Token: SeDebugPrivilege	1444	conhost.exe
Token: SeDebugPrivilege	2080	conhost.exe
Token: SeDebugPrivilege	2144	conhost.exe
Token: SeDebugPrivilege	1724	conhost.exe
Token: SeDebugPrivilege	2720	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2264 wrote to memory of 2200	2264	JaffaCakes118_89170f4255ce0abfbe51de9263284b7040119f80a85fff319cc726d1ee0d1c2b.exe	30
PID 2264 wrote to memory of 2200	2264	JaffaCakes118_89170f4255ce0abfbe51de9263284b7040119f80a85fff319cc726d1ee0d1c2b.exe	30
PID 2264 wrote to memory of 2200	2264	JaffaCakes118_89170f4255ce0abfbe51de9263284b7040119f80a85fff319cc726d1ee0d1c2b.exe	30
PID 2264 wrote to memory of 2200	2264	JaffaCakes118_89170f4255ce0abfbe51de9263284b7040119f80a85fff319cc726d1ee0d1c2b.exe	30
PID 2200 wrote to memory of 2700	2200	WScript.exe	31
PID 2200 wrote to memory of 2700	2200	WScript.exe	31
PID 2200 wrote to memory of 2700	2200	WScript.exe	31
PID 2200 wrote to memory of 2700	2200	WScript.exe	31
PID 2700 wrote to memory of 1208	2700	cmd.exe	33
PID 2700 wrote to memory of 1208	2700	cmd.exe	33
PID 2700 wrote to memory of 1208	2700	cmd.exe	33
PID 2700 wrote to memory of 1208	2700	cmd.exe	33
PID 1208 wrote to memory of 1888	1208	DllCommonsvc.exe	59
PID 1208 wrote to memory of 1888	1208	DllCommonsvc.exe	59
PID 1208 wrote to memory of 1888	1208	DllCommonsvc.exe	59
PID 1208 wrote to memory of 2088	1208	DllCommonsvc.exe	60
PID 1208 wrote to memory of 2088	1208	DllCommonsvc.exe	60
PID 1208 wrote to memory of 2088	1208	DllCommonsvc.exe	60
PID 1208 wrote to memory of 2496	1208	DllCommonsvc.exe	61
PID 1208 wrote to memory of 2496	1208	DllCommonsvc.exe	61
PID 1208 wrote to memory of 2496	1208	DllCommonsvc.exe	61
PID 1208 wrote to memory of 2488	1208	DllCommonsvc.exe	62
PID 1208 wrote to memory of 2488	1208	DllCommonsvc.exe	62
PID 1208 wrote to memory of 2488	1208	DllCommonsvc.exe	62
PID 1208 wrote to memory of 2704	1208	DllCommonsvc.exe	63
PID 1208 wrote to memory of 2704	1208	DllCommonsvc.exe	63
PID 1208 wrote to memory of 2704	1208	DllCommonsvc.exe	63
PID 1208 wrote to memory of 1700	1208	DllCommonsvc.exe	64
PID 1208 wrote to memory of 1700	1208	DllCommonsvc.exe	64
PID 1208 wrote to memory of 1700	1208	DllCommonsvc.exe	64
PID 1208 wrote to memory of 2920	1208	DllCommonsvc.exe	65
PID 1208 wrote to memory of 2920	1208	DllCommonsvc.exe	65
PID 1208 wrote to memory of 2920	1208	DllCommonsvc.exe	65
PID 1208 wrote to memory of 1976	1208	DllCommonsvc.exe	66
PID 1208 wrote to memory of 1976	1208	DllCommonsvc.exe	66
PID 1208 wrote to memory of 1976	1208	DllCommonsvc.exe	66
PID 1208 wrote to memory of 2372	1208	DllCommonsvc.exe	67
PID 1208 wrote to memory of 2372	1208	DllCommonsvc.exe	67
PID 1208 wrote to memory of 2372	1208	DllCommonsvc.exe	67
PID 1208 wrote to memory of 1064	1208	DllCommonsvc.exe	73
PID 1208 wrote to memory of 1064	1208	DllCommonsvc.exe	73
PID 1208 wrote to memory of 1064	1208	DllCommonsvc.exe	73
PID 1064 wrote to memory of 3004	1064	cmd.exe	79
PID 1064 wrote to memory of 3004	1064	cmd.exe	79
PID 1064 wrote to memory of 3004	1064	cmd.exe	79
PID 1064 wrote to memory of 2864	1064	cmd.exe	81
PID 1064 wrote to memory of 2864	1064	cmd.exe	81
PID 1064 wrote to memory of 2864	1064	cmd.exe	81
PID 2864 wrote to memory of 2332	2864	conhost.exe	82
PID 2864 wrote to memory of 2332	2864	conhost.exe	82
PID 2864 wrote to memory of 2332	2864	conhost.exe	82
PID 2332 wrote to memory of 652	2332	cmd.exe	84
PID 2332 wrote to memory of 652	2332	cmd.exe	84
PID 2332 wrote to memory of 652	2332	cmd.exe	84
PID 2332 wrote to memory of 1480	2332	cmd.exe	85
PID 2332 wrote to memory of 1480	2332	cmd.exe	85
PID 2332 wrote to memory of 1480	2332	cmd.exe	85
PID 1480 wrote to memory of 844	1480	conhost.exe	86
PID 1480 wrote to memory of 844	1480	conhost.exe	86
PID 1480 wrote to memory of 844	1480	conhost.exe	86
PID 844 wrote to memory of 1772	844	cmd.exe	88
PID 844 wrote to memory of 1772	844	cmd.exe	88
PID 844 wrote to memory of 1772	844	cmd.exe	88
PID 844 wrote to memory of 1100	844	cmd.exe	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_89170f4255ce0abfbe51de9263284b7040119f80a85fff319cc726d1ee0d1c2b.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_89170f4255ce0abfbe51de9263284b7040119f80a85fff319cc726d1ee0d1c2b.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2264
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2200
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2700
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1208
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1888
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2088
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2496
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2488
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Links\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2704
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\RedistList\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1700
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Logs\HomeGroup\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2920
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Adobe\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1976
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jre7\bin\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2372
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fcjBxfEQhp.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1064
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:3004
      - C:\Users\All Users\Adobe\conhost.exe
        
