dcrat | 72e47d638f9c345e1cb70c44a835fd3bfcb222e24a932efa7413f9640a8b0c24

Analysis

max time kernel
146s
max time network
150s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 02:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_72e47d638f9c345e1cb70c44a835fd3bfcb222e24a932efa7413f9640a8b0c24.exe
Size

1.3MB
MD5

dbf920144007e48da5141f53ab270de6
SHA1

3a860f79036f2a4d9023aaf02b322d5f5069acd1
SHA256

72e47d638f9c345e1cb70c44a835fd3bfcb222e24a932efa7413f9640a8b0c24
SHA512

d386d010da44e3ff91e0967f267262e131ae195872c0a9533404bbd9459ee6a717ed7e8953efeaaa9541f65dd6b7ed68c54936dc632cdf80288b53ab92de5738
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2752	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	2752	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2752	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	2752	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	388	2752	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	2752	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	2752	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	2752	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	896	2752	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	2752	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	2752	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	2752	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	2752	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	2752	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	2752	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	2752	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	2752	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1176	2752	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1108	2752	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	2752	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	2752	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	2752	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	2752	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	2752	schtasks.exe	34

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00070000000193b8-9.dat	dcrat
behavioral1/memory/2096-13-0x0000000000810000-0x0000000000920000-memory.dmp	dcrat
behavioral1/memory/524-61-0x00000000002F0000-0x0000000000400000-memory.dmp	dcrat
behavioral1/memory/1836-146-0x0000000000D00000-0x0000000000E10000-memory.dmp	dcrat
behavioral1/memory/2956-206-0x0000000001380000-0x0000000001490000-memory.dmp	dcrat
behavioral1/memory/2460-326-0x0000000000070000-0x0000000000180000-memory.dmp	dcrat
behavioral1/memory/2728-386-0x0000000000B40000-0x0000000000C50000-memory.dmp	dcrat
behavioral1/memory/112-447-0x0000000000CF0000-0x0000000000E00000-memory.dmp	dcrat
behavioral1/memory/2704-508-0x0000000000F60000-0x0000000001070000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2272	powershell.exe
2144	powershell.exe
2060	powershell.exe
908	powershell.exe
2300	powershell.exe
2520	powershell.exe
1076	powershell.exe
1844	powershell.exe
1540	powershell.exe

Executes dropped EXE 10 IoCs

pid	Process
2096	DllCommonsvc.exe
524	conhost.exe
1836	conhost.exe
2956	conhost.exe
2420	conhost.exe
2460	conhost.exe
2728	conhost.exe
112	conhost.exe
2704	conhost.exe
2372	conhost.exe

Loads dropped DLL 2 IoCs

pid	Process
3016	cmd.exe
3016	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
19	raw.githubusercontent.com
22	raw.githubusercontent.com
29	raw.githubusercontent.com
26	raw.githubusercontent.com
33	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
15	raw.githubusercontent.com

