dcrat | 5d7a3b03321fbc5a6d8311894e0a954b28574eeb73dc642fdd9f799609283ee9

Analysis

max time kernel
145s
max time network
140s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 04:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_5d7a3b03321fbc5a6d8311894e0a954b28574eeb73dc642fdd9f799609283ee9.exe
Size

1.3MB
MD5

c8c0aac64c5210b6cd8587f54cbe7a5c
SHA1

ffaf18363a6e0a23c9666df9f9439e5e8aa44496
SHA256

5d7a3b03321fbc5a6d8311894e0a954b28574eeb73dc642fdd9f799609283ee9
SHA512

db3b486ddd347a5bd55310e191c99a22d844d8888333650964396457e944c9d04e41241f89b66e6c377f18e684fbce1ba02e4d23ccde5e54343494d1280bb824
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	2704	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	2704	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	2704	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	2704	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2704	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2704	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	2704	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	2704	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	2704	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	2704	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	2704	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	2704	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	2704	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	832	2704	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1552	2704	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1260	2704	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1252	2704	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1904	2704	schtasks.exe	35

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000016aa9-9.dat	dcrat
behavioral1/memory/2652-13-0x0000000001040000-0x0000000001150000-memory.dmp	dcrat
behavioral1/memory/1380-57-0x0000000000A10000-0x0000000000B20000-memory.dmp	dcrat
behavioral1/memory/1816-132-0x0000000001280000-0x0000000001390000-memory.dmp	dcrat
behavioral1/memory/2640-252-0x0000000000060000-0x0000000000170000-memory.dmp	dcrat
behavioral1/memory/836-313-0x0000000001380000-0x0000000001490000-memory.dmp	dcrat
behavioral1/memory/2492-433-0x0000000000360000-0x0000000000470000-memory.dmp	dcrat
behavioral1/memory/1496-493-0x0000000000070000-0x0000000000180000-memory.dmp	dcrat
behavioral1/memory/2220-554-0x0000000000B10000-0x0000000000C20000-memory.dmp	dcrat
behavioral1/memory/2644-614-0x0000000001290000-0x00000000013A0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2932	powershell.exe
2928	powershell.exe
1076	powershell.exe
1344	powershell.exe
348	powershell.exe
2740	powershell.exe
2724	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2652	DllCommonsvc.exe
1380	winlogon.exe
1816	winlogon.exe
1088	winlogon.exe
2640	winlogon.exe
836	winlogon.exe
2756	winlogon.exe
2492	winlogon.exe
1496	winlogon.exe
2220	winlogon.exe
2644	winlogon.exe
2168	winlogon.exe