        "C:\Users\All Users\Adobe\conhost.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2864
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Z87Ce65nyU.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2332
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:652
        
        C:\Users\All Users\Adobe\conhost.exe
        
        "C:\Users\All Users\Adobe\conhost.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1480
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\axBdnWD1Gl.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:844
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:1772
        
        C:\Users\All Users\Adobe\conhost.exe
        
        "C:\Users\All Users\Adobe\conhost.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1100
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ay5NT8uJA6.bat"
        11⤵
        
        PID:1836
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2088
        
        C:\Users\All Users\Adobe\conhost.exe
        
        "C:\Users\All Users\Adobe\conhost.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3004
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jFR8woBO6B.bat"
        13⤵
        
        PID:2456
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2640
        
        C:\Users\All Users\Adobe\conhost.exe
        
        "C:\Users\All Users\Adobe\conhost.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2428
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tYG4XGbOex.bat"
        15⤵
        
        PID:1560
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2984
        
        C:\Users\All Users\Adobe\conhost.exe
        
        "C:\Users\All Users\Adobe\conhost.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1444
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Pbgl9PPr7s.bat"
        17⤵
        
        PID:2968
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1100
        
        C:\Users\All Users\Adobe\conhost.exe
        
        "C:\Users\All Users\Adobe\conhost.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2080
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dFeEewS5jL.bat"
        19⤵
        
        PID:1512
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1344
        
        C:\Users\All Users\Adobe\conhost.exe
        
        "C:\Users\All Users\Adobe\conhost.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2144
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pgCyA6Uc1O.bat"
        21⤵
        
        PID:2396
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1708
        
        C:\Users\All Users\Adobe\conhost.exe
        
        "C:\Users\All Users\Adobe\conhost.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1724
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yXZnhMCmO6.bat"
        23⤵
        
