dcrat | fadf89f6cb9cdee1f1bdbb302ff51b15035737e42abb9b2f56d02985d85f1438

Analysis

max time kernel
147s
max time network
143s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 21:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_fadf89f6cb9cdee1f1bdbb302ff51b15035737e42abb9b2f56d02985d85f1438.exe
Size

1.3MB
MD5

381e4d36ee5e779c5c33fb1ce714d648
SHA1

8585e4227375db510680059b520b9b4fe84e0324
SHA256

fadf89f6cb9cdee1f1bdbb302ff51b15035737e42abb9b2f56d02985d85f1438
SHA512

b1393397e0fea5365136284c746000be60e7d1895308ade45beab74af166fdf1e6b5988c08775eed3b414c022749176cced77060dd31e23d4097ecda07c94ad5
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	660	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1792	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	676	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1244	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	756	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	760	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	928	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	2876	schtasks.exe	34

DCRat payload 13 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00070000000192f0-11.dat	dcrat
behavioral1/memory/2220-13-0x0000000000AF0000-0x0000000000C00000-memory.dmp	dcrat
behavioral1/memory/404-58-0x0000000000EA0000-0x0000000000FB0000-memory.dmp	dcrat
behavioral1/memory/2656-131-0x00000000000D0000-0x00000000001E0000-memory.dmp	dcrat
behavioral1/memory/1620-191-0x0000000000C30000-0x0000000000D40000-memory.dmp	dcrat
behavioral1/memory/1188-251-0x00000000010E0000-0x00000000011F0000-memory.dmp	dcrat
behavioral1/memory/1536-311-0x0000000001110000-0x0000000001220000-memory.dmp	dcrat
behavioral1/memory/1804-431-0x00000000002A0000-0x00000000003B0000-memory.dmp	dcrat
behavioral1/memory/1188-491-0x0000000000280000-0x0000000000390000-memory.dmp	dcrat
behavioral1/memory/936-551-0x0000000000910000-0x0000000000A20000-memory.dmp	dcrat
behavioral1/memory/2028-611-0x0000000000D50000-0x0000000000E60000-memory.dmp	dcrat
behavioral1/memory/2004-672-0x0000000000E50000-0x0000000000F60000-memory.dmp	dcrat
behavioral1/memory/2580-732-0x0000000001030000-0x0000000001140000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1300	powershell.exe
2912	powershell.exe
1148	powershell.exe
2940	powershell.exe
2936	powershell.exe
2960	powershell.exe
2904	powershell.exe

Executes dropped EXE 13 IoCs

pid	Process
2220	DllCommonsvc.exe
404	services.exe
2656	services.exe
1620	services.exe
1188	services.exe
1536	services.exe
2144	services.exe
1804	services.exe
1188	services.exe
936	services.exe
2028	services.exe
2004	services.exe
2580	services.exe

Loads dropped DLL 2 IoCs

pid	Process
1256	cmd.exe
1256	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
24	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
13	raw.githubusercontent.com
16	raw.githubusercontent.com
34	raw.githubusercontent.com
37	raw.githubusercontent.com
41	raw.githubusercontent.com
9	raw.githubusercontent.com
20	raw.githubusercontent.com
27	raw.githubusercontent.com
31	raw.githubusercontent.com