Loads dropped DLL 2 IoCs

pid	Process
2036	cmd.exe
2036	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
24	raw.githubusercontent.com
31	raw.githubusercontent.com
4	raw.githubusercontent.com
9	raw.githubusercontent.com
20	raw.githubusercontent.com
27	raw.githubusercontent.com
34	raw.githubusercontent.com
38	raw.githubusercontent.com
5	raw.githubusercontent.com
13	raw.githubusercontent.com
17	raw.githubusercontent.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\088424020bedd6	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_5d7a3b03321fbc5a6d8311894e0a954b28574eeb73dc642fdd9f799609283ee9.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2608	schtasks.exe
2176	schtasks.exe
1756	schtasks.exe
2020	schtasks.exe
1252	schtasks.exe
2860	schtasks.exe
2904	schtasks.exe
2712	schtasks.exe
2744	schtasks.exe
1904	schtasks.exe
1552	schtasks.exe
1260	schtasks.exe
2588	schtasks.exe
2540	schtasks.exe
1644	schtasks.exe
1764	schtasks.exe
2604	schtasks.exe
832	schtasks.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
2652	DllCommonsvc.exe
2652	DllCommonsvc.exe
2652	DllCommonsvc.exe
2652	DllCommonsvc.exe
2652	DllCommonsvc.exe
2652	DllCommonsvc.exe
2652	DllCommonsvc.exe
2740	powershell.exe
1344	powershell.exe
1076	powershell.exe
2932	powershell.exe
2724	powershell.exe
2928	powershell.exe
348	powershell.exe
1380	winlogon.exe
1816	winlogon.exe
1088	winlogon.exe
2640	winlogon.exe
836	winlogon.exe
2756	winlogon.exe
2492	winlogon.exe
1496	winlogon.exe
2220	winlogon.exe
2644	winlogon.exe
2168	winlogon.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	2652	DllCommonsvc.exe
Token: SeDebugPrivilege	2740	powershell.exe
Token: SeDebugPrivilege	1344	powershell.exe
Token: SeDebugPrivilege	1076	powershell.exe
Token: SeDebugPrivilege	2932	powershell.exe
Token: SeDebugPrivilege	2724	powershell.exe
Token: SeDebugPrivilege	2928	powershell.exe
Token: SeDebugPrivilege	1380	winlogon.exe
Token: SeDebugPrivilege	348	powershell.exe
Token: SeDebugPrivilege	1816	winlogon.exe
Token: SeDebugPrivilege	1088	winlogon.exe
Token: SeDebugPrivilege	2640	winlogon.exe
Token: SeDebugPrivilege	836	winlogon.exe
Token: SeDebugPrivilege	2756	winlogon.exe
Token: SeDebugPrivilege	2492	winlogon.exe
Token: SeDebugPrivilege	1496	winlogon.exe
Token: SeDebugPrivilege	2220	winlogon.exe
Token: SeDebugPrivilege	2644	winlogon.exe
Token: SeDebugPrivilege	2168	winlogon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2464 wrote to memory of 2488	2464	JaffaCakes118_5d7a3b03321fbc5a6d8311894e0a954b28574eeb73dc642fdd9f799609283ee9.exe	31
PID 2464 wrote to memory of 2488	2464	JaffaCakes118_5d7a3b03321fbc5a6d8311894e0a954b28574eeb73dc642fdd9f799609283ee9.exe	31
PID 2464 wrote to memory of 2488	2464	JaffaCakes118_5d7a3b03321fbc5a6d8311894e0a954b28574eeb73dc642fdd9f799609283ee9.exe	31
PID 2464 wrote to memory of 2488	2464	JaffaCakes118_5d7a3b03321fbc5a6d8311894e0a954b28574eeb73dc642fdd9f799609283ee9.exe	31
PID 2488 wrote to memory of 2036	2488	WScript.exe	32
PID 2488 wrote to memory of 2036	2488	WScript.exe	32
PID 2488 wrote to memory of 2036	2488	WScript.exe	32
PID 2488 wrote to memory of 2036	2488	WScript.exe	32
PID 2036 wrote to memory of 2652	2036	cmd.exe	34
PID 2036 wrote to memory of 2652	2036	cmd.exe	34
PID 2036 wrote to memory of 2652	2036	cmd.exe	34
PID 2036 wrote to memory of 2652	2036	cmd.exe	34
PID 2652 wrote to memory of 348	2652	DllCommonsvc.exe	54
PID 2652 wrote to memory of 348	2652	DllCommonsvc.exe	54
PID 2652 wrote to memory of 348	2652	DllCommonsvc.exe	54
PID 2652 wrote to memory of 1344	2652	DllCommonsvc.exe	55
PID 2652 wrote to memory of 1344	2652	DllCommonsvc.exe	55
PID 2652 wrote to memory of 1344	2652	DllCommonsvc.exe	55
PID 2652 wrote to memory of 1076	2652	DllCommonsvc.exe	56
PID 2652 wrote to memory of 1076	2652	DllCommonsvc.exe	56
PID 2652 wrote to memory of 1076	2652	DllCommonsvc.exe	56
PID 2652 wrote to memory of 2928	2652	DllCommonsvc.exe	57
PID 2652 wrote to memory of 2928	2652	DllCommonsvc.exe	57
PID 2652 wrote to memory of 2928	2652	DllCommonsvc.exe	57
PID 2652 wrote to memory of 2740	2652	DllCommonsvc.exe	59
PID 2652 wrote to memory of 2740	2652	DllCommonsvc.exe	59
PID 2652 wrote to memory of 2740	2652	DllCommonsvc.exe	59
PID 2652 wrote to memory of 2932	2652	DllCommonsvc.exe	60
PID 2652 wrote to memory of 2932	2652	DllCommonsvc.exe	60
PID 2652 wrote to memory of 2932	2652	DllCommonsvc.exe	60
PID 2652 wrote to memory of 2724	2652	DllCommonsvc.exe	63
PID 2652 wrote to memory of 2724	2652	DllCommonsvc.exe	63
PID 2652 wrote to memory of 2724	2652	DllCommonsvc.exe	63
PID 2652 wrote to memory of 1380	2652	DllCommonsvc.exe	68
PID 2652 wrote to memory of 1380	2652	DllCommonsvc.exe	68
PID 2652 wrote to memory of 1380	2652	DllCommonsvc.exe	68
PID 1380 wrote to memory of 2544	1380	winlogon.exe	69
PID 1380 wrote to memory of 2544	1380	winlogon.exe	69
PID 1380 wrote to memory of 2544	1380	winlogon.exe	69
PID 2544 wrote to memory of 2276	2544	cmd.exe	71
PID 2544 wrote to memory of 2276	2544	cmd.exe	71
PID 2544 wrote to memory of 2276	2544	cmd.exe	71
PID 2544 wrote to memory of 1816	2544	cmd.exe	72
PID 2544 wrote to memory of 1816	2544	cmd.exe	72
PID 2544 wrote to memory of 1816	2544	cmd.exe	72
PID 1816 wrote to memory of 2876	1816	winlogon.exe	73
PID 1816 wrote to memory of 2876	1816	winlogon.exe	73
PID 1816 wrote to memory of 2876	1816	winlogon.exe	73
PID 2876 wrote to memory of 2316	2876	cmd.exe	75
PID 2876 wrote to memory of 2316	2876	cmd.exe	75
PID 2876 wrote to memory of 2316	2876	cmd.exe	75
PID 2876 wrote to memory of 1088	2876	cmd.exe	76
PID 2876 wrote to memory of 1088	2876	cmd.exe	76
PID 2876 wrote to memory of 1088	2876	cmd.exe	76
PID 1088 wrote to memory of 2424	1088	winlogon.exe	77
PID 1088 wrote to memory of 2424	1088	winlogon.exe	77
PID 1088 wrote to memory of 2424	1088	winlogon.exe	77
PID 2424 wrote to memory of 2492	2424	cmd.exe	79
PID 2424 wrote to memory of 2492	2424	cmd.exe	79
PID 2424 wrote to memory of 2492	2424	cmd.exe	79
PID 2424 wrote to memory of 2640	2424	cmd.exe	80
PID 2424 wrote to memory of 2640	2424	cmd.exe	80
PID 2424 wrote to memory of 2640	2424	cmd.exe	80
PID 2640 wrote to memory of 2552	2640	winlogon.exe	81