        PID:2664
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:352
        
        C:\Users\All Users\Adobe\conhost.exe
        
        "C:\Users\All Users\Adobe\conhost.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\providercommon\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\providercommon\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Links\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default\Links\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Links\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Windows\Logs\HomeGroup\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\Logs\HomeGroup\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Windows\Logs\HomeGroup\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Adobe\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Adobe\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Java\jre7\bin\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\bin\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Java\jre7\bin\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
674c78ea0874125f67744ae53fb0d8b8

SHA1
a642f620d55e359267f04331725fd1abebbfff84

SHA256
1c573a4169033e2dadfb22a8ff1b72808208e6e540d8ca4a5921f92ffe41ec30

SHA512
2b048099a43a0dd7a5abedf1e34b28b9b26aedeb6a8e5d2317283bb8265774caf1a65b501a88a75b1797802de747d215a8934932926ff9efafd0ba4267474a88

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ee133e65e6ff94e5167f32021e276483

SHA1
8bcb25b83be65defc36daa442b8dd67882077bdf

SHA256
279bed7af602e4a8bb84c27d0ee5a2b6934cf4183fa152f57ad92413cb5b717d

SHA512
747b2dc0047957534a7c14c4e3872a269a2ad81efcdf639b77aa5805c5864260f8158b4a8f8e5b0f6b82b9650c4ae7e0bccf2d2988e3421a783cbd4f0a7c4b8a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
390da4e339a2d7a50c364ea3b1285c5c

SHA1
d40bde7b48b138352f760579d17627435a9e2b05

SHA256
f9a48cece5cd53495881624bf33dee310329b60fd810f06d14512427a675381b

SHA512
3b869dc31f6cbe04c3aa349817c87850366a40c41179a7176816b3ca18c39dfe8fa880c14069776b5aeab774b409d070140b76bc68ec354c2852ed66fadb97cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c10e45ec2c0aec3a741b9afc5b6887d6

SHA1
0f428e85fe18586df619c1f39cc4b95378abe662

SHA256
59404a9f78d84badf6a30c5a88545ec3a4e26c69d4db791cdc2bc525527264cb

SHA512
0afda7186d1b1afca4d82cd0fed4101eb19be99dbb0a51801bac64f250b0030faff96e6f49efb9697191e19ca04f3c3e01a2c50d541030d65e57624530a8d949

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e2f60ea0aa320b3c0d3f29af8cf486c5

SHA1
1bbd9fcb312c097a34e7e86e0d4bd22da2d90524

SHA256
b65d887ff6ce38e385b97e1aae7f97931d06955325085d0fd2f4279a40877e73

SHA512
1acadb637ca0310d0f0f4501b7a051841246a97fc1a11fd4ede5b886d402f94decd7c38c1da890fc38c6875f897f02297067f1671052795f1871c2759484edd1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9e2d39a9aaa5b11b3d20866f5684c40c

SHA1
5ae60398ae3c1bb64ef48f84fead870cd8b55859

SHA256
13487312ad75cb3c2716ec97e090d4a69fb3ca1c8ac329a34794feefcc252c6d

SHA512
6affd364b91bdb16c034c11a8890a0eda78a32195e7f8ee5a447b645ba00c929edc2e6106cf7fb133a9315702ba4effd45fb39a4a555bd1419ad130c7c85ef32

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
39bab904fa36758f2cbaacd287f13ef9

SHA1
3fdd0be5820db5b6ed9def7d124d2d7f844c968b

SHA256
bb72eb2faaec6a84df87a3138865e1cda77e72a7f45dddde9c576da1bf0c967e

SHA512
3332e0f397a5d104eb57c7b7fd98b5ae3aed2e7cb8735d88e1ba762e7fc3510151aadd44336da08188dac2ad55f576b34f6520f2debc62eacd408aaf1617defe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
909fa546f71dfed7bc7a5108571e48c5

