dcrat | 4c6439b0226104b055a4e16c2f2c62cf68173bb3d6c04eeefb8c7055243c8bdc

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
07-11-2024 13:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4c6439b0226104b055a4e16c2f2c62cf68173bb3d6c04eeefb8c7055243c8bdcN.exe
Size

1.3MB
MD5

3588c45216ac15b394696325eea1f7b0
SHA1

1b7f9c793e3a1a62e4954d18520cbdc97fbe4524
SHA256

4c6439b0226104b055a4e16c2f2c62cf68173bb3d6c04eeefb8c7055243c8bdc
SHA512

dfe2be818e7d7131eeeeff5a3f55e97af0ee02e5f1bcb19ab94dfe0d230e097fbd47c146259f6fabfc95d23a9728e07a64436ce9e1eff2ad07c671b45e760ff4
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	572	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	264	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	528	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	2728	schtasks.exe	34

DCRat payload 12 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016621-9.dat	dcrat
behavioral1/memory/2816-13-0x00000000008B0000-0x00000000009C0000-memory.dmp	dcrat
behavioral1/memory/1088-56-0x0000000001050000-0x0000000001160000-memory.dmp	dcrat
behavioral1/memory/1596-115-0x00000000000C0000-0x00000000001D0000-memory.dmp	dcrat
behavioral1/memory/2744-175-0x0000000000300000-0x0000000000410000-memory.dmp	dcrat
behavioral1/memory/2308-235-0x00000000003B0000-0x00000000004C0000-memory.dmp	dcrat
behavioral1/memory/2416-295-0x0000000000150000-0x0000000000260000-memory.dmp	dcrat
behavioral1/memory/2196-355-0x0000000000250000-0x0000000000360000-memory.dmp	dcrat
behavioral1/memory/1132-416-0x00000000008E0000-0x00000000009F0000-memory.dmp	dcrat
behavioral1/memory/1640-476-0x0000000000AE0000-0x0000000000BF0000-memory.dmp	dcrat
behavioral1/memory/2096-536-0x0000000000310000-0x0000000000420000-memory.dmp	dcrat
behavioral1/memory/2988-596-0x0000000000E00000-0x0000000000F10000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2516	powershell.exe
2500	powershell.exe
2544	powershell.exe
2328	powershell.exe
3068	powershell.exe

Executes dropped EXE 13 IoCs

pid	Process
2816	DllCommonsvc.exe
1088	spoolsv.exe
1596	spoolsv.exe
2744	spoolsv.exe
2308	spoolsv.exe
2416	spoolsv.exe
2196	spoolsv.exe
1132	spoolsv.exe
1640	spoolsv.exe
2096	spoolsv.exe
2988	spoolsv.exe
916	spoolsv.exe
856	spoolsv.exe

Loads dropped DLL 2 IoCs

pid	Process
3040	cmd.exe
3040	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs

Web Service

T1102

flow	ioc
2	raw.githubusercontent.com
3	raw.githubusercontent.com
6	raw.githubusercontent.com
10	raw.githubusercontent.com
18	raw.githubusercontent.com
25	raw.githubusercontent.com
27	raw.githubusercontent.com
29	raw.githubusercontent.com
8	raw.githubusercontent.com
13	raw.githubusercontent.com
15	raw.githubusercontent.com
20	raw.githubusercontent.com
22	raw.githubusercontent.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\f3b6ecef712a24	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\spoolsv.exe	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\addins\wininit.exe	DllCommonsvc.exe
File created	C:\Windows\addins\56085415360792	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4c6439b0226104b055a4e16c2f2c62cf68173bb3d6c04eeefb8c7055243c8bdcN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3012	schtasks.exe
2716	schtasks.exe
572	schtasks.exe
264	schtasks.exe
528	schtasks.exe
2376	schtasks.exe
2128	schtasks.exe
1484	schtasks.exe
2180	schtasks.exe
2608	schtasks.exe
2564	schtasks.exe
3028	schtasks.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
2816	DllCommonsvc.exe
3068	powershell.exe
2500	powershell.exe
2328	powershell.exe
2516	powershell.exe
2544	powershell.exe
1088	spoolsv.exe
1596	spoolsv.exe
2744	spoolsv.exe
2308	spoolsv.exe
2416	spoolsv.exe
2196	spoolsv.exe
1132	spoolsv.exe
1640	spoolsv.exe
2096	spoolsv.exe
2988	spoolsv.exe
916	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	2816	DllCommonsvc.exe
Token: SeDebugPrivilege	3068	powershell.exe
Token: SeDebugPrivilege	2500	powershell.exe
Token: SeDebugPrivilege	2328	powershell.exe
Token: SeDebugPrivilege	2516	powershell.exe
Token: SeDebugPrivilege	2544	powershell.exe
Token: SeDebugPrivilege	1088	spoolsv.exe
Token: SeDebugPrivilege	1596	spoolsv.exe
Token: SeDebugPrivilege	2744	spoolsv.exe
Token: SeDebugPrivilege	2308	spoolsv.exe
Token: SeDebugPrivilege	2416	spoolsv.exe
Token: SeDebugPrivilege	2196	spoolsv.exe
Token: SeDebugPrivilege	1132	spoolsv.exe
Token: SeDebugPrivilege	1640	spoolsv.exe
Token: SeDebugPrivilege	2096	spoolsv.exe
Token: SeDebugPrivilege	2988	spoolsv.exe
Token: SeDebugPrivilege	916	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 2812	2876	4c6439b0226104b055a4e16c2f2c62cf68173bb3d6c04eeefb8c7055243c8bdcN.exe	30
PID 2876 wrote to memory of 2812	2876	4c6439b0226104b055a4e16c2f2c62cf68173bb3d6c04eeefb8c7055243c8bdcN.exe	30
PID 2876 wrote to memory of 2812	2876	4c6439b0226104b055a4e16c2f2c62cf68173bb3d6c04eeefb8c7055243c8bdcN.exe	30
PID 2876 wrote to memory of 2812	2876	4c6439b0226104b055a4e16c2f2c62cf68173bb3d6c04eeefb8c7055243c8bdcN.exe	30
PID 2812 wrote to memory of 3040	2812	WScript.exe	31
PID 2812 wrote to memory of 3040	2812	WScript.exe	31
PID 2812 wrote to memory of 3040	2812	WScript.exe	31
PID 2812 wrote to memory of 3040	2812	WScript.exe	31
PID 3040 wrote to memory of 2816	3040	cmd.exe	33