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5d7a3b03321fbc5a6d8311894e0a954b28574eeb73dc642fdd9f799609283ee9.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5d7a3b03321fbc5a6d8311894e0a954b28574eeb73dc642fdd9f799609283ee9.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2464
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2488
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2036
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2652
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:348
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1344
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1076
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2928
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2740
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2932
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Documents\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2724
    - - C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\winlogon.exe
        
        "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\winlogon.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1380
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Rn5V8mQYRH.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2544
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2276
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\winlogon.exe
        
        "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\winlogon.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1816
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cu7QADyCUt.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2876
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2316
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\winlogon.exe
        
        "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\winlogon.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1088
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HD5NsnfB5C.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2424
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2492
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\winlogon.exe
        
        "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\winlogon.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2640
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rgoiaSdxpd.bat"
        12⤵
        
        PID:2552
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2828
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\winlogon.exe
        
        "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\winlogon.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:836
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Iu2jWrKESR.bat"
        14⤵
        
        PID:1388
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2020
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\winlogon.exe
        
        "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\winlogon.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2756
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BAdWWGXi7E.bat"
        16⤵
        
        PID:528
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1580
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\winlogon.exe
        
        "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\winlogon.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2492
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat"
        18⤵
        
        PID:1008
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:880
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\winlogon.exe
        
        "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\winlogon.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1496
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zY3yp8Lh1n.bat"
        20⤵
        
        PID:560
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2432
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\winlogon.exe
        
        "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\winlogon.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2220
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vIn8vbLsXf.bat"
        22⤵
        