SHA1
6568479cbb0d63d1d6956a002c478e6c41111937

SHA256
a6e96712e0f5ff730a0bfcde833617aff66e9d82adf0a56d3d45689e73c1f994

SHA512
2787448db021504b135f9defc69230773f16c043a64f3ebb8de9ca880edca644f710fb23fe3f733e69ea776b30989f285d392c2436690dd0e83353ceb450f6d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab27ED.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pbgl9PPr7s.bat

Filesize
201B

MD5
7aef9cc7da9dd4018f902c2889f5dc9d

SHA1
1e5b8b9f792be863fca570194c1f867a079e5f9a

SHA256
33286066f2201eaa3f07c7bae4ad107c02d6326323b496eefa6fb36beed967a8

SHA512
e7763d06b34be33fca76fe207429bb848f28f22e046707fea271549db129e2148976e8a507ab486ec68ac1772325d132abee9b9dcba9804c54aca5d3adfb875e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar27FF.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Z87Ce65nyU.bat

Filesize
201B

MD5
0a78c2c6557bed6de34319a60dd93578

SHA1
5415bbdc9fec6d5521ba5e0dfde0eff8575d747f

SHA256
8e55aaa53c1cd750c973f0acb0784fd57c7929449e46769520e28158cc0d679c

SHA512
419183cf021debab63b5de33a37d7b03442fa4fbca83c4619a10b25c18a1591d36c5439dcea4b50a44c297eafc9400c142977fe861b18cbc34353cf676ef17de

Download Submit
C:\Users\Admin\AppData\Local\Temp\axBdnWD1Gl.bat

Filesize
201B

MD5
fb72aedece4fb3e92672d8c661b7b832

SHA1
f76e98d9d0a09875f37dd160e1ef59cc9c9e21eb

SHA256
4627979f896a4fa30f9b6b7d63a7a0979415efd337480322807b92a4dbda0bcf

SHA512
e712c4834a3d65501e49c42936b9d5b13a2cd379f6b77c20c6c5d9ae7eb9ab0692d23106fbc653a23e98f037293693d991081ded921716ccebacec3e6b965e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ay5NT8uJA6.bat

Filesize
201B

MD5
2a8927ad1bd369299b0ef13d247ef09f

SHA1
361efae7feb3c519d96af01a000ae265dec67a6b

SHA256
3a8a736587090878674b4c057aff4dc59d1cd97188d29e1eba71137c480defb2

SHA512
096c55c324aa075c5c7b210a4c2dca6504e04bbc9a86540cf8047228b8ef60a7ab7cf6dcb07d6448c92f28203f831e8b1ee62207c888cfa7d34ed0dde4a2909a

Download Submit
C:\Users\Admin\AppData\Local\Temp\dFeEewS5jL.bat

Filesize
201B

MD5
cb165dec1f66111c05c9533de97f924c

SHA1
8aeaf8884f2febf856ee57efc88c66987e1ffb14

SHA256
14b87300eefa283584c6dddaf85e30131fc45ef4b47bd468905014b244115823

SHA512
2bcb0c45c25b3c91035e30a925d255ef13ac865c6986bc44b11cda4b8bb0579a0ffda034afbefae39fe2f5a0ede221c659d344284f9eacc8e88b49e7ab723402

Download Submit
C:\Users\Admin\AppData\Local\Temp\fcjBxfEQhp.bat

Filesize
201B

MD5
55b7720014b6b4427197b85ed167eb09

SHA1
90c2c1e01f1647874772c16e2e37acaef1dc13dc

SHA256
155280bf2a49eab4ef566aefa3c206a3adf3317edf1b0549720378494bd61054

SHA512
9a7645dd5217ec45cb08adbca3cb5bb8fbbe9bcb07ac9145c7eb350744b2618992f68bc994da0b8c0e5348a5113a7e637e2eb05b238e80bacab01aa8a9964e74

Download Submit
C:\Users\Admin\AppData\Local\Temp\jFR8woBO6B.bat

Filesize
201B

MD5
91293c5fbe63e96711d8c957b4e77bce

SHA1
fcff4f2956fcf4c2c00e793fe9cffb3ed4aa071d

SHA256
44d45b9748bf856f27b711a2544f9d9f75255e653693bfe66d865cf687f097a4

SHA512
955304374b65a9bb63eef27b00320afd019422f6c739527df8cd228cb55d566ae5522947323559b0f897ea737322f16e6237f511e8ccf5dc842cb80efb6b5d9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\pgCyA6Uc1O.bat