PID 3040 wrote to memory of 2816	3040	cmd.exe	33
PID 3040 wrote to memory of 2816	3040	cmd.exe	33
PID 3040 wrote to memory of 2816	3040	cmd.exe	33
PID 2816 wrote to memory of 3068	2816	DllCommonsvc.exe	47
PID 2816 wrote to memory of 3068	2816	DllCommonsvc.exe	47
PID 2816 wrote to memory of 3068	2816	DllCommonsvc.exe	47
PID 2816 wrote to memory of 2328	2816	DllCommonsvc.exe	48
PID 2816 wrote to memory of 2328	2816	DllCommonsvc.exe	48
PID 2816 wrote to memory of 2328	2816	DllCommonsvc.exe	48
PID 2816 wrote to memory of 2544	2816	DllCommonsvc.exe	49
PID 2816 wrote to memory of 2544	2816	DllCommonsvc.exe	49
PID 2816 wrote to memory of 2544	2816	DllCommonsvc.exe	49
PID 2816 wrote to memory of 2500	2816	DllCommonsvc.exe	50
PID 2816 wrote to memory of 2500	2816	DllCommonsvc.exe	50
PID 2816 wrote to memory of 2500	2816	DllCommonsvc.exe	50
PID 2816 wrote to memory of 2516	2816	DllCommonsvc.exe	51
PID 2816 wrote to memory of 2516	2816	DllCommonsvc.exe	51
PID 2816 wrote to memory of 2516	2816	DllCommonsvc.exe	51
PID 2816 wrote to memory of 2064	2816	DllCommonsvc.exe	57
PID 2816 wrote to memory of 2064	2816	DllCommonsvc.exe	57
PID 2816 wrote to memory of 2064	2816	DllCommonsvc.exe	57
PID 2064 wrote to memory of 748	2064	cmd.exe	59
PID 2064 wrote to memory of 748	2064	cmd.exe	59
PID 2064 wrote to memory of 748	2064	cmd.exe	59
PID 2064 wrote to memory of 1088	2064	cmd.exe	60
PID 2064 wrote to memory of 1088	2064	cmd.exe	60
PID 2064 wrote to memory of 1088	2064	cmd.exe	60
PID 1088 wrote to memory of 1496	1088	spoolsv.exe	61
PID 1088 wrote to memory of 1496	1088	spoolsv.exe	61
PID 1088 wrote to memory of 1496	1088	spoolsv.exe	61
PID 1496 wrote to memory of 1040	1496	cmd.exe	63
PID 1496 wrote to memory of 1040	1496	cmd.exe	63
PID 1496 wrote to memory of 1040	1496	cmd.exe	63
PID 1496 wrote to memory of 1596	1496	cmd.exe	64
PID 1496 wrote to memory of 1596	1496	cmd.exe	64
PID 1496 wrote to memory of 1596	1496	cmd.exe	64
PID 1596 wrote to memory of 2084	1596	spoolsv.exe	66
PID 1596 wrote to memory of 2084	1596	spoolsv.exe	66
PID 1596 wrote to memory of 2084	1596	spoolsv.exe	66
PID 2084 wrote to memory of 2432	2084	cmd.exe	68
PID 2084 wrote to memory of 2432	2084	cmd.exe	68
PID 2084 wrote to memory of 2432	2084	cmd.exe	68
PID 2084 wrote to memory of 2744	2084	cmd.exe	69
PID 2084 wrote to memory of 2744	2084	cmd.exe	69
PID 2084 wrote to memory of 2744	2084	cmd.exe	69
PID 2744 wrote to memory of 2996	2744	spoolsv.exe	70
PID 2744 wrote to memory of 2996	2744	spoolsv.exe	70
PID 2744 wrote to memory of 2996	2744	spoolsv.exe	70
PID 2996 wrote to memory of 2516	2996	cmd.exe	72
PID 2996 wrote to memory of 2516	2996	cmd.exe	72
PID 2996 wrote to memory of 2516	2996	cmd.exe	72
PID 2996 wrote to memory of 2308	2996	cmd.exe	73
PID 2996 wrote to memory of 2308	2996	cmd.exe	73
PID 2996 wrote to memory of 2308	2996	cmd.exe	73
PID 2308 wrote to memory of 2112	2308	spoolsv.exe	74