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Mail\it-IT\wininit.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\it-IT\56085415360792	DllCommonsvc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\winlogon.exe	DllCommonsvc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\cc11b995f2a76d	DllCommonsvc.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\LiveKernelReports\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Windows\Branding\Basebrd\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Windows\Branding\Basebrd\a76d7bf15d8370	DllCommonsvc.exe
File created	C:\Windows\ServiceProfiles\LocalService\Documents\sppsvc.exe	DllCommonsvc.exe
File created	C:\Windows\ServiceProfiles\LocalService\Documents\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Windows\LiveKernelReports\csrss.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_72e47d638f9c345e1cb70c44a835fd3bfcb222e24a932efa7413f9640a8b0c24.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2112	schtasks.exe
1624	schtasks.exe
2848	schtasks.exe
2260	schtasks.exe
2188	schtasks.exe
2844	schtasks.exe
2704	schtasks.exe
2868	schtasks.exe
896	schtasks.exe
2788	schtasks.exe
2220	schtasks.exe
2500	schtasks.exe
2604	schtasks.exe
2180	schtasks.exe
2076	schtasks.exe
316	schtasks.exe
2192	schtasks.exe
2516	schtasks.exe
1176	schtasks.exe
1108	schtasks.exe
2608	schtasks.exe
388	schtasks.exe
1684	schtasks.exe
2284	schtasks.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
2096	DllCommonsvc.exe
2300	powershell.exe
2272	powershell.exe
2060	powershell.exe
908	powershell.exe
2144	powershell.exe
1844	powershell.exe
1076	powershell.exe
524	conhost.exe
2520	powershell.exe
1540	powershell.exe
1836	conhost.exe
2956	conhost.exe
2420	conhost.exe
2460	conhost.exe
2728	conhost.exe
112	conhost.exe
2704	conhost.exe
2372	conhost.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	2096	DllCommonsvc.exe
Token: SeDebugPrivilege	2272	powershell.exe
Token: SeDebugPrivilege	2300	powershell.exe
Token: SeDebugPrivilege	2060	powershell.exe
Token: SeDebugPrivilege	908	powershell.exe
Token: SeDebugPrivilege	2144	powershell.exe
Token: SeDebugPrivilege	1844	powershell.exe
Token: SeDebugPrivilege	1076	powershell.exe
Token: SeDebugPrivilege	524	conhost.exe
Token: SeDebugPrivilege	2520	powershell.exe
Token: SeDebugPrivilege	1540	powershell.exe
Token: SeDebugPrivilege	1836	conhost.exe
Token: SeDebugPrivilege	2956	conhost.exe
Token: SeDebugPrivilege	2420	conhost.exe
Token: SeDebugPrivilege	2460	conhost.exe
Token: SeDebugPrivilege	2728	conhost.exe
Token: SeDebugPrivilege	112	conhost.exe
Token: SeDebugPrivilege	2704	conhost.exe
Token: SeDebugPrivilege	2372	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 2876	2244	JaffaCakes118_72e47d638f9c345e1cb70c44a835fd3bfcb222e24a932efa7413f9640a8b0c24.exe	30
PID 2244 wrote to memory of 2876	2244	JaffaCakes118_72e47d638f9c345e1cb70c44a835fd3bfcb222e24a932efa7413f9640a8b0c24.exe	30
PID 2244 wrote to memory of 2876	2244	JaffaCakes118_72e47d638f9c345e1cb70c44a835fd3bfcb222e24a932efa7413f9640a8b0c24.exe	30
PID 2244 wrote to memory of 2876	2244	JaffaCakes118_72e47d638f9c345e1cb70c44a835fd3bfcb222e24a932efa7413f9640a8b0c24.exe	30
PID 2876 wrote to memory of 3016	2876	WScript.exe	31
PID 2876 wrote to memory of 3016	2876	WScript.exe	31
PID 2876 wrote to memory of 3016	2876	WScript.exe	31
PID 2876 wrote to memory of 3016	2876	WScript.exe	31
PID 3016 wrote to memory of 2096	3016	cmd.exe	33
PID 3016 wrote to memory of 2096	3016	cmd.exe	33
PID 3016 wrote to memory of 2096	3016	cmd.exe	33
PID 3016 wrote to memory of 2096	3016	cmd.exe	33
PID 2096 wrote to memory of 2300	2096	DllCommonsvc.exe	59
PID 2096 wrote to memory of 2300	2096	DllCommonsvc.exe	59
PID 2096 wrote to memory of 2300	2096	DllCommonsvc.exe	59
PID 2096 wrote to memory of 2272	2096	DllCommonsvc.exe	60
PID 2096 wrote to memory of 2272	2096	DllCommonsvc.exe	60
PID 2096 wrote to memory of 2272	2096	DllCommonsvc.exe	60
PID 2096 wrote to memory of 2144	2096	DllCommonsvc.exe	61
PID 2096 wrote to memory of 2144	2096	DllCommonsvc.exe	61
PID 2096 wrote to memory of 2144	2096	DllCommonsvc.exe	61
PID 2096 wrote to memory of 2520	2096	DllCommonsvc.exe	62
PID 2096 wrote to memory of 2520	2096	DllCommonsvc.exe	62
PID 2096 wrote to memory of 2520	2096	DllCommonsvc.exe	62
PID 2096 wrote to memory of 2060	2096	DllCommonsvc.exe	63
PID 2096 wrote to memory of 2060	2096	DllCommonsvc.exe	63
PID 2096 wrote to memory of 2060	2096	DllCommonsvc.exe	63
PID 2096 wrote to memory of 908	2096	DllCommonsvc.exe	64
PID 2096 wrote to memory of 908	2096	DllCommonsvc.exe	64
PID 2096 wrote to memory of 908	2096	DllCommonsvc.exe	64
PID 2096 wrote to memory of 1076	2096	DllCommonsvc.exe	65
PID 2096 wrote to memory of 1076	2096	DllCommonsvc.exe	65
PID 2096 wrote to memory of 1076	2096	DllCommonsvc.exe	65
PID 2096 wrote to memory of 1540	2096	DllCommonsvc.exe	66
PID 2096 wrote to memory of 1540	2096	DllCommonsvc.exe	66
PID 2096 wrote to memory of 1540	2096	DllCommonsvc.exe	66
PID 2096 wrote to memory of 1844	2096	DllCommonsvc.exe	67
PID 2096 wrote to memory of 1844	2096	DllCommonsvc.exe	67
PID 2096 wrote to memory of 1844	2096	DllCommonsvc.exe	67
PID 2096 wrote to memory of 524	2096	DllCommonsvc.exe	77
PID 2096 wrote to memory of 524	2096	DllCommonsvc.exe	77
PID 2096 wrote to memory of 524	2096	DllCommonsvc.exe	77
PID 524 wrote to memory of 2428	524	conhost.exe	78
PID 524 wrote to memory of 2428	524	conhost.exe	78
PID 524 wrote to memory of 2428	524	conhost.exe	78
PID 2428 wrote to memory of 3064	2428	cmd.exe	80
PID 2428 wrote to memory of 3064	2428	cmd.exe	80
PID 2428 wrote to memory of 3064	2428	cmd.exe	80
PID 2428 wrote to memory of 1836	2428	cmd.exe	81
PID 2428 wrote to memory of 1836	2428	cmd.exe	81
PID 2428 wrote to memory of 1836	2428	cmd.exe	81
PID 1836 wrote to memory of 1668	1836	conhost.exe	82
PID 1836 wrote to memory of 1668	1836	conhost.exe	82
PID 1836 wrote to memory of 1668	1836	conhost.exe	82
PID 1668 wrote to memory of 1772	1668	cmd.exe	84
PID 1668 wrote to memory of 1772	1668	cmd.exe	84
PID 1668 wrote to memory of 1772	1668	cmd.exe	84
PID 1668 wrote to memory of 2956	1668	cmd.exe	85
PID 1668 wrote to memory of 2956	1668	cmd.exe	85
PID 1668 wrote to memory of 2956	1668	cmd.exe	85
PID 2956 wrote to memory of 1592	2956	conhost.exe	86
PID 2956 wrote to memory of 1592	2956	conhost.exe	86
PID 2956 wrote to memory of 1592	2956	conhost.exe	86
PID 1592 wrote to memory of 1932	1592	cmd.exe	88