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Reference Assemblies\explorer.exe	DllCommonsvc.exe
File created	C:\Program Files\Reference Assemblies\7a0fd90576e088	DllCommonsvc.exe
File created	C:\Program Files\Java\jre7\Idle.exe	DllCommonsvc.exe
File created	C:\Program Files\Java\jre7\6ccacd8608530f	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\addins\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Windows\addins\24dbde2999530e	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_fadf89f6cb9cdee1f1bdbb302ff51b15035737e42abb9b2f56d02985d85f1438.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2760	schtasks.exe
660	schtasks.exe
676	schtasks.exe
756	schtasks.exe
2596	schtasks.exe
2460	schtasks.exe
1792	schtasks.exe
1796	schtasks.exe
2620	schtasks.exe
2660	schtasks.exe
1860	schtasks.exe
760	schtasks.exe
2500	schtasks.exe
2916	schtasks.exe
2764	schtasks.exe
1244	schtasks.exe
1808	schtasks.exe
928	schtasks.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2220	DllCommonsvc.exe
2912	powershell.exe
1300	powershell.exe
1148	powershell.exe
2940	powershell.exe
2904	powershell.exe
2960	powershell.exe
2936	powershell.exe
404	services.exe
2656	services.exe
1620	services.exe
1188	services.exe
1536	services.exe
2144	services.exe
1804	services.exe
1188	services.exe
936	services.exe
2028	services.exe
2004	services.exe
2580	services.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	2220	DllCommonsvc.exe
Token: SeDebugPrivilege	2912	powershell.exe
Token: SeDebugPrivilege	1300	powershell.exe
Token: SeDebugPrivilege	1148	powershell.exe
Token: SeDebugPrivilege	2940	powershell.exe
Token: SeDebugPrivilege	2904	powershell.exe
Token: SeDebugPrivilege	2960	powershell.exe
Token: SeDebugPrivilege	2936	powershell.exe
Token: SeDebugPrivilege	404	services.exe
Token: SeDebugPrivilege	2656	services.exe
Token: SeDebugPrivilege	1620	services.exe
Token: SeDebugPrivilege	1188	services.exe
Token: SeDebugPrivilege	1536	services.exe
Token: SeDebugPrivilege	2144	services.exe
Token: SeDebugPrivilege	1804	services.exe
Token: SeDebugPrivilege	1188	services.exe
Token: SeDebugPrivilege	936	services.exe
Token: SeDebugPrivilege	2028	services.exe
Token: SeDebugPrivilege	2004	services.exe
Token: SeDebugPrivilege	2580	services.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 2412	2396	JaffaCakes118_fadf89f6cb9cdee1f1bdbb302ff51b15035737e42abb9b2f56d02985d85f1438.exe	30
PID 2396 wrote to memory of 2412	2396	JaffaCakes118_fadf89f6cb9cdee1f1bdbb302ff51b15035737e42abb9b2f56d02985d85f1438.exe	30
PID 2396 wrote to memory of 2412	2396	JaffaCakes118_fadf89f6cb9cdee1f1bdbb302ff51b15035737e42abb9b2f56d02985d85f1438.exe	30
PID 2396 wrote to memory of 2412	2396	JaffaCakes118_fadf89f6cb9cdee1f1bdbb302ff51b15035737e42abb9b2f56d02985d85f1438.exe	30
PID 2412 wrote to memory of 1256	2412	WScript.exe	31
PID 2412 wrote to memory of 1256	2412	WScript.exe	31
PID 2412 wrote to memory of 1256	2412	WScript.exe	31
PID 2412 wrote to memory of 1256	2412	WScript.exe	31