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4c6439b0226104b055a4e16c2f2c62cf68173bb3d6c04eeefb8c7055243c8bdcN.exe
"C:\Users\Admin\AppData\Local\Temp\4c6439b0226104b055a4e16c2f2c62cf68173bb3d6c04eeefb8c7055243c8bdcN.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2812
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3040
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2816
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3068
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2328
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\addins\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2544
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2500
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2516
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1ZfhZSFjje.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2064
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:748
      - C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\spoolsv.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1088
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kRqsvBC5Qb.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1496
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1040
        
        C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\spoolsv.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\spoolsv.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1596
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XBBOHPKclM.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2084
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2432
        
        C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\spoolsv.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\spoolsv.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2744
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\W0gPze1DKI.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2996
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2516
        
        C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\spoolsv.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\spoolsv.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2308
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bYn7JG6kRk.bat"
        13⤵
        
        PID:2112
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2324
        
        C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\spoolsv.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\spoolsv.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2416
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fcYyv3mAUp.bat"
        15⤵
        
        PID:3008
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2376
        
        C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\spoolsv.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\spoolsv.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2196
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\00pP7nIBMq.bat"
        17⤵
        
        PID:2156
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2116
        
        C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\spoolsv.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\spoolsv.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1132
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eG7Plib0M1.bat"
        19⤵
        
        PID:1624
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1268
        
        C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\spoolsv.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\spoolsv.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1640
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gQkyN2upze.bat"
        21⤵
        
        PID:684
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2616
        
        C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\spoolsv.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\spoolsv.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2096
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wUI7DLfHyj.bat"
        23⤵
        
        PID:3040
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:3000
        
        C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\spoolsv.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\spoolsv.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2988
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GUMorhJGzB.bat"
        25⤵
        
        PID:2440
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:1944
        
        C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\spoolsv.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\spoolsv.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:916
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J97QZsi4Oz.bat"
        27⤵
        
        PID:2756
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:2040
        
        C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\spoolsv.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\spoolsv.exe"
        28⤵
        Executes dropped EXE
        
        PID:856
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pCY6B1XXru.bat"
        29⤵
        
        PID:2816
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        30⤵
        
        PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Windows\addins\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\addins\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Windows\addins\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a8f687b72e9cf511f5fe7abb4b4e4476

SHA1
5dceca00f3c9ab8efee874f2d64eec23b25417a6

SHA256
3a2936047062f918b7f262bf834dd699fe602e07587855799f2c273eb7dc45ae

SHA512
d9dcf458de13b126e4289e85398c4c743ebc2977274f5b92172562469717e99bb27e6007bb151e51500a2d4e26638df496c59a0ba734b449ebb7eca333d34222

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
faefcd4439c37259e019271f36d71833

SHA1
fc3b6453d96b48ddfd49b4e1e4f6dd21ea3e07fc

SHA256
c8b383b9543cb768158cef274684bc6a32bee62d8c4ba5dc66ab5fc08eeba5f1

SHA512
9a225fe735671ec49ea6c88c99dafd8b61e6405ce0918187e2ad92c35aa0a27bc0d9bf754b61f4a58511a2cffe937f0a8c9131426683bfe5e3f30c2587659eda

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0553e462e32855fadc2eaa0145e84557

SHA1
50626531ed43632c1817ed6e7aa80aa74f5cc4a9

SHA256
8f9e6efee5a2a4e8f34da2138f1cffbf077f40b0c1511ea6891d22e3dc4d45fc

SHA512
2a62b969b63f9bf441a6bc6d5eab61a7159ccec9ce86ab2b974ae519e4d7608b4babbcc53bfa79aa1ed8c30b59e76c434ab06d8f96cdd8088d760ce21ee36d1a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
60906de1b97fc17e058bb3de7c4940d6

SHA1
51fccb8c8cd6f09d3845460afc2cb86eae276ab5

SHA256
6ffb53b043e63031060030330ea1321ae516fbf3f141db27cb2a74715eeb27bd

SHA512
eab93c10b7a5de665448403b038b45813433fd565f565014d4e2a9b6d9451bb38f32b3f071698112566d7e321778b3e8fa41123db3ea5fa839d9841c447dd190

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5519de989f54c559d2f1bb93dae16182

SHA1
30cd359867d353aa8e1241db89cb43e9a4b87442

SHA256
b0f0392d4bbea64cb19b6cecf474d3bdf35749dd545055417d95aa7e67374ff0

SHA512
3b5e9fa5bc0aba58e0d3926bf04590008dda7f2eb99652968e0d3b79dc86ce7edb8af7144613b764aa4f8076e4f99cba0835c91bb5135a4eb416ac69dc640c33

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b42613ce15d54534752df7f44bc45de0

