dcrat | cb976cfef7150426a8316653c785dd654bb22464c1c3141f0a043039b3f0c486

Analysis

max time kernel
145s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-12-2024 16:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cb976cfef7150426a8316653c785dd654bb22464c1c3141f0a043039b3f0c486.exe
Size

1.3MB
MD5

87ffa1a3f2fbce96323269f2daa4d238
SHA1

5ead778818b0859d08c5df91f0ac0e83914c259c
SHA256

cb976cfef7150426a8316653c785dd654bb22464c1c3141f0a043039b3f0c486
SHA512

737b6964a54df3b6f51b7c80a2f177d8f7005083eb5817291e4523ecb003f1aea3032c0dcda74afb968127b240e31ee8b8d9e2d8e1dd047c0acf7faea738c7c8
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4076	1408	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3200	1408	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4964	1408	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1204	1408	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	1408	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	1408	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4356	1408	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	1408	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3804	1408	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	1408	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5068	1408	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	380	1408	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	528	1408	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	1408	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	1408	schtasks.exe	86

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x0007000000023c9f-9.dat	dcrat
behavioral2/memory/4724-13-0x0000000000770000-0x0000000000880000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5036	powershell.exe
228	powershell.exe
3896	powershell.exe
2884	powershell.exe
368	powershell.exe
2888	powershell.exe

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	cb976cfef7150426a8316653c785dd654bb22464c1c3141f0a043039b3f0c486.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	lsass.exe

Executes dropped EXE 13 IoCs

pid	Process
4724	DllCommonsvc.exe
3316	lsass.exe
2308	lsass.exe
4912	lsass.exe
5004	lsass.exe
4984	lsass.exe
536	lsass.exe
4516	lsass.exe
1884	lsass.exe
660	lsass.exe
3924	lsass.exe
2008	lsass.exe
1848	lsass.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
18	raw.githubusercontent.com
31	raw.githubusercontent.com
35	raw.githubusercontent.com
41	raw.githubusercontent.com
49	raw.githubusercontent.com
50	raw.githubusercontent.com
19	raw.githubusercontent.com
36	raw.githubusercontent.com
39	raw.githubusercontent.com
42	raw.githubusercontent.com
51	raw.githubusercontent.com
52	raw.githubusercontent.com

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\Lang\wininit.exe	DllCommonsvc.exe
File created	C:\Program Files\7-Zip\Lang\56085415360792	DllCommonsvc.exe
File created	C:\Program Files\dotnet\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files\dotnet\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files (x86)\Reference Assemblies\sysmon.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Reference Assemblies\121e5b5079f7c0	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cb976cfef7150426a8316653c785dd654bb22464c1c3141f0a043039b3f0c486.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 13 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	cb976cfef7150426a8316653c785dd654bb22464c1c3141f0a043039b3f0c486.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	DllCommonsvc.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2176	schtasks.exe
1628	schtasks.exe
1780	schtasks.exe
1620	schtasks.exe
380	schtasks.exe
528	schtasks.exe
4964	schtasks.exe
3200	schtasks.exe
5068	schtasks.exe
4076	schtasks.exe
4356	schtasks.exe
3804	schtasks.exe
2728	schtasks.exe
1756	schtasks.exe
1204	schtasks.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

