dcrat | 37329b71f207c908642e5f53b7cc1ba0df01c847d7b606bc59a2d83aa7c97f75

Analysis

max time kernel
147s
max time network
147s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 03:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_37329b71f207c908642e5f53b7cc1ba0df01c847d7b606bc59a2d83aa7c97f75.exe
Size

1.3MB
MD5

d0b9f38d2fa9d388b91b39103c3f854b
SHA1

15fa870debc89910bfa318f5c58ad80f64efbe7d
SHA256

37329b71f207c908642e5f53b7cc1ba0df01c847d7b606bc59a2d83aa7c97f75
SHA512

87a1d12f352f2126b7a80bbd75ee0149b2296968b6c812df419b2024730a9f1fdbdce763590decb06cae08483d1f68ffe1704112710ca81f5e40e07b33dda1c0
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	3016	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	3016	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	3016	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	3016	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	3016	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	3016	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	3016	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	984	3016	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	3016	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	3016	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	3016	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	3016	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	3016	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	3016	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	3016	schtasks.exe	34

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000016d5a-10.dat	dcrat
behavioral1/memory/2244-13-0x0000000000910000-0x0000000000A20000-memory.dmp	dcrat
behavioral1/memory/1916-34-0x0000000000A60000-0x0000000000B70000-memory.dmp	dcrat
behavioral1/memory/2904-125-0x00000000012E0000-0x00000000013F0000-memory.dmp	dcrat
behavioral1/memory/2824-363-0x0000000000390000-0x00000000004A0000-memory.dmp	dcrat
behavioral1/memory/1028-423-0x00000000003B0000-0x00000000004C0000-memory.dmp	dcrat
behavioral1/memory/2656-542-0x0000000000150000-0x0000000000260000-memory.dmp	dcrat
behavioral1/memory/2052-602-0x0000000000E60000-0x0000000000F70000-memory.dmp	dcrat
behavioral1/memory/2316-663-0x0000000000180000-0x0000000000290000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1944	powershell.exe
676	powershell.exe
2836	powershell.exe
2832	powershell.exe
1616	powershell.exe
1980	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2244	DllCommonsvc.exe
1916	cmd.exe
2904	cmd.exe
2712	cmd.exe
676	cmd.exe
1104	cmd.exe
2824	cmd.exe
1028	cmd.exe
1476	cmd.exe
2656	cmd.exe
2052	cmd.exe
2316	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
2448	cmd.exe
2448	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs

Web Service

T1102

flow	ioc
34	raw.githubusercontent.com
38	raw.githubusercontent.com
4	raw.githubusercontent.com
16	raw.githubusercontent.com
19	raw.githubusercontent.com
22	raw.githubusercontent.com
26	raw.githubusercontent.com
27	raw.githubusercontent.com
41	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
30	raw.githubusercontent.com