SHA1
c92e547eb6011efa411f26f35ad5d980fce0ee74

SHA256
1f846e5de473bbb80ea960dd6438758117c1c579a989b66125c68a5dc855d7fd

SHA512
d265ff85ed3722f71e8a1a071f614c28f9e85afcbba87d5e4533aeb9b2e68404183cd27fde02043fa1a838a276df6e9f4c8109cbe239b5f30aa3b52e5309113f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4f8b56cb00d7988c223a870aba297581

SHA1
894ae9e8b205c3e950d1ed81b5be03d4c5a50cfe

SHA256
6ee345abd20ab0f6e435f8718b2addfcc819456a8238a58d2d112ae1f9fcd48f

SHA512
7051cc182d9b20fbaf509ffeec57d7a604cb3cd03986323ba8bac62126fda2eba7548939c27a04583e75ec576bf485e1cc01e34d2d3967506ad376bfbd89b0ac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ef584c71228e02570a7e00debef0e182

SHA1
094bb7f77fcc6b4adf0d98d620e79c27951fa332

SHA256
85e68d376a36f1df76218a4295a4a6a9c0948a4cc3325caef837835112a0e461

SHA512
c37c774c113254126a536ff1a03854010a269c6b3bcd4ec04154174bdbbbed78225a364b1d2c898e2aa759008354f57bd6f4971ae7fcc3e4f24faedf56b4afe7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f3af9b7ebf3a4cd29e02855f0f0a2e19

SHA1
dc5eb1a4904d709e21659a636bc079ac279a3a67

SHA256
e08e9d25800039b6261a63bbf875b1f8451f87fb5b6ed907d451e5f54d4f0496

SHA512
3a914456cff03be346d92d0a310f128039b7ffd25e2d8a3a0dab2f1028abda338603032cd6ba70ed0d82733eec86774eb5d219405d2a1fd388ee31a02ca09840

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
15c7d8a7e96fee5829eacbaaa2b5f712

SHA1
385bb4ada9d58b23f06fd7ddbb770b705c8d4e9e

SHA256
5a883d8ab02a9211f89257935431813ac824cea1d5041c584b80e52cdef8f1a8

SHA512
fce832220325aec481fb300c966ba614f639277b87b66fcccd0be7bb960439c81562c0e0a7311aea668d36d61b607d6b48301fc2ea2a9b8c65cade5e94a2b515

Download Submit
C:\Users\Admin\AppData\Local\Temp\00pP7nIBMq.bat

Filesize
251B

MD5
b9b0385bb3bd7765089bb7d3ae6895c6

SHA1
15b2b597ad5bdce7dbcdb657ef932f3dc6e1b1c8

SHA256
c2d10ee852c5eea0dd8eeab19e4f1968f17f574fbbb5571987b4700e91e5320f

SHA512
b7a0475df02257bfdfedd7d6699432f05d5a111d20cb5a7c7834a39a70479b72cb537bbd2a7ba2bd9ab93549ef0d67713667f70807fd1495c3476016b996bea6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1ZfhZSFjje.bat

Filesize
251B

MD5
a6102b912c3df0689a643c98d4bbe532

SHA1
8c607639881b143e3be4df395defd4d3dbeb7eaf

SHA256
10a37c94ab1b86a931802065038538d6544dd361a59286e8f0ddc3e63dde7be5

SHA512
11f4ee476d469278cb0731863324ebeda0104df6079e17f0cc2fd9b29646e8435f6649e26a06fd7962e734530706106ed0a5381ea9a3982cbf1e5ef779c2d6cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB3D7.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUMorhJGzB.bat

Filesize
251B

MD5
441543a857e3d22e31ee0e9debf68dc6

SHA1
439927af6c0fb4dc8585453bc567985db632cfb2

SHA256
239a5acbdd30c1dcc751d56a5fb64726c0ada7c9a47882534db36656ceaa0f03

SHA512
bf3e8e5dd9c27e77bc2f2f61eb39817bcfb43e2ec20507ac89bbca1b70a2009504c905a3c41f671ecb1196f17e0d09e0b4d3c2edb5734bdf066720ed370c82f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\J97QZsi4Oz.bat