pid	Process
4724	DllCommonsvc.exe
4724	DllCommonsvc.exe
4724	DllCommonsvc.exe
2888	powershell.exe
368	powershell.exe
3896	powershell.exe
5036	powershell.exe
5036	powershell.exe
368	powershell.exe
368	powershell.exe
2884	powershell.exe
2884	powershell.exe
228	powershell.exe
228	powershell.exe
2884	powershell.exe
2888	powershell.exe
2888	powershell.exe
3896	powershell.exe
3896	powershell.exe
5036	powershell.exe
228	powershell.exe
3316	lsass.exe
2308	lsass.exe
4912	lsass.exe
5004	lsass.exe
4984	lsass.exe
536	lsass.exe
4516	lsass.exe
1884	lsass.exe
660	lsass.exe
3924	lsass.exe
2008	lsass.exe
1848	lsass.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	4724	DllCommonsvc.exe
Token: SeDebugPrivilege	2888	powershell.exe
Token: SeDebugPrivilege	368	powershell.exe
Token: SeDebugPrivilege	3896	powershell.exe
Token: SeDebugPrivilege	5036	powershell.exe
Token: SeDebugPrivilege	2884	powershell.exe
Token: SeDebugPrivilege	228	powershell.exe
Token: SeDebugPrivilege	3316	lsass.exe
Token: SeDebugPrivilege	2308	lsass.exe
Token: SeDebugPrivilege	4912	lsass.exe
Token: SeDebugPrivilege	5004	lsass.exe
Token: SeDebugPrivilege	4984	lsass.exe
Token: SeDebugPrivilege	536	lsass.exe
Token: SeDebugPrivilege	4516	lsass.exe
Token: SeDebugPrivilege	1884	lsass.exe
Token: SeDebugPrivilege	660	lsass.exe
Token: SeDebugPrivilege	3924	lsass.exe
Token: SeDebugPrivilege	2008	lsass.exe
Token: SeDebugPrivilege	1848	lsass.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4676 wrote to memory of 1072	4676	cb976cfef7150426a8316653c785dd654bb22464c1c3141f0a043039b3f0c486.exe	82
PID 4676 wrote to memory of 1072	4676	cb976cfef7150426a8316653c785dd654bb22464c1c3141f0a043039b3f0c486.exe	82
PID 4676 wrote to memory of 1072	4676	cb976cfef7150426a8316653c785dd654bb22464c1c3141f0a043039b3f0c486.exe	82
PID 1072 wrote to memory of 3068	1072	WScript.exe	87
PID 1072 wrote to memory of 3068	1072	WScript.exe	87
PID 1072 wrote to memory of 3068	1072	WScript.exe	87
PID 3068 wrote to memory of 4724	3068	cmd.exe	89
PID 3068 wrote to memory of 4724	3068	cmd.exe	89
PID 4724 wrote to memory of 228	4724	DllCommonsvc.exe	105
PID 4724 wrote to memory of 228	4724	DllCommonsvc.exe	105
PID 4724 wrote to memory of 3896	4724	DllCommonsvc.exe	106
PID 4724 wrote to memory of 3896	4724	DllCommonsvc.exe	106
PID 4724 wrote to memory of 2884	4724	DllCommonsvc.exe	107
PID 4724 wrote to memory of 2884	4724	DllCommonsvc.exe	107
PID 4724 wrote to memory of 368	4724	DllCommonsvc.exe	108
PID 4724 wrote to memory of 368	4724	DllCommonsvc.exe	108
PID 4724 wrote to memory of 2888	4724	DllCommonsvc.exe	109
PID 4724 wrote to memory of 2888	4724	DllCommonsvc.exe	109
PID 4724 wrote to memory of 5036	4724	DllCommonsvc.exe	110
PID 4724 wrote to memory of 5036	4724	DllCommonsvc.exe	110
PID 4724 wrote to memory of 1704	4724	DllCommonsvc.exe	117
PID 4724 wrote to memory of 1704	4724	DllCommonsvc.exe	117
PID 1704 wrote to memory of 2912	1704	cmd.exe	119
PID 1704 wrote to memory of 2912	1704	cmd.exe	119
PID 1704 wrote to memory of 3316	1704	cmd.exe	123
PID 1704 wrote to memory of 3316	1704	cmd.exe	123
PID 3316 wrote to memory of 5080	3316	lsass.exe	124
PID 3316 wrote to memory of 5080	3316	lsass.exe	124
PID 5080 wrote to memory of 4852	5080	cmd.exe	126
PID 5080 wrote to memory of 4852	5080	cmd.exe	126
PID 5080 wrote to memory of 2308	5080	cmd.exe	127
PID 5080 wrote to memory of 2308	5080	cmd.exe	127
PID 2308 wrote to memory of 1432	2308	lsass.exe	129
PID 2308 wrote to memory of 1432	2308	lsass.exe	129
PID 1432 wrote to memory of 2460	1432	cmd.exe	131
PID 1432 wrote to memory of 2460	1432	cmd.exe	131
PID 1432 wrote to memory of 4912	1432	cmd.exe	133
PID 1432 wrote to memory of 4912	1432	cmd.exe	133
PID 4912 wrote to memory of 4724	4912	lsass.exe	134
PID 4912 wrote to memory of 4724	4912	lsass.exe	134
PID 4724 wrote to memory of 1768	4724	cmd.exe	136
PID 4724 wrote to memory of 1768	4724	cmd.exe	136
PID 4724 wrote to memory of 5004	4724	cmd.exe	137
PID 4724 wrote to memory of 5004	4724	cmd.exe	137
PID 5004 wrote to memory of 3084	5004	lsass.exe	138
PID 5004 wrote to memory of 3084	5004	lsass.exe	138
PID 3084 wrote to memory of 2240	3084	cmd.exe	140
PID 3084 wrote to memory of 2240	3084	cmd.exe	140
PID 3084 wrote to memory of 4984	3084	cmd.exe	141
PID 3084 wrote to memory of 4984	3084	cmd.exe	141
PID 4984 wrote to memory of 1624	4984	lsass.exe	142
PID 4984 wrote to memory of 1624	4984	lsass.exe	142
PID 1624 wrote to memory of 2836	1624	cmd.exe	144
PID 1624 wrote to memory of 2836	1624	cmd.exe	144
PID 1624 wrote to memory of 536	1624	cmd.exe	145
PID 1624 wrote to memory of 536	1624	cmd.exe	145
PID 536 wrote to memory of 1164	536	lsass.exe	146
PID 536 wrote to memory of 1164	536	lsass.exe	146
PID 1164 wrote to memory of 2100	1164	cmd.exe	148
PID 1164 wrote to memory of 2100	1164	cmd.exe	148
PID 1164 wrote to memory of 4516	1164	cmd.exe	149
PID 1164 wrote to memory of 4516	1164	cmd.exe	149
PID 4516 wrote to memory of 4368	4516	lsass.exe	150
PID 4516 wrote to memory of 4368	4516	lsass.exe	150