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_72e47d638f9c345e1cb70c44a835fd3bfcb222e24a932efa7413f9640a8b0c24.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_72e47d638f9c345e1cb70c44a835fd3bfcb222e24a932efa7413f9640a8b0c24.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3016
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2096
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2300
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2272
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2144
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\LiveKernelReports\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2520
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2060
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Branding\Basebrd\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:908
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\it-IT\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1076
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jdk1.7.0_80\bin\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1540
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ServiceProfiles\LocalService\Documents\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1844
    - - C:\Users\Default User\conhost.exe
        
        "C:\Users\Default User\conhost.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:524
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kp2dTY47HA.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2428
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:3064
        
        C:\Users\Default User\conhost.exe
        
        "C:\Users\Default User\conhost.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1836
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qRj2XQE6t6.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1668
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:1772
        
        C:\Users\Default User\conhost.exe
        
        "C:\Users\Default User\conhost.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZZzsG8LzQB.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1592
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1932
        
        C:\Users\Default User\conhost.exe
        
        "C:\Users\Default User\conhost.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2420
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OPH1A2PBmS.bat"
        12⤵
        
        PID:2440
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2012
        
        C:\Users\Default User\conhost.exe
        
        "C:\Users\Default User\conhost.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2460
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Q3ZRkRg4YZ.bat"
        14⤵
        
        PID:1200
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2240
        
        C:\Users\Default User\conhost.exe
        
        "C:\Users\Default User\conhost.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2728
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MTMDnLe0ZL.bat"
        16⤵
        