Filesize
251B

MD5
23aa065970e6c511fb70aacd50f9ca38

SHA1
0e3ee477d22241b7a520bfe5c9abde1af7f84d91

SHA256
eefd6f2b210d86639a3b73f0405daa144ef3e1bb4ec485c776f75f09e031603c

SHA512
c0c9d0ad9072f28cccfa1e8c7841fa29d3a768d31358d61d2d84f77fb61da8abfe9bdf5ebd32327fa8aa4f8f62c8aaa79edefdc706ba141caac33b92a5d0883d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB3E9.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\W0gPze1DKI.bat

Filesize
251B

MD5
9409fb621de99e62ef2331f0b4fedf9a

SHA1
1b12d5e8dc44d7afbd89df941e5fdccd5bba7da7

SHA256
7c4a5115862fb89ac7553466d9533e4a3a44b4d47796cb0659e58a0e50365e1e

SHA512
44dc835575c56a7c36714c6bf855e6fe2328c80513733eaf307c6bf96e6140ba5003ef8f66f3d813ffc25badc77f16e5b41ec8c5b12f0aa8706f9af7544b7b6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XBBOHPKclM.bat

Filesize
251B

MD5
23c2b64f680de06ebb6cfdc28309cb0f

SHA1
90a88e2260da1c9c1e56f8972fc53998ce6ecfd3

SHA256
3bea1dcedd09e5ee781703a5a289958966948d05d49d6d15bd4d4bc38ee246bd

SHA512
4e6fc6736281a7fd4fb374ecc2ebaf983982da399d1e51e122dfc03eadc773bf9fcbab33fa096db4b80a28f34f6aa28aa946d69d91880bf54971b9f5452ec532

Download Submit
C:\Users\Admin\AppData\Local\Temp\bYn7JG6kRk.bat

Filesize
251B

MD5
8cf18cf5ea09bb690bfe88cb4c9393f9

SHA1
8a89b5d72d709af50267a8914b70d3fb2d8cadc8

SHA256
07e621b565c6c91d2c7d5ea0a2ef6c6ae50d7b1849d281188160836aa8c69f92

SHA512
3ada3e84919e2707e60f5dbc6b5c3314b98db6f32cc88f3a0b98895a7d31071d2cd428fae0cf1adf44a48de691670ccffa3b0898382af28e67648797fccbc6b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\eG7Plib0M1.bat

Filesize
251B

MD5
9932e54206ce03b1d5c124626c6992f2

SHA1
36e688efd4740c32eb1f86a28c6fa30c51fdd907

SHA256
973f8dc664fc3a36bd492862dbb0c496da951a15db2268af630e37cdb6c8957a

SHA512
1eaa9738e8a90e01adcd77412da4708192d8e2cb3720ee5a4b102e0fbf9b261da680e8c71b30665bcd56a18bb1025240afc1d5cdea5e103d46dd954045f35a8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\fcYyv3mAUp.bat

Filesize
251B

MD5
278d8656e5d3dff00613731d1b5d96e8

SHA1
196e4d526b703dad8650a76125a7572ef19df408

SHA256
21bbb327c4ab29b94a9b04896bbe3e2947968f0b22161098da57a857306afa06

SHA512
e8b48fb28383f49f210a31eafae6349ac947251b02b6b7586550e7666341a18c0e6998d2682ee83dfbfd936127f2178f0e024db51a0175ec70cf54dfc7e47df8

Download Submit
C:\Users\Admin\AppData\Local\Temp\gQkyN2upze.bat

Filesize
251B

MD5
1eb693985e034441b3df642602c64044

SHA1
c166de261f4ba00de45afd404d6af946449d4047

SHA256
b6f24077393146d3c63994a4235564fd4ac6a25cdca524caaaea61496c0c3f22

SHA512
72865aeb3da4c62774502603a07bb7d76571755b2e22a0de016346c3867b94e9f399e40f6e2842f10e1e372fb5f530e9946e5d97b8796f242dfaea7a641afae7

