dcrat | 4a9879a7f5fc93527f80d4fdab885a205649dce0793dda01dda2192528894bac

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 17:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4a9879a7f5fc93527f80d4fdab885a205649dce0793dda01dda2192528894bac.exe
Size

1.3MB
MD5

ba144622059d2c1647627a5c594c8f41
SHA1

1e6ff76e4cc062333360dec581788047a35d01da
SHA256

4a9879a7f5fc93527f80d4fdab885a205649dce0793dda01dda2192528894bac
SHA512

e36c36866120bd8b379fbe38ca405799543566045c99e1177abd018afcd106844d6fadeaf6e9dc3f306a57c10f332585d6600ad6117ed5a187ec7155f15c3ed9
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	288	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	320	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1372	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	600	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1908	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	2624	schtasks.exe	34

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000016d0b-9.dat	dcrat
behavioral1/memory/2728-13-0x00000000012E0000-0x00000000013F0000-memory.dmp	dcrat
behavioral1/memory/2580-80-0x00000000002B0000-0x00000000003C0000-memory.dmp	dcrat
behavioral1/memory/1420-139-0x00000000002F0000-0x0000000000400000-memory.dmp	dcrat
behavioral1/memory/1052-199-0x0000000000C50000-0x0000000000D60000-memory.dmp	dcrat
behavioral1/memory/1040-259-0x0000000001280000-0x0000000001390000-memory.dmp	dcrat
behavioral1/memory/2480-319-0x0000000001360000-0x0000000001470000-memory.dmp	dcrat
behavioral1/memory/3028-438-0x0000000001050000-0x0000000001160000-memory.dmp	dcrat
behavioral1/memory/2828-616-0x0000000001150000-0x0000000001260000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2236	powershell.exe
2656	powershell.exe
1324	powershell.exe
2116	powershell.exe
2948	powershell.exe
2716	powershell.exe
2584	powershell.exe
2496	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2728	DllCommonsvc.exe
2580	cmd.exe
1420	cmd.exe
1052	cmd.exe
1040	cmd.exe
2480	cmd.exe
1516	cmd.exe
3028	cmd.exe
1908	cmd.exe
1956	cmd.exe
2828	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
2920	cmd.exe
2920	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
25	raw.githubusercontent.com
32	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
16	raw.githubusercontent.com
19	raw.githubusercontent.com
22	raw.githubusercontent.com
29	raw.githubusercontent.com
36	raw.githubusercontent.com
4	raw.githubusercontent.com
12	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4a9879a7f5fc93527f80d4fdab885a205649dce0793dda01dda2192528894bac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2832	schtasks.exe
2976	schtasks.exe
2720	schtasks.exe
600	schtasks.exe
1908	schtasks.exe
2356	schtasks.exe
1684	schtasks.exe
1944	schtasks.exe
1688	schtasks.exe
2632	schtasks.exe
2660	schtasks.exe
2168	schtasks.exe
1976	schtasks.exe
2604	schtasks.exe
288	schtasks.exe
1740	schtasks.exe
320	schtasks.exe
1372	schtasks.exe
2688	schtasks.exe
3052	schtasks.exe
1528	schtasks.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
2728	DllCommonsvc.exe
2496	powershell.exe
2584	powershell.exe
1324	powershell.exe
2656	powershell.exe
2716	powershell.exe
2116	powershell.exe
2948	powershell.exe
2236	powershell.exe
2580	cmd.exe
1420	cmd.exe
1052	cmd.exe
1040	cmd.exe
2480	cmd.exe
1516	cmd.exe
3028	cmd.exe
1908	cmd.exe
1956	cmd.exe
2828	cmd.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	2728	DllCommonsvc.exe
Token: SeDebugPrivilege	2496	powershell.exe
Token: SeDebugPrivilege	2584	powershell.exe
Token: SeDebugPrivilege	1324	powershell.exe
Token: SeDebugPrivilege	2656	powershell.exe
Token: SeDebugPrivilege	2716	powershell.exe
Token: SeDebugPrivilege	2116	powershell.exe
Token: SeDebugPrivilege	2948	powershell.exe
Token: SeDebugPrivilege	2236	powershell.exe
Token: SeDebugPrivilege	2580	cmd.exe
Token: SeDebugPrivilege	1420	cmd.exe
Token: SeDebugPrivilege	1052	cmd.exe
Token: SeDebugPrivilege	1040	cmd.exe
Token: SeDebugPrivilege	2480	cmd.exe
Token: SeDebugPrivilege	1516	cmd.exe
Token: SeDebugPrivilege	3028	cmd.exe
Token: SeDebugPrivilege	1908	cmd.exe
Token: SeDebugPrivilege	1956	cmd.exe
Token: SeDebugPrivilege	2828	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2700 wrote to memory of 1568	2700	4a9879a7f5fc93527f80d4fdab885a205649dce0793dda01dda2192528894bac.exe	30
PID 2700 wrote to memory of 1568	2700	4a9879a7f5fc93527f80d4fdab885a205649dce0793dda01dda2192528894bac.exe	30