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Defender\es-ES\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\24dbde2999530e	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files (x86)\Uninstall Information\spoolsv.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Uninstall Information\f3b6ecef712a24	DllCommonsvc.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\es-ES\WmiPrvSE.exe	DllCommonsvc.exe
File opened for modification	C:\Windows\es-ES\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Windows\es-ES\24dbde2999530e	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_37329b71f207c908642e5f53b7cc1ba0df01c847d7b606bc59a2d83aa7c97f75.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2248	schtasks.exe
2872	schtasks.exe
2708	schtasks.exe
2844	schtasks.exe
2624	schtasks.exe
2868	schtasks.exe
2976	schtasks.exe
2572	schtasks.exe
2948	schtasks.exe
2656	schtasks.exe
984	schtasks.exe
2636	schtasks.exe
2780	schtasks.exe
2172	schtasks.exe
2944	schtasks.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2244	DllCommonsvc.exe
2836	powershell.exe
1616	powershell.exe
676	powershell.exe
2832	powershell.exe
1944	powershell.exe
1980	powershell.exe
1916	cmd.exe
2904	cmd.exe
2712	cmd.exe
676	cmd.exe
1104	cmd.exe
2824	cmd.exe
1028	cmd.exe
1476	cmd.exe
2656	cmd.exe
2052	cmd.exe
2316	cmd.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	2244	DllCommonsvc.exe
Token: SeDebugPrivilege	1916	cmd.exe
Token: SeDebugPrivilege	2836	powershell.exe
Token: SeDebugPrivilege	1616	powershell.exe
Token: SeDebugPrivilege	676	powershell.exe
Token: SeDebugPrivilege	2832	powershell.exe
Token: SeDebugPrivilege	1944	powershell.exe
Token: SeDebugPrivilege	1980	powershell.exe
Token: SeDebugPrivilege	2904	cmd.exe
Token: SeDebugPrivilege	2712	cmd.exe
Token: SeDebugPrivilege	676	cmd.exe
Token: SeDebugPrivilege	1104	cmd.exe
Token: SeDebugPrivilege	2824	cmd.exe
Token: SeDebugPrivilege	1028	cmd.exe
Token: SeDebugPrivilege	1476	cmd.exe
Token: SeDebugPrivilege	2656	cmd.exe
Token: SeDebugPrivilege	2052	cmd.exe
Token: SeDebugPrivilege	2316	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2192 wrote to memory of 2532	2192	JaffaCakes118_37329b71f207c908642e5f53b7cc1ba0df01c847d7b606bc59a2d83aa7c97f75.exe	30
PID 2192 wrote to memory of 2532	2192	JaffaCakes118_37329b71f207c908642e5f53b7cc1ba0df01c847d7b606bc59a2d83aa7c97f75.exe	30
PID 2192 wrote to memory of 2532	2192	JaffaCakes118_37329b71f207c908642e5f53b7cc1ba0df01c847d7b606bc59a2d83aa7c97f75.exe	30
PID 2192 wrote to memory of 2532	2192	JaffaCakes118_37329b71f207c908642e5f53b7cc1ba0df01c847d7b606bc59a2d83aa7c97f75.exe	30
PID 2532 wrote to memory of 2448	2532	WScript.exe	31
PID 2532 wrote to memory of 2448	2532	WScript.exe	31
PID 2532 wrote to memory of 2448	2532	WScript.exe	31
PID 2532 wrote to memory of 2448	2532	WScript.exe	31
PID 2448 wrote to memory of 2244	2448	cmd.exe	33
PID 2448 wrote to memory of 2244	2448	cmd.exe	33
PID 2448 wrote to memory of 2244	2448	cmd.exe	33
PID 2448 wrote to memory of 2244	2448	cmd.exe	33
PID 2244 wrote to memory of 2836	2244	DllCommonsvc.exe	50
PID 2244 wrote to memory of 2836	2244	DllCommonsvc.exe	50
PID 2244 wrote to memory of 2836	2244	DllCommonsvc.exe	50
PID 2244 wrote to memory of 2832	2244	DllCommonsvc.exe	51
PID 2244 wrote to memory of 2832	2244	DllCommonsvc.exe	51
PID 2244 wrote to memory of 2832	2244	DllCommonsvc.exe	51
PID 2244 wrote to memory of 676	2244	DllCommonsvc.exe	52
PID 2244 wrote to memory of 676	2244	DllCommonsvc.exe	52
PID 2244 wrote to memory of 676	2244	DllCommonsvc.exe	52
PID 2244 wrote to memory of 1944	2244	DllCommonsvc.exe	53
PID 2244 wrote to memory of 1944	2244	DllCommonsvc.exe	53
PID 2244 wrote to memory of 1944	2244	DllCommonsvc.exe	53
PID 2244 wrote to memory of 1980	2244	DllCommonsvc.exe	55
PID 2244 wrote to memory of 1980	2244	DllCommonsvc.exe	55
PID 2244 wrote to memory of 1980	2244	DllCommonsvc.exe	55
PID 2244 wrote to memory of 1616	2244	DllCommonsvc.exe	56
PID 2244 wrote to memory of 1616	2244	DllCommonsvc.exe	56
PID 2244 wrote to memory of 1616	2244	DllCommonsvc.exe	56
PID 2244 wrote to memory of 1916	2244	DllCommonsvc.exe	62
PID 2244 wrote to memory of 1916	2244	DllCommonsvc.exe	62
PID 2244 wrote to memory of 1916	2244	DllCommonsvc.exe	62
PID 1916 wrote to memory of 2216	1916	cmd.exe	63
PID 1916 wrote to memory of 2216	1916	cmd.exe	63
PID 1916 wrote to memory of 2216	1916	cmd.exe	63
PID 2216 wrote to memory of 2224	2216	cmd.exe	65
PID 2216 wrote to memory of 2224	2216	cmd.exe	65
PID 2216 wrote to memory of 2224	2216	cmd.exe	65
PID 2216 wrote to memory of 2904	2216	cmd.exe	67
PID 2216 wrote to memory of 2904	2216	cmd.exe	67
PID 2216 wrote to memory of 2904	2216	cmd.exe	67
PID 2904 wrote to memory of 2368	2904	cmd.exe	68
PID 2904 wrote to memory of 2368	2904	cmd.exe	68
PID 2904 wrote to memory of 2368	2904	cmd.exe	68
PID 2368 wrote to memory of 2976	2368	cmd.exe	70
PID 2368 wrote to memory of 2976	2368	cmd.exe	70
PID 2368 wrote to memory of 2976	2368	cmd.exe	70
PID 2368 wrote to memory of 2712	2368	cmd.exe	71
PID 2368 wrote to memory of 2712	2368	cmd.exe	71
PID 2368 wrote to memory of 2712	2368	cmd.exe	71
PID 2712 wrote to memory of 1984	2712	cmd.exe	72
PID 2712 wrote to memory of 1984	2712	cmd.exe	72
PID 2712 wrote to memory of 1984	2712	cmd.exe	72
PID 1984 wrote to memory of 844	1984	cmd.exe	74
PID 1984 wrote to memory of 844	1984	cmd.exe	74
PID 1984 wrote to memory of 844	1984	cmd.exe	74
PID 1984 wrote to memory of 676	1984	cmd.exe	75
PID 1984 wrote to memory of 676	1984	cmd.exe	75
PID 1984 wrote to memory of 676	1984	cmd.exe	75
PID 676 wrote to memory of 1696	676	cmd.exe	76
PID 676 wrote to memory of 1696	676	cmd.exe	76
PID 676 wrote to memory of 1696	676	cmd.exe	76
PID 1696 wrote to memory of 1724	1696	cmd.exe	78