        PID:2700
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2036
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\winlogon.exe
        
        "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\winlogon.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2644
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\38MS6cfT7h.bat"
        24⤵
        
        PID:1200
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2468
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\winlogon.exe
        
        "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\winlogon.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\providercommon\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Documents\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default\Documents\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Documents\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2653fc916218af789babae0ec64c4f78

SHA1
34e06a8679429721eea108a0487046656c222f76

SHA256
415cc42fe3a7843606a609fbb40831d3f88f56336aa15bdf1cde8ba90af08974

SHA512
c35f03a39fe3752402c528ac9016939a9d7b0ca5e4eb56743334a602318067eaa49b0a199911aac90b3bc1bb3d36662ded4a1f33d1bf3251e275add1474a73ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8b08cd307130e0ce2ea1aee11b46040a

SHA1
29cf70527b148772cc855afa01f5a543060a3983

SHA256
a695d092da03fe183d280d6128b8a5b8616e699bb1eec3215bae794fd5b28a34

SHA512
4f3e321bc12e1f508f00d887319b39a14b3116ee73a7a224e6c467b732088112a7165aa0bafb4bdd68ec6bf5ca8f639f004ba860813f7d962ee963d2c96eda3b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9664bcbcde5f2d15d58212e5d43e1b5d

SHA1
2fe41456c073bdbb8a0aa379d30f3ca319333e15

SHA256
9dded197961f0f7b883c6fae9de5db4b669964cadd586ab081653fd37b9a472a

SHA512
003f9cd5400fa9c020eaf656f221f189388b74aa131c5d8c716da1d8a0d5348bd8ba464ae5f692d3ccee2f613c2497f1cb63e93103ffff02eaca8a24c3f85e40

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e0173788b273aa08759dc1bacaa06062

SHA1
e5b66f48a2e7c55e1ee8d7e43a89b12f3c83494a

SHA256
bf02d1dfd8a5761f712a20154a68787706a98d67ccc8929feef0b5460cf4d5d5

SHA512
678fa79183f75058cbd8db6c02df330e4dc23531c721bf94b52986ae417742af089196a25c0e054189f862533926230aef80c3f6960729c0f707723bb1744c11

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
81e0572b942947fa14e4b7a2588d1419

SHA1
ce1541b11155ff5b6155429c1f23c2733e91c3ac

SHA256
a8f6eb66b3b33d7697ba8586c76d9ee9eb2381c2c6eb12a6585bc6583c0b70d2

SHA512
0ede3c93cbc4a809dd86d358ff296ad6574ccc40df9ee29d9852dc0c6de3434931c561b92e653c44710bd72ba002920495ae849f47fbd59af93947702d72f3fe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fce340e81e24559182e2acc9e2f45e9d

SHA1
9197290b477504a8f485b90086dfad79014ca538

SHA256
87ce308c768d5083b7bf332396ff1e1c77bb276e36825138a0952c89d55a244e

SHA512
666809951bf040580d06f88a6c7be8e1e027155658eba9ff426b25a5491ab72471615f6eee32ea58463b8aadd48f116edae39f789f324df7d9bbf6a3b41f1cde

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5390b12d0812a37af78d6b7f7f0eb9c0

SHA1
365ea26e00b0d971e82409c46b48389c647e6d8a

SHA256
06dc9b7db27d82337905af241e833b07c5472132f8b57052b112993f7395a4a4

SHA512
0a3d716f56eee0953eef0da7e32ddc0812c534a1937e6f07fd49866f91ac1b21b99a88265779fec449ed66239c8145880fecb8c7dc86b989cace17ec363c11da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1162940c098d2e90c913b9bbbfa6c106

SHA1
4c2dfce2482e46c5fa0a5b33571eae8e57af59f0

SHA256
aceca94e1d2314f792523b25e7864976ca3c658ef42248108eeb78f05a28e59d

SHA512
2484152c48f17412ae238df47f0a2dac62bbf6bb632bbfc843bdb53171b0ba0e73b792f7546ec10a00bb649f760736a4bff6da7e3f6c5eab757d1ec966d3e041

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fa1614db8193ff5b393339185c769cd0