PID 2700 wrote to memory of 1568	2700	4a9879a7f5fc93527f80d4fdab885a205649dce0793dda01dda2192528894bac.exe	30
PID 2700 wrote to memory of 1568	2700	4a9879a7f5fc93527f80d4fdab885a205649dce0793dda01dda2192528894bac.exe	30
PID 1568 wrote to memory of 2920	1568	WScript.exe	31
PID 1568 wrote to memory of 2920	1568	WScript.exe	31
PID 1568 wrote to memory of 2920	1568	WScript.exe	31
PID 1568 wrote to memory of 2920	1568	WScript.exe	31
PID 2920 wrote to memory of 2728	2920	cmd.exe	33
PID 2920 wrote to memory of 2728	2920	cmd.exe	33
PID 2920 wrote to memory of 2728	2920	cmd.exe	33
PID 2920 wrote to memory of 2728	2920	cmd.exe	33
PID 2728 wrote to memory of 2948	2728	DllCommonsvc.exe	56
PID 2728 wrote to memory of 2948	2728	DllCommonsvc.exe	56
PID 2728 wrote to memory of 2948	2728	DllCommonsvc.exe	56
PID 2728 wrote to memory of 2716	2728	DllCommonsvc.exe	57
PID 2728 wrote to memory of 2716	2728	DllCommonsvc.exe	57
PID 2728 wrote to memory of 2716	2728	DllCommonsvc.exe	57
PID 2728 wrote to memory of 2584	2728	DllCommonsvc.exe	58
PID 2728 wrote to memory of 2584	2728	DllCommonsvc.exe	58
PID 2728 wrote to memory of 2584	2728	DllCommonsvc.exe	58
PID 2728 wrote to memory of 2496	2728	DllCommonsvc.exe	59
PID 2728 wrote to memory of 2496	2728	DllCommonsvc.exe	59
PID 2728 wrote to memory of 2496	2728	DllCommonsvc.exe	59
PID 2728 wrote to memory of 2236	2728	DllCommonsvc.exe	60
PID 2728 wrote to memory of 2236	2728	DllCommonsvc.exe	60
PID 2728 wrote to memory of 2236	2728	DllCommonsvc.exe	60
PID 2728 wrote to memory of 2656	2728	DllCommonsvc.exe	61
PID 2728 wrote to memory of 2656	2728	DllCommonsvc.exe	61
PID 2728 wrote to memory of 2656	2728	DllCommonsvc.exe	61
PID 2728 wrote to memory of 1324	2728	DllCommonsvc.exe	62
PID 2728 wrote to memory of 1324	2728	DllCommonsvc.exe	62
PID 2728 wrote to memory of 1324	2728	DllCommonsvc.exe	62
PID 2728 wrote to memory of 2116	2728	DllCommonsvc.exe	63
PID 2728 wrote to memory of 2116	2728	DllCommonsvc.exe	63
PID 2728 wrote to memory of 2116	2728	DllCommonsvc.exe	63
PID 2728 wrote to memory of 1692	2728	DllCommonsvc.exe	72
PID 2728 wrote to memory of 1692	2728	DllCommonsvc.exe	72
PID 2728 wrote to memory of 1692	2728	DllCommonsvc.exe	72
PID 1692 wrote to memory of 1888	1692	cmd.exe	74
PID 1692 wrote to memory of 1888	1692	cmd.exe	74
PID 1692 wrote to memory of 1888	1692	cmd.exe	74
PID 1692 wrote to memory of 2580	1692	cmd.exe	76
PID 1692 wrote to memory of 2580	1692	cmd.exe	76
PID 1692 wrote to memory of 2580	1692	cmd.exe	76
PID 2580 wrote to memory of 304	2580	cmd.exe	77
PID 2580 wrote to memory of 304	2580	cmd.exe	77
PID 2580 wrote to memory of 304	2580	cmd.exe	77
PID 304 wrote to memory of 1872	304	cmd.exe	79
PID 304 wrote to memory of 1872	304	cmd.exe	79
PID 304 wrote to memory of 1872	304	cmd.exe	79
PID 304 wrote to memory of 1420	304	cmd.exe	80
PID 304 wrote to memory of 1420	304	cmd.exe	80
PID 304 wrote to memory of 1420	304	cmd.exe	80
PID 1420 wrote to memory of 1808	1420	cmd.exe	81
PID 1420 wrote to memory of 1808	1420	cmd.exe	81
PID 1420 wrote to memory of 1808	1420	cmd.exe	81
PID 1808 wrote to memory of 592	1808	cmd.exe	83
PID 1808 wrote to memory of 592	1808	cmd.exe	83
PID 1808 wrote to memory of 592	1808	cmd.exe	83
PID 1808 wrote to memory of 1052	1808	cmd.exe	84
PID 1808 wrote to memory of 1052	1808	cmd.exe	84
PID 1808 wrote to memory of 1052	1808	cmd.exe	84
PID 1052 wrote to memory of 2008	1052	cmd.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4a9879a7f5fc93527f80d4fdab885a205649dce0793dda01dda2192528894bac.exe
"C:\Users\Admin\AppData\Local\Temp\4a9879a7f5fc93527f80d4fdab885a205649dce0793dda01dda2192528894bac.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1568
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2920
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2728
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2948
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2716
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2584
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2496
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2236
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2656
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1324
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2116
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pZIYUXLBEp.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1692
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1888
      - C:\providercommon\cmd.exe
        