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_37329b71f207c908642e5f53b7cc1ba0df01c847d7b606bc59a2d83aa7c97f75.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_37329b71f207c908642e5f53b7cc1ba0df01c847d7b606bc59a2d83aa7c97f75.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2192
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2532
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2448
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2244
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2836
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\es-ES\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2832
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\es-ES\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:676
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1944
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1980
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Uninstall Information\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1616
    - - C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\cmd.exe
        
        "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\cmd.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1916
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\q2cXKRfm9B.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2216
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2224
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\cmd.exe
        
        "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\cmd.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2904
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J6LEBq1ChC.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2368
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2976
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\cmd.exe
        
        "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\cmd.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2712
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\e2wUPJtRJp.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:844
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\cmd.exe
        
        "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\cmd.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:676
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ANE2RWndQ4.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:1696
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1724
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\cmd.exe
        
        "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\cmd.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1104
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pakqiPPahT.bat"
        14⤵
        
        PID:1152
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1876
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\cmd.exe
        
        "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\cmd.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2824
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GrfoiSU1wP.bat"
        16⤵
        
        PID:1000
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1376
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\cmd.exe
        
        "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\cmd.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1028
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\k2jNhBdkgg.bat"
        18⤵
        
        PID:1940
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2092
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\cmd.exe
        
        "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\cmd.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1476
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1kSioVLOLD.bat"
        20⤵
        
        PID:2736
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:1640
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\cmd.exe
        
        "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\cmd.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2656
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FFH8oguQ3d.bat"
        22⤵
        
        PID:960
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2024
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\cmd.exe
        
        "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\cmd.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2052
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Pkopelt31u.bat"
        24⤵
        
        PID:1780
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2692
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\cmd.exe
        
        "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\cmd.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2316
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uxMZkGAiOs.bat"
        26⤵
        
        PID:2264
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Windows\es-ES\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\es-ES\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Windows\es-ES\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\es-ES\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Uninstall Information\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Uninstall Information\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4e6b9853eb6042767a80b910ea2e9b89

SHA1
b17252e44c10482532fdffbb03e67df6a17d1de9

SHA256
bea58f4f79e57a9353fe3dce82c65b1be12d0baa19cdc6681326bc3ea7505e42

SHA512
974bbd6ef45948cbeeeeb8b5460bf2e330f22038a41d2c80b4a5cf3212f005786d33109ae3a7d66e69a4c0b24400f612f54bd8a48ebb2a72dee22e97da317f02