PID 1256 wrote to memory of 2220	1256	cmd.exe	33
PID 1256 wrote to memory of 2220	1256	cmd.exe	33
PID 1256 wrote to memory of 2220	1256	cmd.exe	33
PID 1256 wrote to memory of 2220	1256	cmd.exe	33
PID 2220 wrote to memory of 2912	2220	DllCommonsvc.exe	53
PID 2220 wrote to memory of 2912	2220	DllCommonsvc.exe	53
PID 2220 wrote to memory of 2912	2220	DllCommonsvc.exe	53
PID 2220 wrote to memory of 1300	2220	DllCommonsvc.exe	54
PID 2220 wrote to memory of 1300	2220	DllCommonsvc.exe	54
PID 2220 wrote to memory of 1300	2220	DllCommonsvc.exe	54
PID 2220 wrote to memory of 2904	2220	DllCommonsvc.exe	55
PID 2220 wrote to memory of 2904	2220	DllCommonsvc.exe	55
PID 2220 wrote to memory of 2904	2220	DllCommonsvc.exe	55
PID 2220 wrote to memory of 1148	2220	DllCommonsvc.exe	59
PID 2220 wrote to memory of 1148	2220	DllCommonsvc.exe	59
PID 2220 wrote to memory of 1148	2220	DllCommonsvc.exe	59
PID 2220 wrote to memory of 2960	2220	DllCommonsvc.exe	60
PID 2220 wrote to memory of 2960	2220	DllCommonsvc.exe	60
PID 2220 wrote to memory of 2960	2220	DllCommonsvc.exe	60
PID 2220 wrote to memory of 2936	2220	DllCommonsvc.exe	61
PID 2220 wrote to memory of 2936	2220	DllCommonsvc.exe	61
PID 2220 wrote to memory of 2936	2220	DllCommonsvc.exe	61
PID 2220 wrote to memory of 2940	2220	DllCommonsvc.exe	64
PID 2220 wrote to memory of 2940	2220	DllCommonsvc.exe	64
PID 2220 wrote to memory of 2940	2220	DllCommonsvc.exe	64
PID 2220 wrote to memory of 404	2220	DllCommonsvc.exe	67
PID 2220 wrote to memory of 404	2220	DllCommonsvc.exe	67
PID 2220 wrote to memory of 404	2220	DllCommonsvc.exe	67
PID 404 wrote to memory of 1788	404	services.exe	69
PID 404 wrote to memory of 1788	404	services.exe	69
PID 404 wrote to memory of 1788	404	services.exe	69
PID 1788 wrote to memory of 1480	1788	cmd.exe	71
PID 1788 wrote to memory of 1480	1788	cmd.exe	71
PID 1788 wrote to memory of 1480	1788	cmd.exe	71
PID 1788 wrote to memory of 2656	1788	cmd.exe	72
PID 1788 wrote to memory of 2656	1788	cmd.exe	72
PID 1788 wrote to memory of 2656	1788	cmd.exe	72
PID 2656 wrote to memory of 1952	2656	services.exe	73
PID 2656 wrote to memory of 1952	2656	services.exe	73
PID 2656 wrote to memory of 1952	2656	services.exe	73
PID 1952 wrote to memory of 2596	1952	cmd.exe	75
PID 1952 wrote to memory of 2596	1952	cmd.exe	75
PID 1952 wrote to memory of 2596	1952	cmd.exe	75
PID 1952 wrote to memory of 1620	1952	cmd.exe	76
PID 1952 wrote to memory of 1620	1952	cmd.exe	76
PID 1952 wrote to memory of 1620	1952	cmd.exe	76
PID 1620 wrote to memory of 1624	1620	services.exe	77
PID 1620 wrote to memory of 1624	1620	services.exe	77
PID 1620 wrote to memory of 1624	1620	services.exe	77
PID 1624 wrote to memory of 1648	1624	cmd.exe	79
PID 1624 wrote to memory of 1648	1624	cmd.exe	79
PID 1624 wrote to memory of 1648	1624	cmd.exe	79
PID 1624 wrote to memory of 1188	1624	cmd.exe	80
PID 1624 wrote to memory of 1188	1624	cmd.exe	80
PID 1624 wrote to memory of 1188	1624	cmd.exe	80
PID 1188 wrote to memory of 2748	1188	services.exe	81