        "C:\providercommon\cmd.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2580
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Pkopelt31u.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:304
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1872
        
        C:\providercommon\cmd.exe
        
        "C:\providercommon\cmd.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1420
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\b7oBPqXqtO.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1808
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:592
        
        C:\providercommon\cmd.exe
        
        "C:\providercommon\cmd.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1052
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\p9sA7N8NGm.bat"
        11⤵
        
        PID:2008
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:3044
        
        C:\providercommon\cmd.exe
        
        "C:\providercommon\cmd.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1040
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aoAocY3YSO.bat"
        13⤵
        
        PID:1764
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:296
        
        C:\providercommon\cmd.exe
        
        "C:\providercommon\cmd.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2480
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IMpAoVHioU.bat"
        15⤵
        
        PID:2224
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1036
        
        C:\providercommon\cmd.exe
        
        "C:\providercommon\cmd.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1516
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qzxbGmHcY3.bat"
        17⤵
        
        PID:1844
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2116
        
        C:\providercommon\cmd.exe
        
        "C:\providercommon\cmd.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3028
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PfMhC4n1i0.bat"
        19⤵
        
        PID:2720
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:912
        
        C:\providercommon\cmd.exe
        
        "C:\providercommon\cmd.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1908
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MzhLoGhvPq.bat"
        21⤵
        
        PID:584
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1996
        
        C:\providercommon\cmd.exe
        
        "C:\providercommon\cmd.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1956
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SQTB2Yz9K3.bat"
        23⤵
        
        PID:1684
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2212
        
        C:\providercommon\cmd.exe
        
        "C:\providercommon\cmd.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2828
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LBVLNHYHv1.bat"
        25⤵
        
        PID:2424
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\providercommon\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b72603266becab8cb3e1792e42f9d782

SHA1
58287bc9eb6e4ffb12526150f2ce6e96cac1213b

SHA256
922d7c3c8f633ae06f41886a73213f0a8c50b97874e5ed775c10bf206873e0f6

SHA512
bdf6717201476d89b3529ecfc1678d2705b90c86fb4e31749ac03de97f088b594e8d8b12d0b8783be41b6d54880cb6a28b3af198c079c65a258278dc3d49a697