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\cb976cfef7150426a8316653c785dd654bb22464c1c3141f0a043039b3f0c486.exe
"C:\Users\Admin\AppData\Local\Temp\cb976cfef7150426a8316653c785dd654bb22464c1c3141f0a043039b3f0c486.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4676
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1072
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3068
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4724
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:228
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3896
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\SppExtComObj.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2884
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\sysmon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:368
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2888
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\dotnet\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5036
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Lvqyh5QgiF.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1704
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2912
      - C:\Recovery\WindowsRE\lsass.exe
        
        "C:\Recovery\WindowsRE\lsass.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3316
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UPAAmIRCFx.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:5080
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:4852
        
        C:\Recovery\WindowsRE\lsass.exe
        
        "C:\Recovery\WindowsRE\lsass.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2308
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RId7nS4uU7.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1432
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2460
        
        C:\Recovery\WindowsRE\lsass.exe
        
        "C:\Recovery\WindowsRE\lsass.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4912
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FdUsM3mSuD.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:4724
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1768
        
        C:\Recovery\WindowsRE\lsass.exe
        
        "C:\Recovery\WindowsRE\lsass.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5004
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\voEVGuhWUp.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:3084
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2240
        
        C:\Recovery\WindowsRE\lsass.exe
        
        "C:\Recovery\WindowsRE\lsass.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4984
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bDGJqXcsCJ.bat"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2836
        
        C:\Recovery\WindowsRE\lsass.exe
        
        "C:\Recovery\WindowsRE\lsass.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:536
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ounU5LkXKE.bat"
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:1164
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2100
        
        C:\Recovery\WindowsRE\lsass.exe
        
        "C:\Recovery\WindowsRE\lsass.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4516
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Db6xYfwFNB.bat"
        19⤵
        
        PID:4368
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1500
        
        C:\Recovery\WindowsRE\lsass.exe
        
        "C:\Recovery\WindowsRE\lsass.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1884
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4rzlnKig63.bat"
        21⤵
        
        PID:2604
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:4544
        
        C:\Recovery\WindowsRE\lsass.exe
        
        "C:\Recovery\WindowsRE\lsass.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:660
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HZWv28qLDz.bat"
        23⤵
        
        PID:3140
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2916
        
        C:\Recovery\WindowsRE\lsass.exe
        
        "C:\Recovery\WindowsRE\lsass.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3924
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\p5ITN63wlJ.bat"
        25⤵
        
        PID:2184
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:1288
        
        C:\Recovery\WindowsRE\lsass.exe
        
        "C:\Recovery\WindowsRE\lsass.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2008
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Bf5uratM3O.bat"
        27⤵
        
        PID:2884
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:4984
        
        C:\Recovery\WindowsRE\lsass.exe
        
        "C:\Recovery\WindowsRE\lsass.exe"
        28⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Reference Assemblies\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Reference Assemblies\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files\7-Zip\Lang\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files\7-Zip\Lang\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\dotnet\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\dotnet\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\dotnet\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\lsass.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
440cb38dbee06645cc8b74d51f6e5f71