SHA1
2dffb6712ae52ed46a3f020d2b0ed3722b7c2857

SHA256
d9551ff2aecb2cd10022a90f82028f8b9bf7740b2fbd3ccb2084faaff3632c6e

SHA512
f76cab6fd2f91faa466f915d1b243542bafc517b14b3ba49b4d126e62babe861c5384c5a92f188ec2c1caec2a82f6e71176b5b96869c0858f807c9c2ce5f544b

Download Submit
C:\Users\Admin\AppData\Local\Temp\38MS6cfT7h.bat

Filesize
226B

MD5
311e307543fb2ac9bd3cfa7a964ad7a0

SHA1
bd76bf60d17bb6b832b79460c1e2fa0f2dd59661

SHA256
32180a71e930b1b55f7ea44ddae2d4911c958aa92571d833990778af368fab8e

SHA512
7109a8274eb34dd1c5c4e0132e90edb10e21935775328054fc1fb651fa4a473f2d28d4b21bd5ff96ccec78dbc18b15e6434217fd1b808aba4b8423620b2fccd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\BAdWWGXi7E.bat

Filesize
226B

MD5
8e9ba35d88ee24d2e4c7d4370386bb64

SHA1
8b4356d580930e1e7a6dc5d482b25b5d5ed4771f

SHA256
58acdcb6c773d30cff6afc744351f68846b6900cb026cccb93a0dd2f4bf39a85

SHA512
61b6388af44159ad688dcabbd8447ec69eebe26862998abd8df143cc8b8e39af7361d79a019fdca4921869410ae27762c0d77898de65c01fca75c208dffa6216

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1853.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD5NsnfB5C.bat

Filesize
226B

MD5
ea429a607ca5716d9d245dda15adb798

SHA1
47a4442dbfbfe545c072335f8a48b38af217b3b1

SHA256
b42d111d3d5d3ce17a36fc4f06833293cc88967fb7ccd585e49a032239b04390

SHA512
46afd86e08541f5739ff15c2ca7593c4318a3d5421de738f066fd6c2e8abb16d52e6af652890a85c9e02754aad7dad31c8923cc912e91c52ad3688b10019cdad

Download Submit
C:\Users\Admin\AppData\Local\Temp\Iu2jWrKESR.bat

Filesize
226B

MD5
f515a640cf7e2d0fc58c56622fcae1b0

SHA1
769f5397d54b706c188efaae81af9b266e388dab

SHA256
66fba7ca344496b6b479ed568446052661352726a3694357514879f582e2da54

SHA512
90ea69c149929b6192ddd9fa49c6c6db5d730f4653cb612f4bd30a77879f85af2c6ff42bde3c47fc35f67acb33e8b275005d1cadcc9fc03e655aca5142f792dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rn5V8mQYRH.bat

Filesize
226B

MD5
b78af4453704a076f1621068b672fb82

SHA1
1699bd3636e6eb46b5a14ad693021609713a7081

SHA256
5f5a189b13ee6eea4f96938f8f09d160e2f993234d26fd5d3fbf190ee7ea3273

SHA512
16ec97514eb1fdb691436cdbebe206acec241cd06a2ad61afd2dd67f19281f582d3197d0954530f29bdccf9bce9e6616abc8ea79fce89eca3ca76a949b7a4d8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1866.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat

Filesize
226B

MD5
9716996d017fcdf6d289b7d8d0b843dc

SHA1
8f1a72ce98b7bfecf531ec6f30ad05ae8a6274c3

SHA256
f8c8dbaa838adc1d3007094f0a3f88a49ca6bed202ec02a1f236da6f0015bcb9

SHA512
5eff98494932e0d5056389dd9f8ba242e0cac467e575a8c3726574ce2e3a62d6f1b260eeb56ff80517e4e31166a340fdac5647e595adb0e21ff312f0a759d0ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\cu7QADyCUt.bat

Filesize
226B

MD5
2217daacb43adb93249890e86d92e4f4

SHA1
f56ea99b9578d0565222eff252dd2471eea81e54

SHA256
b9d3c56c4c7d62653ba14ac4d664647057bf61e8eed935cdb20fb449bb17c8be

SHA512
a23bdcca9266508f7c1da96f278b58210e2a348fb6be14e767f1986d7659337f7a24a5728d1b83f1b1da722e4318678f8cb799d51f04ed5d3c2e742dc749470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\rgoiaSdxpd.bat