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f33463df58c9711ca63776f6755073e5

SHA1
ddc8261bf264cc3f87f65c4a3aed10f8e98f5195

SHA256
3fced4e17f00c56fbf7d27b4bf840888b3861f085f22a72167cf4cb7f8f007d9

SHA512
4991b185887563ab040aecfd05a0d233fa645feee32ecbbd311dd526df78776f7a653990e541e632884f50b0883133559e181ba48247a8654580c5648cc7de87

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
85ee9be7cff0e7f73bd9e3cf09eda2d5

SHA1
cfc2f6f8dd7028245cce24f6b17d09c743c7ca2f

SHA256
ee9adb6c2427fcf3e96aedfa39e894c19819b6b8935a5af9d6f566cc02bf0caa

SHA512
44b7893105125b92adfd8f0e62421e8c206f08b6592640c483c24ba5119ee853b0f27d901b2e86ea97885d1c536704cfa1b9393de0f4d554e12b4f454f1664c4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
80908ba15f1e545c51f222ea75d17f09

SHA1
014e1e2241597d51fe1b681977b6a2d18f77eec9

SHA256
11d4a2ebef0d2560e15234d1cbbbec09fb896a0c02f5be720a2483f68390fc0d

SHA512
fc87af293889854c91d35c6065d4125524043cf3637e3216ac9549b3505b41727608db58168f4e16a3e42bd43e04091c76cd18bbbec2ddc1a660e7f93365be58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ef15b17f2b5d4dc55ad92e0f7ea70a69

SHA1
23898955d54d68d3457334e3de601548c5d114a7

SHA256
9c780604f70166878d3074da6488155032f476f259217604c2df8c9a575f999b

SHA512
295dc6c030c020fa81057b648377d74f59c15d39b27f2a23a62d86879bfcb7ed91b1526419e7f30d686b3a422bb1e4e6685172fc19c716286fa0f91d4921aa53

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
84a4c6dc423f1981a8136227e06b1181

SHA1
ec95b1533ede85ca9ebbfe1c8165e26d1900214f

SHA256
33c1260000688cc3362a98fcd56c4a9ffde6d72a94bb2b8747f40a2b99c8da52

SHA512
08f252745dedeb587361dccd91c3080ca872f46ca04b90b0923f27dd671c83d768138baa4df7c706e6bdfcde843a88bf3a5c210d2955940a62f70e63a25bd06d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eb431efce622a09ba108c819d98953e8

SHA1
8650c2e07089584cad6a355fbde0a42cf1a9ebf5

SHA256
efd703bf5ca83fe676c700637c27d65d386e5f6beacc66fe1b4a995d93854573

SHA512
322866b61fb0267cef294c9db42fea8b967a21dbaf150300430d955655ba21c065478eb3be57308ead5e57e898fbeadbfc87f70100c46a4110a22452aa86a277

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
51a030d50c2b08f29c4ede5324ba0d51

SHA1
e10c6609e756ad94c1e0636b96d53d83894a36df

SHA256
a22811f8dc33e20d440524281fcf452b767db211f12ae1d758d638eb68288dbe

SHA512
768f71869262ac2ca154aa9abafa67d6a8d79b506160b980cfc9fda2d59c4bf9c5211dbdd9417e02a650ba9f5c71287f47d6615002f8a6ced2e6f7fffe286bbe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5eb0ba27d956e3628a3ce172eef6db14

SHA1
bf55c7cead207cfa31fd8c7d101f4f3cb1181244

SHA256
8f0256b1bbda53d6bf1df3062bb44e27c8d1e94a06ae43a3d62cf6ea13350aa6

SHA512
78bdc48fb88f9ffbfc58d2856549149be33f2aefc6554bea1a7e27d068b6dcbd7d1c073cb19b475dada6383fde57dc6e60ee1989b29dc8cb0dd55781da2a6b24

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
59a15e7947b82a18e95029f2144c4bc9

SHA1
bacc8d3f0dbaa47735d9610b75f4123e56aca605

SHA256
825461c48a5b934c7c161afa0caf285ece1c4fd9672aaf90232dcd184a1a03a2

SHA512
9fa4ac1c130e332bf2f25080993aed150399c9d17f330ac1c06d666045f350bc9f2041cf7ed6b0c3e0232aa07702b3ae5422a008eace708234c9df1495adc3a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1kSioVLOLD.bat