        PID:1680
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1072
        
        C:\Users\Default User\conhost.exe
        
        "C:\Users\Default User\conhost.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:112
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WqeaogqjWu.bat"
        18⤵
        
        PID:2360
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2284
        
        C:\Users\Default User\conhost.exe
        
        "C:\Users\Default User\conhost.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2704
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5DPJyftqFq.bat"
        20⤵
        
        PID:584
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2192
        
        C:\Users\Default User\conhost.exe
        
        "C:\Users\Default User\conhost.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2372
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qzxbGmHcY3.bat"
        22⤵
        
        PID:3060
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default User\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\LiveKernelReports\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\LiveKernelReports\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 12 /tr "'C:\Windows\Branding\Basebrd\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Windows\Branding\Basebrd\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\Windows\Branding\Basebrd\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Mail\it-IT\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\it-IT\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Mail\it-IT\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Java\jdk1.7.0_80\bin\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.7.0_80\bin\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Java\jdk1.7.0_80\bin\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Windows\ServiceProfiles\LocalService\Documents\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\LocalService\Documents\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Windows\ServiceProfiles\LocalService\Documents\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
543a7c6ef0e9d1b4c47daefae60a1465

SHA1
2affa1e2efa32f09b04e0fb673d50058597f343e

SHA256
8d0ac5298b61e05b3020ed6f36f565caad2dd66bb8b07eded24a113ef17c2db6

SHA512
c4808c7dfd5d4ccafa32aedc2055c5a12543bcb7f7252f858f9898a6dcd4eb1e8a5f37cf717e0e9474b4e6826a82287097590144a50cd9e86bff277c59a4a728

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d29acf44c2dbe59262df6b20e84bb65b

SHA1
2879aa24ec61387ea53a7d25117e319157dbf70a

SHA256
3c65f89283a514e499b8f5d0b7d9694661707b1e360995f460063932065734bb

SHA512
0b199c467e8351900901ed4188494a9f759a1ba27b719d543f403080725854a695b034ab73b8b3e55e24aa5f17cadab74184284980d7489ce8ace1ffeb15e82a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
078c00e54e7c625d764d472b050ba388

SHA1
789832fd0553a707f66da7d837a09a568bd3fa41

SHA256
5e9b5b5d49079181425d7bf0e47511415a4600e9336a44a96435a27e430dc263

SHA512
16f599819e1c713301ca1a6fb1d11494d58676209a5cc293edc934e45b43a2096a46cdcaba1b5f234bee353884d84135b0f0cb7f0e343d45f51fd90294a3c2f7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7c2a3ebe61b75b1d6ce3264e6d351beb

SHA1
1c128d53af80b74e12278cc7b9a3fc58e5bf0723

SHA256
51cda484d2d73391c949c20e8be4be7ba1db8db4e0713bfc89bab4cdb44c1427

SHA512
06110244d9db051e2a8945bfca5ae067a1b27b9d8e81e01fbfd8df4ab1732001dcbb2a79969b15b9b2ac9d399a069739728db722881f6e38474f4673000e43f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e3cfa073789de303369291cfa3623b15

SHA1
f287da938b93c7d7b387af5c75be431b45b96cb2

SHA256
e33f44e3be051e550ef14f63b6fe831c7c30f2e944fbec32800ce83769bd05ca

SHA512
f565495d50ee9f6f23ce9c38d4b1e8521b8b33e64c99a953c8ddc77c4eabd268f595fa6209b33b372a9310ee4b0d693ad768b6751c8f4fe2af6dfd970f570079

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c7faa8bcb60f27d5299ecd38cdf7020c

SHA1
b64af4cc3967a03dd1d79fc18a91dd82651d7538

SHA256
9c02ab25226819c18a2240c033bc416b28aab126c5cb3bb89ab4114d236f9c84

SHA512
fb87de03eeb4940c608a374097bcc4eb5e011652fdf13c71c255b4139e9662f041d32a8d07e639293a69f8c50993e06e1481947a09e243eec287858e0b08a715

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c9972fd6dd3de48a68d7a5ae9b1a699d