SHA1
d7e61da91dc4502e9ae83281b88c1e48584edb7c

SHA256
8ef7a682dfd99ff5b7e9de0e1be43f0016d68695a43c33c028af2635cc15ecfe

SHA512
3aab19578535e6ba0f6beb5690c87d970292100704209d2dcebddcdd46c6bead27588ef5d98729bfd50606a54cc1edf608b3d15bef42c13b9982aaaf15de7fd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Temp\4rzlnKig63.bat

Filesize
196B

MD5
e8ef2be06b75b723ec2e71d522f09c09

SHA1
9bd596fc4931f13da0f7067d3467cd25b6bb4231

SHA256
36fa82dfd21defd3735d048362a7b4846483625ae78be024ace17e6c831d20a4

SHA512
1a6e34dcbf4506ea1ec1b0aec36eb3a3838c8796fbadbb5bd86cd230cad48100cea1dfb668c3432237310d41d108b37c5babe93ed45688cb509f11c16bb03c53

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bf5uratM3O.bat

Filesize
196B

MD5
edd421844c6067df660384d272ba476a

SHA1
1ee7c46a73c3fa78d77e51888baf90199f7d519d

SHA256
70d8f0e902629299228a18ba390f2c3c386c161e9fe3ab4eaf01b6af2f8746e2

SHA512
c3d04ba2d5c8771acc12833453d1fc82dee6fd8ff1372e0c1fa12b090c389535d75514e31f5236fb36220195cb1df5b47df0c572688058ff45947e1ee79c920b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Db6xYfwFNB.bat

Filesize
196B

MD5
b37bcff8fba04cd7c7c72fb4320c562f

SHA1
13313cad3b57871998efd9e020462f2c3b8b6cac

SHA256
e6e97067022b8891a0966d93eb012108e48e680e6e17910f3666eb1518317c89

SHA512
27dfd98584f2d42c38715c16335bb92f6be121df32292167cf78b7989dc7fa6c7209cc1bb244d7c255230fbc3a4fe86845f60010134c3c1809d1c96c752471cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\FdUsM3mSuD.bat

Filesize
196B

MD5
06b0437885bdabcedf39bf1837c566d6

SHA1
dcd24f803796a74dae1fdc888049bd76bd12d07f

SHA256
149fb2898de0c8d1a8a7d331cef4d4d779a8acd56748ddc51388bea18f73bcad

SHA512
182313182d66c563b9e1b69306164764a3a0b5cd73a109a212e39f38bf6040ff6f0ebd332ec79bc4575dfae418822c1c39bbd8d8e97a68d1e85f5bd42479d2ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\HZWv28qLDz.bat

Filesize
196B

MD5
34a0cc33868929cc56a1e8dc0bda85b8

SHA1
1fcd0e652064f65e2b8b1dac3e4f4cfb5d7466ce

SHA256
fc622255fcc0824ab234e6239270aa1cd9f5141faeb38fb6d9c0690989d5d394

SHA512
eb26ba4be4a91b79abdd7c02f35df772c48ee13bb7e56d7d7ab807286d421c4ff886ed900a79e5140ca77905cf14939a1f9867bf4238c0f43e61ef34546e18aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lvqyh5QgiF.bat

Filesize
196B

MD5
82881891ea4b9884327359e7463e91d1

SHA1
873de3be54c13ab1197df4575105bfb15c925b85

SHA256
f32f6f830ea6021cd19ecda1018a2cb2f649c8776cbbde9f720e488910587acc

SHA512
c5b28754d57fc3c740c40ef5c2dd2883e19df9004badb1e163a20ec69d0ad722234d5ba487aa222b23ccc02e84d721b3028fef5af173b592d1fd7f6c88726e0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RId7nS4uU7.bat

Filesize
196B

MD5
013e7efc54aaca56f8cf7bd61568bc32

SHA1
22b5f60cf5ac8a92c5748ece19c5895f979b1aff

SHA256
e9e2f0e3867dd5da00996e1388c7012b4ace70b8bead1a2f95fb1edfb975f3b3

SHA512
728dfad942e70403634c435729509b2b6afc959975f27f71ccc8826ad576618e0df96a56336a7edc135fd840071891c29ad1041a5ce51df452d17027293e690d