Filesize
221B

MD5
b97cd9f1a067983aa6b73841d8239a08

SHA1
f60a8a57c8081802cd02e65c41f09a6c597518d9

SHA256
774f0baf7fecbb64b479299eae8215b29b349f82d98bd223fdf2e8059c1a1201

SHA512
e1ea9fba7b19a3cbdb3630f9d56da358c2d0fa06449313796bf76199e119a491e54463253ef0a6b4d8a38c7601da168fa551a9d10c620fd6e0ed83b18243976e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ANE2RWndQ4.bat

Filesize
221B

MD5
8a3ed10d3b9e00e54a528d9c719f0a15

SHA1
74fa591ff021e859f4039fc96ac6cebc05cb7eb7

SHA256
12f4da4a70a504f71525a396ee9bc28cc84234f149b277de747c4cefdb916859

SHA512
7ed6a8b44f9128add37f41c44a56e2a066c0f4a241df218f1df0b7e4f0c90950f5679443496dc3c4c4ef67243a7c25682c696057a087916d68bc290f1439cc63

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC7F3.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FFH8oguQ3d.bat

Filesize
221B

MD5
60bcc55341addc60edc1455cf1598b54

SHA1
bcce922fd0a0694ccc98eb566d29af202a04f912

SHA256
878d0a3698e48bae93df46f07381f83c73eec6bb47bd4b85cfb813760a76f0c4

SHA512
634d438bdb98dd3365c7f7799627547b21b55b9c63efdab4f10ffb15e4b968362fa3ba72b55c776ee241d1d805991cb786e839fc382fb261edf231b166dc8c49

Download Submit
C:\Users\Admin\AppData\Local\Temp\GrfoiSU1wP.bat

Filesize
221B

MD5
cc91cc0fd3430e27a6808fc3eb3d4b1e

SHA1
b72bb0238eeee90238c1cb2738fa26ec3537c98a

SHA256
df3faa181120c74cc773d921a5de2bf3deedf3a9508ce6a2ad4bcb68021debbf

SHA512
5a24cad79744bbbcbb6c94ec8f03479b21eeab58800c1ebb001f1e1ca4226323d7681a06f89afcc274d93af4877c4de8148c0a8f68c36b9e8edfa0ace3c95d01

Download Submit
C:\Users\Admin\AppData\Local\Temp\J6LEBq1ChC.bat

Filesize
221B

MD5
7a345abfc6d0298c0380a46754f5f457

SHA1
3d8761f9f22dc6d057601e07f0f659f858f39c88

SHA256
1abe02024c27933075163c8ea7704246a9098d8d590f1365860d1621a3cfabe2

SHA512
b0c30b46fe165bc952953af915d3733c1dccc80a1fde31c78d64289cf43a3e2bd065c8e556919e74fb4eac719485a1b398364e3c2643837d8d9e968c7f1907b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pkopelt31u.bat

Filesize
221B

MD5
4a349784a1f3f08b116e4429a63d0072

SHA1
02d9d9583677e64906b51e44c54c20a270ad7b67

SHA256
66764090f8c028a697a71c83c8777ad9fa38975d8cbc2e4d381b5697e332eb1d

SHA512
2861f51068ddbfd4612aafece2388586405eca1ca5d5b422648e55e1dfdbd49106901dd70fab023dd487052d0d9c37a49d43bda3f7e70b5029be47456961942e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC805.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\e2wUPJtRJp.bat

Filesize
221B

MD5
9bf70c2b9b5e1fcbfe02c5df34bf0f41

SHA1
040a3d5a58d7530b3c7aecdaa650437a835d733c

SHA256
979f476b1b397f28dafff6df006c9d1858c93a649b7dd225eee66655d37ae520

SHA512
0cdab30f854a6aa11de9ed208a3b69968a209325a612cda6f743b8464c188a628717a46c5d2632aa4bfb1ead859491fee6ddd9ff705ae5fa0c521ea1fcb4430a