Filesize
226B

MD5
05a400fe977d22e26871e0ba7329f383

SHA1
ae8f31186bb4248f5532e4d1546096bc54f10866

SHA256
182e6597b133b6c564d739a202e3a60b1446b9234ff5644de652e8bfa346bb00

SHA512
c369046415498cdea4bb51e40a03443e2db71e563302c3cb786cfad934a53638cd9c294b7df296466963f944dc8e88aa8ca04fedfc339286a7eeb7a97949c64a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vIn8vbLsXf.bat

Filesize
226B

MD5
8f9f974e7e52aee5816bc411ee9b1d2e

SHA1
b35c5a3ef22cc05aa0f4c7c714e7988995cd51d5

SHA256
86366ab59e6b0723bd3bdfa2a472e7f209b8e53e79e13710ace8d792a38c3389

SHA512
a4d50f477e4cb6402f3c6612e5ba2408d3e69eb204856f7f7e4fd4a2cdca2f267559e29aaaa631a0e6abb3b843b52a55969cff12facdddf6f62448f246a3b104

Download Submit
C:\Users\Admin\AppData\Local\Temp\zY3yp8Lh1n.bat

Filesize
226B

MD5
5756565bc94720fd120ea64d0bf9cf42

SHA1
9fb68dfa9a91de2b4ad7023867de4f777e7cf64b

SHA256
a4ff2ce77b94e58647e904063a62daf73ddf97dc645d1a2e1c622d5ba03a1b93

SHA512
75e37c57de74a69facce61d5851edb2e7ee61ddb317aa03439df1435a17547f82c0689be10cece7e98eecb9a43c65e07b3188449421a31ee217221bbc0f26da3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
dee65ca2d4581208e0b7e412d81c3b02

SHA1
438379864fd3c98ae19ac0cff72631b570921466

SHA256
25799035d1d17983a2bfe6aec3d83b3b24c6ab929bc380c0a76ec36fd68dbe1a

SHA512
2325291ac4edb451e245fe4a72797ec3eef68fcdd322972bcd26316e18abf88fecd4725a2c95a37fa2cf90356f2d33ad2140b99b822111c65f429d3b33365469

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/836-313-0x0000000001380000-0x0000000001490000-memory.dmp

Filesize
1.1MB

Download
memory/1076-50-0x000000001B620000-0x000000001B902000-memory.dmp

Filesize
2.9MB

Download
memory/1380-57-0x0000000000A10000-0x0000000000B20000-memory.dmp

Filesize
1.1MB

Download
memory/1380-73-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/1496-494-0x0000000000540000-0x0000000000552000-memory.dmp

Filesize
72KB

Download
memory/1496-493-0x0000000000070000-0x0000000000180000-memory.dmp

Filesize
1.1MB

Download
memory/1816-133-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download
memory/1816-132-0x0000000001280000-0x0000000001390000-memory.dmp

Filesize
1.1MB

Download
memory/2220-554-0x0000000000B10000-0x0000000000C20000-memory.dmp

Filesize
1.1MB

Download
memory/2492-433-0x0000000000360000-0x0000000000470000-memory.dmp

Filesize
1.1MB

Download
memory/2640-253-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/2640-252-0x0000000000060000-0x0000000000170000-memory.dmp

Filesize
1.1MB

Download
memory/2644-614-0x0000000001290000-0x00000000013A0000-memory.dmp

Filesize
1.1MB

Download
memory/2652-17-0x00000000003E0000-0x00000000003EC000-memory.dmp

Filesize
48KB

Download
memory/2652-16-0x00000000003C0000-0x00000000003CC000-memory.dmp

Filesize
48KB

Download
memory/2652-15-0x00000000003D0000-0x00000000003DC000-memory.dmp

Filesize
48KB

Download
memory/2652-14-0x00000000003B0000-0x00000000003C2000-memory.dmp

Filesize
72KB

Download
memory/2652-13-0x0000000001040000-0x0000000001150000-memory.dmp

Filesize
1.1MB

Download
memory/2740-54-0x0000000001E50000-0x0000000001E58000-memory.dmp

Filesize
32KB

Download
memory/2756-373-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download