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3b986565771dccf57fa7e2ad150238e5

SHA1
75d2c481b96f39f2844ffa47065788bf7b5b1b87

SHA256
31c12671cf63365fa096428a936e0b1e401b259acf11db6b14934dad0bbbe128

SHA512
b27477026999926c8417891d1e7f01e485f922a9a81d9998aa08d56adcfe118282f08624e6db880a2aa3b73085349a9e8d85dafa1bb371ddf95f65243241a184

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c0903d7c4ef408440c22a444a1eada17

SHA1
4f0e4fbcc65b61fd18410b06669bfe6bfbc4a7d5

SHA256
d18302b56d9b2dd46ba65ff570712a96d57ef0ad17f9dc8f719e5a79a7942071

SHA512
a9e590aa747be7f1b9bb2df269b19f5a1a9d4edbbca8d6d4f3dd914aa606ac5940f3c044868722ba41b22acb8767174b644a40f33fb394b1710bc60a8056864d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cbbe19499c1205a2c9c22cc42feebe4e

SHA1
80c303db0027b8890770e8a1c152bb61ba6d2fed

SHA256
5ec57ba732dd26036791be2d43e1f4ef03e52a93411b9e5ab9c566ab7c328453

SHA512
8a3ce8cecee3fe9149a1d2b65ec98153d0636a371d5244dc13cbda3596b9918f38977fa4d8d4ebceb610fbfa602b8c0f324997dc5f8524bf50eecfb6a1159b9f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
65f0c32abe7a928d41867b9b7ec1ecf8

SHA1
8b203402ad15cd75e585b93cf3ab4e38abc9d59f

SHA256
b04110e1e17723f676bf72097e0bf1814997a7255329dca69123205ea41ef6d4

SHA512
ef2ce21ec51e968cd19c08019d94925570aad4b558e6c5dbb7d1b1027255b0044a62df3aca378b872e70e8debfb01b13b8dcc7fcf634f41b12eff82f944bb91c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b278b33ac373ac5c8d368ad8093b7aa8

SHA1
ff28d35bae557be541fd1da53ade8a44694f2ae1

SHA256
8dd8198d20fd57825a62531b8ac143cb771bbeaec55a6593511c500dbd66188f

SHA512
4d6911e9d36a49e7f45f2d11e7978971c28c13d473f7fcc12e6c4cb4c9e7444473b08ec357456aa356605449d8b8fd1dc096305d596c1fbcb5a413e6c3f8749b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b552f0b0f7559b915832263f91b62204

SHA1
a32da1348211741d7ab864ccb949632bb7ed3aa5

SHA256
b41fa3625ad67446be185c5b28534829c092820d01457176adb116ccc080f3df

SHA512
64070afdc70dec9b21624750f6856da8bd776afbb53a6894e4e3643af5ee14a2d0f8c04e982420f7ae768a712548b5899812fa7dfc778de487a5330ca371d742

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
88242ded02bdf47e287fe1b17cb28571

SHA1
785397d464349e28f983290aa43ede1b8d8c1c34

SHA256
dbffb69fe75250bf56134c0bc354f58ac3b5899a0b5742005c91cb5ae975be23

SHA512
75ccb7dc88c719f6994b4cf42ab817f0a904b31aaac17f3879be2c138bfc0ed10f6e4533bf751f400ed00a9ac9afac0d7f90d569cad0720b1afc7bff1a111811

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
337857ddca1a7ae2a811c0d7a08147b7

SHA1
495d6d6657cc52f5384097dedcef232ef9a29560

SHA256
33dfb1caeb6cf553e0e343b21b11c9b8ca6c31149dd1c2b4f2a1325f307cb4ca

SHA512
81e1903bdecbefa7b1d54480b3cc38e4d8f443f86a6538a9510be3b0094002c580ec61de7a87d107bb50aabe1cf18693777a2f5dea3dd70f9c73ea345abec675

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabFDF0.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IMpAoVHioU.bat