Filesize
201B

MD5
9ff6ff27e23d117a0791b398d11ef957

SHA1
5841ad4988d45b52cd60f545e12c7dd8ab7e68a6

SHA256
f89ab0d330ae48daa324b36721390ca9d582d6a9a50ee15aa7afb1d5486b76e9

SHA512
935f7b0bf1fb9b48e09d9c25e1a1b272205ecb14d71d4d9a38eb391ed5e64a86e36b2709d222c918e040c43360db09fc8ccad002841ac438dcfd5947a22d0a64

Download Submit
C:\Users\Admin\AppData\Local\Temp\tYG4XGbOex.bat

Filesize
201B

MD5
11036dad6cfd6131d962591d4bee6d2b

SHA1
1f3edb24f6992a2127112fc058712f9a0958ca47

SHA256
2a7fe6bec089426866089d019b77dd82a2bd5f9a772fc61e5c0d2de0e62632bf

SHA512
b07c6ec8744ad9cd2efc3f943da34a28b5c76a7727bb8034687105912e7486494d58004d281aa472f2e1cd632170ee9bd599e6e1847f1ee583046368cf4ac742

Download Submit
C:\Users\Admin\AppData\Local\Temp\yXZnhMCmO6.bat

Filesize
201B

MD5
ab7ad12683d15ed10c2dd357815732f2

SHA1
ae54d45cf404525ec5c77b1d7473ddc1e5dcde3f

SHA256
18030f2afb0d6db3aeb5fee39731a933fcb93da43bedf7c2d647316846bfe6ef

SHA512
26b066d8bc71c19633254af13590c9e6fd2c3ec48df4c84fdc20a9ef4cfda16fe0c24a646746bb6f4b26ed2cd0f94f1dee08cbeec648464556e31e26ec68b240

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
bc0b6f5ffa788ab712b28d1b8f2f8dc0

SHA1
23f9807d2c0423f1c8ccef2fe3ef7fce7923b7da

SHA256
3d135348d37d0716134c2a83c05cddf584721905c9f2fbc9429ad35aad53d8b4

SHA512
9a9daf7757136af4fdfefcd23a789eeda3d25140f283ed7a8e4aa8b01f27e2b4d398bab1b9536fd02de3f115db1fe1731c1169b7488fc266abfca68cb50f4f4c

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1208-17-0x0000000000280000-0x000000000028C000-memory.dmp

Filesize
48KB

Download
memory/1208-15-0x0000000000270000-0x000000000027C000-memory.dmp

Filesize
48KB

Download
memory/1208-14-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/1208-16-0x0000000000260000-0x000000000026C000-memory.dmp

Filesize
48KB

Download
memory/1208-13-0x0000000000370000-0x0000000000480000-memory.dmp

Filesize
1.1MB

Download
memory/1444-383-0x0000000000240000-0x0000000000350000-memory.dmp

Filesize
1.1MB

Download
memory/2080-444-0x00000000002E0000-0x00000000002F2000-memory.dmp

Filesize
72KB

Download
memory/2080-443-0x00000000002F0000-0x0000000000400000-memory.dmp

Filesize
1.1MB

Download
memory/2144-504-0x00000000011C0000-0x00000000012D0000-memory.dmp

Filesize
1.1MB

Download
memory/2496-48-0x0000000002230000-0x0000000002238000-memory.dmp

Filesize
32KB

Download
memory/2496-47-0x000000001B710000-0x000000001B9F2000-memory.dmp

Filesize
2.9MB

Download
memory/2720-623-0x0000000001370000-0x0000000001480000-memory.dmp

Filesize
1.1MB

Download
memory/2864-87-0x0000000000A10000-0x0000000000B20000-memory.dmp

Filesize
1.1MB

Download
memory/3004-264-0x00000000011F0000-0x0000000001300000-memory.dmp

Filesize
1.1MB

Download