Download Submit
C:\Users\Admin\AppData\Local\Temp\k2jNhBdkgg.bat

Filesize
221B

MD5
48c680d17e9e729cf994932762053da8

SHA1
60c5737b024be9d3d4f99545364f5c067b8e9ab7

SHA256
7b6adc861a9ea4e87be966d66ab11efb5b96d6c0de38ec3c7ecc9fb298214aa7

SHA512
cadc2564b8e614c9923c15338ed288ca374efcece72e083bc73b79cc5c64778bbd6943da9edb304c62fb00563b957c27517e6337baada9b55123eba90dbd0e0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\pakqiPPahT.bat

Filesize
221B

MD5
fb6a9db2f925840e2d0c747f67efbd1f

SHA1
d460731b3505873874a9c0c1e48ff437867dd1cd

SHA256
d365167ffbdd58e86944695f9dbca90d2cdc967d39cb8c1b8a29c49212ddd6e8

SHA512
44fe2418b9ebfa4cd6a5f14cdd1b6a881b7f0766a603ba2ea5cfb8e41db3884ac4e216fc5207ec4ae5d93b28126bfb1630fab321dd747c19df42bbe85b80bb0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\q2cXKRfm9B.bat

Filesize
221B

MD5
95fd604ac2fea6508c1219d071b4cc31

SHA1
47d6ab3fe2bc23853a5bd142df58cc0f1361f315

SHA256
15043bc8b1e67218a232be5d60230f2d766475a5e064c954809674d5406fc3c7

SHA512
c6d418bc83f4c4ee1c42042b5d4845de0e474a6ca82290515fedcc3f645fc799838f36c4054fb9f1e9942d5b093678fb397f391d7d9ce987edb4a45d00bea67b

Download Submit
C:\Users\Admin\AppData\Local\Temp\uxMZkGAiOs.bat

Filesize
221B

MD5
20351c653ff2fe86d94988dac7f4e716

SHA1
1e0e57ae610be8c8a63d14456b77348d8b2269fe

SHA256
31ec459afe0d27a1bc90bc2ead6a841a44947c2a0c90c6f5791aacd3b386236a

SHA512
616ba72654d8647b487bbe82cf5a47e6c7d8ae65f665d665a8cb5e39e71eaa375a75e9b19555863be3a2eb782c47295f7121cfbd1386e56593a4d8faac02e376

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
25d58943cf11226e805dc14406d7a148

SHA1
1e05cb5361dc48a94832965ed11f3f4c72d30e3d

SHA256
0ee1d367b50a743cd44ced003c85f1b183776b228fca294d8709361012d987f9

SHA512
d31a629fcadcfb16bd61aea766effe5605fc2dfbaf66fe20e876a42ed35aacba2c1f2a2c347bf446f52c20d3c04dbb2442f9df68641cde1bfe9b3ad40a219d25

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1028-423-0x00000000003B0000-0x00000000004C0000-memory.dmp

Filesize
1.1MB

Download
memory/1916-65-0x0000000000680000-0x0000000000692000-memory.dmp

Filesize
72KB

Download
memory/1916-34-0x0000000000A60000-0x0000000000B70000-memory.dmp

Filesize
1.1MB

Download
memory/1944-64-0x000000001B710000-0x000000001B9F2000-memory.dmp

Filesize
2.9MB

Download
memory/2052-603-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/2052-602-0x0000000000E60000-0x0000000000F70000-memory.dmp

Filesize
1.1MB

Download
memory/2244-16-0x0000000000460000-0x000000000046C000-memory.dmp

Filesize
48KB

Download
memory/2244-13-0x0000000000910000-0x0000000000A20000-memory.dmp

Filesize
1.1MB

Download
memory/2244-14-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/2244-15-0x0000000000450000-0x000000000045C000-memory.dmp

Filesize
48KB

Download
memory/2244-17-0x0000000000470000-0x000000000047C000-memory.dmp

Filesize
48KB

Download
memory/2316-663-0x0000000000180000-0x0000000000290000-memory.dmp

Filesize
1.1MB

Download
memory/2656-542-0x0000000000150000-0x0000000000260000-memory.dmp

Filesize
1.1MB

Download
memory/2824-363-0x0000000000390000-0x00000000004A0000-memory.dmp

Filesize
1.1MB

Download
memory/2836-66-0x00000000028E0000-0x00000000028E8000-memory.dmp

Filesize
32KB

Download
memory/2904-126-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download
memory/2904-125-0x00000000012E0000-0x00000000013F0000-memory.dmp

Filesize
1.1MB

Download