SHA1
091fe6c33354d546ccaefc5ebcb848305cd10ada

SHA256
69b9165f861b9a17325035444ccda3ee597305715cf67f17f0cc072c744ee0f2

SHA512
aa185b956eece6364b49070796d1c162c0feaf47368e6f6007c3b0b756f81dec82a2e0db5054f63ba1bd27179eb068fe128de83ff1d79118e7876ac1a2485486

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0b8e025314767b75e044706573eb549e

SHA1
e969a11221abf23512300f17f76d5f37b12d7dd7

SHA256
5672536c5c1125211a2c1a096aad49ebb50f6cebb986ae1f56c21531cd0c820f

SHA512
516529694f1c807c22751fe7c0cf648f49e1e59655fac33f1da950d28feffb1feae0e268de483f7e215b9e834641093715d870d0f7149e495aa71f32d5c1e502

Download Submit
C:\Users\Admin\AppData\Local\Temp\5DPJyftqFq.bat

Filesize
198B

MD5
4c690d958948627f0f939428a746a171

SHA1
a7f6b2810aa198a8026031ba5c490a2e79ef7511

SHA256
9732f720cfc7e90f2d6a77f7a1b198c97ec7d33d5ebb8d157a3f7a88c0f325da

SHA512
94f7f085374b599b87a5ef12512a89845a7ab6c5cacdfe35cdf4170605a6161e4edb0992d9106cbd60b8c2a11c9d04d612268a2ca321921cd56095aff11b3f1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab210A.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MTMDnLe0ZL.bat

Filesize
198B

MD5
08e67fd4ee908ec74a9c28046cefbca8

SHA1
fe3db038a61695e1a9fe5cfcad7627f8ec6e7626

SHA256
296aa0cbf5e3df5438741b3d84830d07351a67b28cc9116d209cdc1461792a68

SHA512
873bd322a75993afad8d65d5c39530cfe1a2d42a8c3d4f213dd73a17ac77175a09a1ed27483f97aa717c8a0962b3ac85885b6d287e4b4f6c39e48be06c3d0693

Download Submit
C:\Users\Admin\AppData\Local\Temp\OPH1A2PBmS.bat

Filesize
198B

MD5
f3c617888e7304e7cfa1dfb41fe3e93c

SHA1
d6401cf088a389acf7d7ce26a9f6c7bb403bb1ef

SHA256
e990abf5021ce6d407230eb927ca934bfd8899ced5c4dc7e856cf5712d761054

SHA512
7628716d19afdf04939ce61857ff678abb0bd7b273f7c8233f521eba37287d18fc440ba0171e1f00cea4f7fc5f8682c2fa4e45915d9cd0f847d4dee21c0e5b0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Q3ZRkRg4YZ.bat

Filesize
198B

MD5
f5efa961fef89a9beab34e386a67fd39

SHA1
a3eee1d00acc763934b88983affa746dd0e3c39d

SHA256
d1bef2979b9e950faa6e1db528830bc7ed025a56ef95e5c9e966927b529e77bc

SHA512
828184c93f431f8c97f241751222a92d4e26107f15cdd49815c6ae25d6013144301fef27e54e5c505d45a7d643bb752bb3a204caabfb5e93bf0742dce860cce0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar215B.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WqeaogqjWu.bat

Filesize
198B

MD5
bdff3a79481da1b9b2314b562fbbc14b

SHA1
3b4d4512cc509eee24be84548de56d16330569b3

SHA256
59240eea0cdd8a4f40fe335d940ed145195b76665261b52aa26304c92d62d95b

SHA512
113a4c20af458688e8fe0f2fb5daeb6879b9aefaaea5d5f8124896031868dc15f109db25f5987a5c12b9efe3e04c0e33cdb6ce26e649e68c9f1275dd76f79357

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZZzsG8LzQB.bat

Filesize
198B

MD5
1445560db2f93f153bae84b52be8cc0c

SHA1
f1ef61daffe5231fffdab8e7bf0d8cfa06c789f9

SHA256
8e81ac017b859f908cecd8d9fae6434e751759153f8a52e3c839d6699d0772c5

SHA512
03417eea5edbe6d5df46f59b8da8f10e4625b4917b7198df75642dabc34ff1a7c1355bb0ce33b484338a93b8510a3e3f2d04dd251d941b1d26bc6fa6cf6ea948