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fadf89f6cb9cdee1f1bdbb302ff51b15035737e42abb9b2f56d02985d85f1438.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fadf89f6cb9cdee1f1bdbb302ff51b15035737e42abb9b2f56d02985d85f1438.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2412
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1256
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2220
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2912
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1300
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2904
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1148
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\addins\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2960
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jre7\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2936
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\NetHood\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2940
    - - C:\providercommon\services.exe
        
        "C:\providercommon\services.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:404
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HAJBVlyJNQ.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1788
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1480
        
        C:\providercommon\services.exe
        
        "C:\providercommon\services.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2656
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\57xCWyooww.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2596
        
        C:\providercommon\services.exe
        
        "C:\providercommon\services.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FFH8oguQ3d.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1648
        
        C:\providercommon\services.exe
        
        "C:\providercommon\services.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1188
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lEFN0vw97k.bat"
        12⤵
        
        PID:2748
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1556
        
        C:\providercommon\services.exe
        
        "C:\providercommon\services.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1536
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HAQQp9H1T4.bat"
        14⤵
        
        PID:2164
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2600
        
        C:\providercommon\services.exe
        
        "C:\providercommon\services.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2144
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J91AFVPMIK.bat"
        16⤵
        
        PID:3068
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1300
        
        C:\providercommon\services.exe
        
        "C:\providercommon\services.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1804
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wUI7DLfHyj.bat"
        18⤵
        
        PID:2640
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1812
        
        C:\providercommon\services.exe
        
        "C:\providercommon\services.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1188
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zHC6P4FzNT.bat"
        20⤵
        
        PID:2704
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2252
        
        C:\providercommon\services.exe
        
        "C:\providercommon\services.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:936
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tpXWVAFTZv.bat"
        22⤵
        
        PID:1856
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2784
        
        C:\providercommon\services.exe
        
        "C:\providercommon\services.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2028
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OyPKZ08zKl.bat"
        24⤵
        
        PID:1232
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2396
        
        C:\providercommon\services.exe
        
        "C:\providercommon\services.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2004
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YKuCD7w8Ue.bat"
        26⤵
        
        PID:2976
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:1868
        
        C:\providercommon\services.exe
        
        "C:\providercommon\services.exe"
        27⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\providercommon\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files\Reference Assemblies\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files\Reference Assemblies\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Windows\addins\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\addins\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Windows\addins\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files\Java\jre7\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files\Java\jre7\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\NetHood\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Admin\NetHood\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\NetHood\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
37bf6fc6083ebe8c2020a346b56fc6de

SHA1
a861a779684196e2b123448d539b093d0fb9f677

SHA256
5d75e888a94eca0138c507e3b4b0374ec341fb3ef1ff497acf887b3af0e27003

SHA512
e2c32315607094170ec49418d44331df6c42cab230f6f7c7ab154131687e60ab4c85b0a869f23781776ea867a0d51b5d1c924e8e77c665a38984728c2fd3147c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9e0bcf39396d81f3bb44dc443eb48824

SHA1
ea696903cab639dc51746a62baba6b479fcf6bed

SHA256
a90b702374698d909d9e9b079bc4d41370da80bd64e3b71821ecad6cb2e921cd

SHA512
40dc8d18cd7a7c2724a14adf7b44dc0df2c70aa6e0d07bdf24297cbd43645001001e429f2313b17cbc53d6d0fc32acf231c0303b29575f4df4ccf7f9d574ee0f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f3d889c768e5f0a13eabac09552a300e

SHA1
abb66fbbe6bd7c3c98ee80e820c90689ca1e5cf4

SHA256
55ca06c78d1fb25e2b8f84b028d193d00580dc286c8954efd7775020ab8ac424

SHA512
6375381d59c74fd71a19e267ed0f5f8658e57c680af254dabe9c86a04955e4b1366293178ef17ddc2d22093eca74e05ef0d19d2fbc381c09dbc3d1c3688542e2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
691f3033925a50724f17ea79f7d68615

SHA1
84b710e3213c7f9b4ff5fc1315196cc8dbd01fa5

SHA256
2d1bb4e38e9767ff4f98ce51a3119a6b62711562d418bf9bff5f64a59f21c253

SHA512
0468a4773d95f20aae2eb96abfc115583f74b297ac8d2b7d424561d01c248d11d8ed7d3d894fdcd17274178ff5a9c7007ec8ca2891185a8a96be87782fdf56b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e4cde6c630b44e6a4db332d99b35c83e