Download Submit
C:\Users\Admin\AppData\Local\Temp\kRqsvBC5Qb.bat

Filesize
251B

MD5
d814af87862291c80d64db29f7020462

SHA1
64f7422b1b10d76927f7432d558d72d5eb7a87e4

SHA256
383d4b16d0f1c65eb34303505c4d949b47ae8e2647195e62e0b108c51ce6e6d1

SHA512
6521b4a2229ee103a3b0797414264a102b39c2e226167785d48ba455cee6c36478ebba4fe314dfe6b8fc7a22fe7e1ade42d71e2839817c92b72449f91dacbbff

Download Submit
C:\Users\Admin\AppData\Local\Temp\wUI7DLfHyj.bat

Filesize
251B

MD5
39a434e54e6bcbfbdb43603e65a46cb5

SHA1
8a32f2a2f4fcb219ac1fb1b24fb5398f954b9a13

SHA256
ad1c5270e3f16802ed4df4ccce01fd595b5273302944a2956fb694b4d34a958d

SHA512
6726d9ac9cbcbbf70a57ebfe775a878affb598232c54ea7c8c90d8cf00b4c0079558cb1fd3ae11d2f059e16529aee1bb15b952c1625860f9e196a54c24b9133f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
51ccdb57c577573c780f05bf88f55d93

SHA1
eb13d2b68bc87c4c128cd911a5f429ab2226ac89

SHA256
b9e568adc18a6403e373c14f9ff6c92d0795c7fa69339d37c807de42e10bc1d1

SHA512
fdf87dc4d47b9d9047970752b8b60436df944b499543bd1a25126b2bad2032e1bb93f6310dcffcc595d08413b8b8960edb494dedae8b204365a4ce28d35f2860

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/1088-56-0x0000000001050000-0x0000000001160000-memory.dmp

Filesize
1.1MB

Download
memory/1132-416-0x00000000008E0000-0x00000000009F0000-memory.dmp

Filesize
1.1MB

Download
memory/1596-115-0x00000000000C0000-0x00000000001D0000-memory.dmp

Filesize
1.1MB

Download
memory/1640-476-0x0000000000AE0000-0x0000000000BF0000-memory.dmp

Filesize
1.1MB

Download
memory/2096-536-0x0000000000310000-0x0000000000420000-memory.dmp

Filesize
1.1MB

Download
memory/2196-355-0x0000000000250000-0x0000000000360000-memory.dmp

Filesize
1.1MB

Download
memory/2196-356-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/2308-235-0x00000000003B0000-0x00000000004C0000-memory.dmp

Filesize
1.1MB

Download
memory/2416-295-0x0000000000150000-0x0000000000260000-memory.dmp

Filesize
1.1MB

Download
memory/2744-175-0x0000000000300000-0x0000000000410000-memory.dmp

Filesize
1.1MB

Download
memory/2816-14-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/2816-13-0x00000000008B0000-0x00000000009C0000-memory.dmp

Filesize
1.1MB

Download
memory/2816-15-0x00000000002D0000-0x00000000002DC000-memory.dmp

Filesize
48KB

Download
memory/2816-16-0x00000000002E0000-0x00000000002EC000-memory.dmp

Filesize
48KB

Download
memory/2816-17-0x00000000002F0000-0x00000000002FC000-memory.dmp

Filesize
48KB

Download
memory/2988-596-0x0000000000E00000-0x0000000000F10000-memory.dmp

Filesize
1.1MB

Download
memory/2988-597-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/3068-39-0x000000001B700000-0x000000001B9E2000-memory.dmp

Filesize
2.9MB

Download
memory/3068-43-0x0000000001F40000-0x0000000001F48000-memory.dmp

Filesize
32KB

Download