Download Submit
C:\Users\Admin\AppData\Local\Temp\kp2dTY47HA.bat

Filesize
198B

MD5
a3e6cc166175301f1bfd54a7f8eb4b0d

SHA1
daa55f29e290b4e158cdf8c8968857a8d58b51f6

SHA256
0838d5078cef063e2f15e28b6fa8f2e8ba17863a3144c16a1ad2492c01262044

SHA512
8a1727cf4d867b0b80ecb843626a3bf4926a0b85075c85d5da802aaddfd2a5a6a5fb22b648c40be1ec4e23354f5b0ec64813bdf04e8e9a8b56b5adba1f78d5c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\qRj2XQE6t6.bat

Filesize
198B

MD5
05c72f056f14768fddc6faa278abc88b

SHA1
801e27b08a9a3eefaef3dab8e7244540f2ede7ec

SHA256
0dadcfbadc42a4a4ae2f16729d0f3b0c388651ab69648d74c85ddc3e900710c2

SHA512
9cd17a43eb70549ee2d9c8b97b62e37e47629e5ddc177a1a02d4a82b87be7ada2a74d924daed77976a1b77ef3a263f10a055d5f88b3c3d27d0c1cdce09f53c33

Download Submit
C:\Users\Admin\AppData\Local\Temp\qzxbGmHcY3.bat

Filesize
198B

MD5
fbb63062152d8790302fd807c0858241

SHA1
0bd419282c1f75e167bc6a3279ea967b65100ad8

SHA256
4694f0ff6d4e6dcf9f43b9ccd156d35361b344119e5d9ecf7f3dfe22b9742843

SHA512
f23dde48706e2d1b7615d787ad1c4e2c24ece81d75a652f9cd880fbd359c9fd3563cb1986f12a19e23dcd843ca0d9fddd184738f9812436f2bf7524699939011

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
0f03f559a6847ee1e896ca58bdec2b7a

SHA1
1b95aa2ce4ebcbde6499f9343115f6f2bc9accf2

SHA256
aa7ed951a1ebf9f90cb13146258371462b8f6bf9a89074a93cd8b08ff1da713a

SHA512
9d5a50695ed07b30af198ff8f1031659ba76f413d70c2656fe28cc093037a940bf2cb5ed229b245bce6bf6e4a31567f9b34e2630e37d869de5147771990dcbd4

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/112-448-0x0000000000410000-0x0000000000422000-memory.dmp

Filesize
72KB

Download
memory/112-447-0x0000000000CF0000-0x0000000000E00000-memory.dmp

Filesize
1.1MB

Download
memory/524-61-0x00000000002F0000-0x0000000000400000-memory.dmp

Filesize
1.1MB

Download
memory/1836-146-0x0000000000D00000-0x0000000000E10000-memory.dmp

Filesize
1.1MB

Download
memory/2096-16-0x0000000000440000-0x000000000044C000-memory.dmp

Filesize
48KB

Download
memory/2096-17-0x0000000000460000-0x000000000046C000-memory.dmp

Filesize
48KB

Download
memory/2096-14-0x0000000000430000-0x0000000000442000-memory.dmp

Filesize
72KB

Download
memory/2096-13-0x0000000000810000-0x0000000000920000-memory.dmp

Filesize
1.1MB

Download
memory/2096-15-0x0000000000470000-0x000000000047C000-memory.dmp

Filesize
48KB

Download
memory/2272-63-0x0000000002310000-0x0000000002318000-memory.dmp

Filesize
32KB

Download
memory/2300-62-0x0000000002410000-0x0000000002418000-memory.dmp

Filesize
32KB

Download
memory/2300-49-0x000000001B220000-0x000000001B502000-memory.dmp

Filesize
2.9MB

Download
memory/2372-568-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/2420-266-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/2460-326-0x0000000000070000-0x0000000000180000-memory.dmp

Filesize
1.1MB

Download
memory/2704-508-0x0000000000F60000-0x0000000001070000-memory.dmp

Filesize
1.1MB

Download
memory/2728-387-0x00000000001C0000-0x00000000001D2000-memory.dmp

Filesize
72KB

Download
memory/2728-386-0x0000000000B40000-0x0000000000C50000-memory.dmp

Filesize
1.1MB

Download
memory/2956-206-0x0000000001380000-0x0000000001490000-memory.dmp

Filesize
1.1MB

Download