SHA1
7d2ab39fcaaa6975c321d92bbc19beb9e0fa6f59

SHA256
b961e5541de1fcf7efce57fd230fa7052389cb4267e3be73e96fab5c2ece7df7

SHA512
7cdb8428124eea68e717563244db16091805f1d17f6d9befd8dd4edf37923406c279f4b62b3748e4c97d8c884f8902785d3b6df888eb8fecc6575f51f67aa5bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
08d2c3b08f9a325622e53e73438442fb

SHA1
188185976eb548efa46a05be57a123cb4989cbb4

SHA256
57c25de6e3ea91721046655bb639d1918d53b34f16c4ec5bb52ba7ed54247ec3

SHA512
a43742ae07bf02ad730261a454e9d1c0a554206cd8f8a32012fbf864c471ea9e63fea7b0a9d285853a2d56ac382d670674cef441e9be42588b3a245ae58d542a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
148a2e5b52779aca350761024ba0f8f4

SHA1
cc709c8e5e4fd3b1ed95f717123d7a1b923a743f

SHA256
1d3549c344ebd2a9ca0be629a9f6b6737464f17fac74f90d7ca90313a735eeb1

SHA512
5c6c6f712d449d761dc905eb8748a2139b535db8e54a512bbeb4769af1813a249068821407c48be1314611c1e3ed090a6fb77585f3f066c00278c861098d493c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
701f80177d77a5e5f93c029919ac030b

SHA1
41d1819666cd21d286495465286d0ea67409c167

SHA256
884791c9c16b6482e4de53e1cc300f1087101886113ca862776edbc06db47453

SHA512
abbf0610ff5626d33788e3195029209389f68b12d42f73749c9d03e8de938dc37aca2fd67b0b62d4109fa97a28b2464208abb318c39f0b042a11340cb351fd77

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
74ddc1dfd9f361c9a1a489882e0d70f9

SHA1
06f8e14253d4ecd901087b330fe6a9a68567ee40

SHA256
8e07c0b2080c22cdbc1041f97ff4c03a29a15bbdff2815ebd9465d2ca6d9ce75

SHA512
502003331fce94e33f3a2743f872555a682d2b7e52cbc6a2115fe4a041d74399a935714738ffc59464ea4f0b0ba946d183b804a43f4ea3cc34614041bb70e208

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
319b0196ce856ba18cb8ab1551b1888a

SHA1
9b60bab062869e25f51c9df4403deb66f642ee8d

SHA256
f458b6585b5eaa9114388bebad42bff2378a0c3b3891ae2dbffe0f2c05ffa714

SHA512
0ed86d956de26785b00edcc790b8cda28dc6320703d7b0867553cb28a357bf169eda0d641e0a03ba92f701dd42d373ace301afff7b5305004482983c21e75476

Download Submit
C:\Users\Admin\AppData\Local\Temp\57xCWyooww.bat

Filesize
195B

MD5
24e3dc8e37629835e64791bb802e03e0

SHA1
046f5245c5204a595e4573c706d55cfe7cb4731b

SHA256
1ef4fe5ee3ea7189963153135b265ea4b4ba2cbb0c192cfd6bdaf35c14779c47

SHA512
1b3d270fdf9e8a3d11c5680c7fc80aa879d1d4c799d20c9d4bddba569efe33dcb09f7a75ed2479327cfe21564ac412450c7138677e55f5f5de1cf78174c5296e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE6D8.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FFH8oguQ3d.bat

Filesize
195B

MD5
2c61026c170b14baff48ac021550ce43

SHA1
cbc9856427a9d3fa39ecb6e93d115bb51f528d1b

SHA256
759344a83f3ee6ba84d6d85550e9d4b07673200303aad16eddd39828ed2e7cc4

SHA512
654a531b791703d83309c69c2f83d2bec414b19587437bac1757bd47bc548d0149fc40add4ec7c0fad81d60dd610079335dfd859d1d50c8f46b186cb1e60f95c