Filesize
190B

MD5
739d179d5d94ddc90eb153b23efeb6eb

SHA1
3e20fd1818136ff10785691cd6a3370baa5dd9e8

SHA256
f4f8c160ffed9ce625b3ae8f266fcb70641ad8c5adfaedb917c267eae1077514

SHA512
935430bcac4582476829153c71f1991e85be04e62c70affe420df1f9ccd345ba70b295cbb71fa441fd1431bd599077a4a09430251945a2625933127aac03ff67

Download Submit
C:\Users\Admin\AppData\Local\Temp\LBVLNHYHv1.bat

Filesize
190B

MD5
4e9d59e2a56172b7d345ed9f2f227fa9

SHA1
15ad6278921b5cdb4bf4295c124ff6d8ea7442c0

SHA256
f6f5eda3efc983dcacc61196b4aad0364cbfe86ec5c608d59c1d34dfe47b3f88

SHA512
8c6e2c9a9a849ff6cbd00db53b36c84b1170a4cb50d9bca8194aa6008d4202efbd60735d34fc126f1c5dffb2ec1d3c09694afe202e2670231df779a7e1fe2888

Download Submit
C:\Users\Admin\AppData\Local\Temp\MzhLoGhvPq.bat

Filesize
190B

MD5
2f35c8f6215478f6c33a44478370e6d4

SHA1
723fc8a7142d4233c8dc653ce8c56c35086c4afa

SHA256
960e316109ccabd2fcf7fe3b853a22dfdec8aee694788f4ede0bb7966f511025

SHA512
043015785e2f6c51a80436ef10b3fc9216b1688b11488831e284741231db3c4069c32b8fb90659e872a98f34b09f8e6423fc42ab1284c1c932f6ed8287b2946f

Download Submit
C:\Users\Admin\AppData\Local\Temp\PfMhC4n1i0.bat

Filesize
190B

MD5
acbcc14cf96cf7ad09f460b29543dc0c

SHA1
c5f22f73d071b030d248819f145a55a8eee84dd8

SHA256
ef578d444b78ff28e18dc123f662bf89b8f122cd3482b1f44edc7590363e35e7

SHA512
5fbb12112d1c0d7091d4e4e41f6edb495c821f7ecf47ae4289f464032063a1cca936a2f4ca6a3d7d4957b6754dd0cea1f7e8b5e772b0d1eb08fe873545a5e736

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pkopelt31u.bat

Filesize
190B

MD5
2e8510b0f08a6d62f727edd70db05692

SHA1
417c534b9789977b9d7e477c742c771a846a581e

SHA256
d6d53e518ef19081a38aa1a9008d5cbe77da67d8f1760e615e1fb2f64da77d29

SHA512
742c8635a398ba9bf0f58c2bf603c8757af570d1af0aad82f570407c54ec2e576a2ed25cb5e5e98254934b49c07efe2985a0eba9a9a26443d89240bf59042c0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQTB2Yz9K3.bat

Filesize
190B

MD5
c447804c3acfd9ce12c7a9205e525f52

SHA1
b3c5e5954c511919cb93648eb629042ebc31eed1

SHA256
f3abbbeac94e532789290bb6f7b54b2c03fc0b442336abef6d7f568836bcf437

SHA512
e321e2d09a26b77f64734afe3b06650546262d2e30116beb2674007429bf5349cacd6fbc9424461b7b444ad0664abc07e450f46a6180a4f073cd9c7662b08993

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarFE22.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\aoAocY3YSO.bat

Filesize
190B

MD5
418c31971b5686bf8d8d7abfae5439c3

SHA1
6236afbb6ba402a9047bcaabd55097f2e83da2a5

SHA256
9d51d582e08ede9798c9d8d5a1ae891375647c4c633a7c81719eb7a27287439e

SHA512
7c6604fb349afb5bf72ebf49cdc1729ae583aa2cfb8fc35e7f83614276608de73efcf6a6543968159a3cc8c7d072013e73193769c1950dbdea46201bbc6a7a07

Download Submit
C:\Users\Admin\AppData\Local\Temp\b7oBPqXqtO.bat

Filesize
190B

MD5
1c99fbb53f4ae0642727c1a638be355d

SHA1
1f966fdd1c19cbecb7c233295e01a2f6927ac81a

SHA256
4b589e2428a4c67928e345cfaa24c009a6e4826667d0dc70cb7099ee593bf8ba

SHA512
a49615f1b998635e8caafdb23326d97f472c3c18f26bb9d4323ce70101d953fd9d99940a0436ca4a048e5c0ffa4d44c51caf837c1a6fc5b5321468a17c748d99