Download Submit
C:\Users\Admin\AppData\Local\Temp\UPAAmIRCFx.bat

Filesize
196B

MD5
846925a40094326c4d5bef9074693ca1

SHA1
2958e76a25ff301febf61a412ffe5d81cdb27b75

SHA256
98353ef5689638bf46753d36a6a26d86aedbaaae5baf4be1ccd939346e2a5348

SHA512
b40b0ec9ee15e6ef06757f9b53f7298395547cf8e71d65124868a31f6fff4a910d2092f4b4d94c6a19bd5fcf24c0f9f51b41cf7bfec086e5eb26117f77c3ebad

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xwhnnvfn.p41.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bDGJqXcsCJ.bat

Filesize
196B

MD5
c9d2d239c91c1b876a89280a35def498

SHA1
403fd7e208c57618d07ed23f2910d9d85a79efa9

SHA256
f15edfa4a21f34926bc6dd23acf8e050adfeacd25872ec59cf68b5b0ec116353

SHA512
edb8fcff3f1cb36c389e8640657557165b35976ba033a2bff4bbe9f9cb8afb235468663dcf86a3cb5d5636b9df4139094c1e34fbc19147eb65bbe1f15066b206

Download Submit
C:\Users\Admin\AppData\Local\Temp\ounU5LkXKE.bat

Filesize
196B

MD5
1dd914ffe6ecd5ef5e67cef0fd7462c2

SHA1
df17d66730456a531874d08d7522501e6c461c1d

SHA256
8aa8f6e20d4a57671cf9d3ec81cc7332f218db8cb2ade2707b9a794ba11f5c61

SHA512
77c51834de94d7275e60d605e2afeacbc0c3943634040adfb03c00838a789a61c75335995c4756c6f56a28a48ba4f2ba6dcee0136da2704db3420007ce3fca69

Download Submit
C:\Users\Admin\AppData\Local\Temp\p5ITN63wlJ.bat

Filesize
196B

MD5
1d816a7808e65429226ee3ec5869ff58

SHA1
39f3d1a558481dc5bc13314dcf3eb138430fff3d

SHA256
e6ffe98d4e1c19408a5c75d237145a6dd6eb7f7560c5e2b2b076f83e5fa1bf7e

SHA512
6250bde3de7a3313fc39a6396e1365d64c19e574b8c38bf1d121977968be1c709612a380d601570eccf6da1b0d28a8acda98c1f99afcc457e2836efb0346ecb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\voEVGuhWUp.bat

Filesize
196B

MD5
02ecf3d3e6d9b29be3627083949d0a6c

SHA1
1d1abe3d896cbf9abbaecc2913b55b71bae95666

SHA256
b6fb6f6205474e837080abe7ee703de088684915b6185b0292728e944a6aba62

SHA512
acc8230b6040ac86c87e49b6b8497e8f40c968ac8b311e19d59022c65323698bc7eee604549a0795952684f091d589aa79282aa57d250afafc96edb0d94f6882

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/536-139-0x000000001B7F0000-0x000000001B802000-memory.dmp

Filesize
72KB

Download
memory/660-159-0x000000001ADF0000-0x000000001AE02000-memory.dmp

Filesize
72KB

Download
memory/1884-152-0x000000001B5F0000-0x000000001B602000-memory.dmp

Filesize
72KB

Download
memory/2008-172-0x000000001B5F0000-0x000000001B602000-memory.dmp

Filesize
72KB

Download
memory/2308-114-0x000000001B7F0000-0x000000001B802000-memory.dmp

Filesize
72KB

Download
memory/2888-32-0x000002AAF1630000-0x000002AAF1652000-memory.dmp

Filesize
136KB

Download
memory/3316-105-0x000000001BDF0000-0x000000001BE02000-memory.dmp

Filesize
72KB

Download
memory/4724-14-0x00000000028F0000-0x0000000002902000-memory.dmp

Filesize
72KB

Download
memory/4724-15-0x0000000002910000-0x000000000291C000-memory.dmp

Filesize
48KB

Download
memory/4724-13-0x0000000000770000-0x0000000000880000-memory.dmp

Filesize
1.1MB

Download
memory/4724-12-0x00007FFEE9563000-0x00007FFEE9565000-memory.dmp

Filesize
8KB

Download
memory/4724-16-0x0000000002900000-0x000000000290C000-memory.dmp

Filesize
48KB

Download
memory/4724-17-0x0000000002930000-0x000000000293C000-memory.dmp

Filesize
48KB

Download