Download Submit
C:\Users\Admin\AppData\Local\Temp\HAJBVlyJNQ.bat

Filesize
195B

MD5
fe1519a301bbda2912882b7844ed1e09

SHA1
64289fd0982513f54cc145f5d2b4ca45861be254

SHA256
ac1355c94bfba53803508b0849b6f7e229a71e40b52d84951dd5cfe6e99f1a25

SHA512
b3152e770d3536969bb4c1f07f6fca32c7ecc1abc0ba179337601081d0b473f0b149b4e10fa42380ad8bfc9a714754750e74fb32f86e69bba965a21972b1d922

Download Submit
C:\Users\Admin\AppData\Local\Temp\HAQQp9H1T4.bat

Filesize
195B

MD5
dca5f9521d94b80ac3060b561039d32b

SHA1
bb4f6d9b315226347616b9f1b65ad7c4cafffc59

SHA256
e89399faa8d901e0588187a91858fd444d4ae7d2f38d2b87b0e6568ae42abab3

SHA512
da7f4bc167640301d03e8adef4ac335c00f8a0a96b4727fe85a9d2ea3e1de2169a37de82b9c4c856c2724e6c8aff39f50dbfadc4f89662cee7dfc6f1dbe737c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\J91AFVPMIK.bat

Filesize
195B

MD5
9ee2392f20b2a9cb9662936c6ea86689

SHA1
c9fd04dece7ce3fc3f52ea65d1c221960e539bc4

SHA256
457af0f86044c8d30ba71ca5182e07fe3c907fe4b212aedaa67793832e3ac64c

SHA512
ca3b85bbf5247cd2f7de95e987cb8523547ea6a66d33f47368438362412a471d11e845f0deca1e90c5bcf3d2353a3b10a9da15ef8ad530eebaaf552b8e80a14f

Download Submit
C:\Users\Admin\AppData\Local\Temp\OyPKZ08zKl.bat

Filesize
195B

MD5
59e617b5196acfe43d3fbee5433c0401

SHA1
1d19f64b9072de924e83542a9b1c7080c9cc4f38

SHA256
546cb4ddc8a9be8243ce8876dfb4847370a2a35cefe19750a628ef286d4d8ce6

SHA512
a133cdc9fa11a3537eb31fae95406b9bf42c1a7777134ea88edc0f97c964ac825862f3940f2dfd76c9acccf61f591f24e1c1ba3ee065a0fc90daa9a0c7098538

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE6FA.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\YKuCD7w8Ue.bat

Filesize
195B

MD5
d8ee16301360cc8d2a887e0b7576e5ea

SHA1
fa85f52744c242060ffd18085841273537e14e18

SHA256
41542f3a389b2ef6d54416ead06b949c248739f1180cca4f58e7a9097b59c29b

SHA512
0b881b6af18f70bee66d43e7f356754a293d1d4d1b69c9d98c66b86c1da84acc291e14acb22bcd6eb5fa37e52c14dfd29bdc84157501b1e661eab06738cef257

Download Submit
C:\Users\Admin\AppData\Local\Temp\lEFN0vw97k.bat

Filesize
195B

MD5
f601fb0887babefb582a1aec47e110f3

SHA1
66d9b25f3cb6d3708bac27d17743bc754c886fc1

SHA256
c4abfc6032b40e52b2c77fe35feb6292da5e3958755d784a339c88ac742bcddc

SHA512
f3db6f7270eb94adec956b66b4b2558b3817f1a43215a8dcf5af5b5680769dca039524318970cf38b3e828b89706c4b7c2066a5ef15944b47f84be8e28d9223a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tpXWVAFTZv.bat

Filesize
195B

MD5
e1cbf8ff7cf9000e7799dd1fc7a10392

SHA1
a881650b59b79037607d397386122b7b9d08474a

SHA256
c5dc7612baf74b05802709654a9d185122ad89555a447bb9559338a824866676

SHA512
385c0b0fc7c9a2f1f3fdd352be91dcfc4211b68e6bb96aabe0936464f49f2d6b90b5bffc3f3970d257fe37a69ccf5cbb212b825bb89c16fab0861a838d60f68e