Download Submit
C:\Users\Admin\AppData\Local\Temp\p9sA7N8NGm.bat

Filesize
190B

MD5
72a7d2f6536d3e36e1c9a614a6c7cc3f

SHA1
615a2428b234ba4db741716833f9ad19975a768b

SHA256
2f9f1abc96429eef79b3c3e1c71c198c349e73962ba3b8587a66734fa50cd678

SHA512
b63fc8656615eaec6485ef3a4d029bd4eabe1345bbf82e48550bbfda4c48eddf5c06e283342d23d42e151f6368769af513b43cff0c85bca0dfe10873a05ec266

Download Submit
C:\Users\Admin\AppData\Local\Temp\pZIYUXLBEp.bat

Filesize
190B

MD5
8cd5dc21450647be00312e3077d21f2f

SHA1
824de0c4ed2b8c45c1ca1f188adc09189431a619

SHA256
ea520f008445c6e4201c17414213365ea94df5baea223acf19b7b19db8bcf44b

SHA512
ac929877d86856ba3989ec7951f579608255a7464d4ac7529da1a25be890577464d7dd336ad9c3c832edd56b6c2025967f37b882267e6dcdef0e0afe47947581

Download Submit
C:\Users\Admin\AppData\Local\Temp\qzxbGmHcY3.bat

Filesize
190B

MD5
eb6a8aacc0738a3306098d309ace4860

SHA1
52f535c48e02f6cd4577c91664a5de3e9a832c89

SHA256
d24aa8e8606cf5c2ed7372a8e5b05e7d1e5347bb1df906db114540d4f5a9d191

SHA512
2ac544358f372deaf1dd52f0d71b350e380512df3c26335b34bd9feac64f7ad59d23e80cb4ac9c12a3722c4201b1c1bad9e46a3ca8193f40a11c40ee1e8d52eb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
597fd608cb88c55fced85f95b3fe6e74

SHA1
03335c838d6d3776bb0c207cad62e0a9d1cc84e5

SHA256
2fa1a516e8eb82540b1ab7cd8158dbb6ceeb1395dcc019153e8ce78e2184e714

SHA512
0f45e061906d923dbe8db13e9b0c60250fd3dc27fdd63af3c56639cc0b3b2e5ec76662c54fea2456451fb0c42d045934ec167d98acddb49c605afbbea53a5389

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/1040-259-0x0000000001280000-0x0000000001390000-memory.dmp

Filesize
1.1MB

Download
memory/1052-199-0x0000000000C50000-0x0000000000D60000-memory.dmp

Filesize
1.1MB

Download
memory/1420-139-0x00000000002F0000-0x0000000000400000-memory.dmp

Filesize
1.1MB

Download
memory/2480-319-0x0000000001360000-0x0000000001470000-memory.dmp

Filesize
1.1MB

Download
memory/2496-49-0x000000001B7E0000-0x000000001BAC2000-memory.dmp

Filesize
2.9MB

Download
memory/2496-51-0x0000000001DE0000-0x0000000001DE8000-memory.dmp

Filesize
32KB

Download
memory/2580-80-0x00000000002B0000-0x00000000003C0000-memory.dmp

Filesize
1.1MB

Download
memory/2728-17-0x0000000000B00000-0x0000000000B0C000-memory.dmp

Filesize
48KB

Download
memory/2728-16-0x00000000004D0000-0x00000000004DC000-memory.dmp

Filesize
48KB

Download
memory/2728-15-0x00000000004E0000-0x00000000004EC000-memory.dmp

Filesize
48KB

Download
memory/2728-14-0x00000000004C0000-0x00000000004D2000-memory.dmp

Filesize
72KB

Download
memory/2728-13-0x00000000012E0000-0x00000000013F0000-memory.dmp

Filesize
1.1MB

Download
memory/2828-616-0x0000000001150000-0x0000000001260000-memory.dmp

Filesize
1.1MB

Download
memory/3028-438-0x0000000001050000-0x0000000001160000-memory.dmp

Filesize
1.1MB

Download