Download Submit
C:\Users\Admin\AppData\Local\Temp\wUI7DLfHyj.bat

Filesize
195B

MD5
ab1ab9f5bd8992a5a78edaab35089996

SHA1
852ae51bd590264e207e7c701328bf4e2908933b

SHA256
c294ba9538a6d098877f332ebd8044e9db04a2c28441da9f039932fcb4241054

SHA512
6b3e1da7736d4f471c988c5d50a1a68a8b7f346f66ebfb839ef84164f6b77d75a94a58859558685c1a3cc836929c21e962f0bd951c770df4321016d2b8e865e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\zHC6P4FzNT.bat

Filesize
195B

MD5
2a16fae5ec0078124ade942843cfea86

SHA1
3f74f561fd4dc7334ac809c9bf94b9ce6d3797dc

SHA256
faa59150058e51081b435f95888907af2ee199be671a6da1bc6f53285d3d3424

SHA512
97d8da488dd7475e6064abc5d802ec9731db8ff01c4f92c2f7ed3927b5f3c3e7e8bd2b4609b8ba567c3f8f669869320ac7f3d8d5a080b8b1900548009dd4e8e0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
41ca4aacd8617ccfdbd15b7a4af9b83e

SHA1
c60a338ce19c516829b86e86b654e6e1173a26a5

SHA256
3b1a61ca7d737e79e6d8d5b0aa988e8d6d9fc4a6bf2a4c8bd0c1bab3e8e677d9

SHA512
f2310821532216ac008be272f04471cd60b13176c242bd0259f79a8ae9c6595e775d271b74ab00fed3b78b893e507d8a60e864c9688162ca60cb18cf5af3959f

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/404-58-0x0000000000EA0000-0x0000000000FB0000-memory.dmp

Filesize
1.1MB

Download
memory/936-551-0x0000000000910000-0x0000000000A20000-memory.dmp

Filesize
1.1MB

Download
memory/1188-251-0x00000000010E0000-0x00000000011F0000-memory.dmp

Filesize
1.1MB

Download
memory/1188-491-0x0000000000280000-0x0000000000390000-memory.dmp

Filesize
1.1MB

Download
memory/1536-311-0x0000000001110000-0x0000000001220000-memory.dmp

Filesize
1.1MB

Download
memory/1536-312-0x00000000002D0000-0x00000000002E2000-memory.dmp

Filesize
72KB

Download
memory/1620-191-0x0000000000C30000-0x0000000000D40000-memory.dmp

Filesize
1.1MB

Download
memory/1804-431-0x00000000002A0000-0x00000000003B0000-memory.dmp

Filesize
1.1MB

Download
memory/2004-672-0x0000000000E50000-0x0000000000F60000-memory.dmp

Filesize
1.1MB

Download
memory/2028-611-0x0000000000D50000-0x0000000000E60000-memory.dmp

Filesize
1.1MB

Download
memory/2028-612-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/2220-16-0x00000000003E0000-0x00000000003EC000-memory.dmp

Filesize
48KB

Download
memory/2220-17-0x0000000000790000-0x000000000079C000-memory.dmp

Filesize
48KB

Download
memory/2220-15-0x00000000003D0000-0x00000000003DC000-memory.dmp

Filesize
48KB

Download
memory/2220-14-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/2220-13-0x0000000000AF0000-0x0000000000C00000-memory.dmp

Filesize
1.1MB

Download
memory/2580-732-0x0000000001030000-0x0000000001140000-memory.dmp

Filesize
1.1MB

Download
memory/2580-733-0x0000000000450000-0x0000000000462000-memory.dmp

Filesize
72KB

Download
memory/2656-131-0x00000000000D0000-0x00000000001E0000-memory.dmp

Filesize
1.1MB

Download
memory/2912-57-0x0000000002000000-0x0000000002008000-memory.dmp

Filesize
32KB

Download
memory/2912-45-0x000000001B620000-0x000000001B902000-memory.dmp

Filesize
2.9MB

Download