dcrat | 3fb05cb15a8319407cfce7b4c84984f2dcd1cbd38374aa16d4809004d22480a9

Analysis

max time kernel
143s
max time network
138s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 07:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_3fb05cb15a8319407cfce7b4c84984f2dcd1cbd38374aa16d4809004d22480a9.exe
Size

1.3MB
MD5

35f1c6b7bc414cc956891d03384be3cc
SHA1

3f00f8967db4f82ac373f7eae40d0dd439f7c6a0
SHA256

3fb05cb15a8319407cfce7b4c84984f2dcd1cbd38374aa16d4809004d22480a9
SHA512

d4f383585aba718c3926d16981643b011a82a4c5b302812a146ccaa04a3ffa5d870a21e9cfc3adc34498dcff2b5b3ae44d5025a7fef8e92b6f0b9360728d846e
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	660	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1820	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	884	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	2864	schtasks.exe	34

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0006000000018634-11.dat	dcrat
behavioral1/memory/2144-13-0x0000000001030000-0x0000000001140000-memory.dmp	dcrat
behavioral1/memory/700-70-0x0000000000030000-0x0000000000140000-memory.dmp	dcrat
behavioral1/memory/2616-129-0x0000000000F80000-0x0000000001090000-memory.dmp	dcrat
behavioral1/memory/2640-307-0x00000000010B0000-0x00000000011C0000-memory.dmp	dcrat
behavioral1/memory/2672-427-0x0000000001190000-0x00000000012A0000-memory.dmp	dcrat
behavioral1/memory/1768-487-0x00000000001A0000-0x00000000002B0000-memory.dmp	dcrat
behavioral1/memory/2180-547-0x0000000000B70000-0x0000000000C80000-memory.dmp	dcrat
behavioral1/memory/1076-607-0x0000000000FC0000-0x00000000010D0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1984	powershell.exe
1264	powershell.exe
1328	powershell.exe
1700	powershell.exe
1472	powershell.exe
1388	powershell.exe
1076	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2144	DllCommonsvc.exe
700	services.exe
2616	services.exe
1816	services.exe
3016	services.exe
2640	services.exe
1720	services.exe
2672	services.exe
1768	services.exe
2180	services.exe
1076	services.exe
2300	services.exe

Loads dropped DLL 2 IoCs

pid	Process
2788	cmd.exe
2788	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
16	raw.githubusercontent.com
37	raw.githubusercontent.com
9	raw.githubusercontent.com
5	raw.githubusercontent.com
13	raw.githubusercontent.com
20	raw.githubusercontent.com
24	raw.githubusercontent.com
27	raw.githubusercontent.com
31	raw.githubusercontent.com
34	raw.githubusercontent.com
4	raw.githubusercontent.com

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\MSBuild\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\DllCommonsvc.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\a76d7bf15d8370	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\csrss.exe	DllCommonsvc.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\diagnostics\index\lsm.exe	DllCommonsvc.exe
File created	C:\Windows\inf\.NET CLR Networking\0000\services.exe	DllCommonsvc.exe
File created	C:\Windows\inf\.NET CLR Networking\0000\c5b4cb5e9653cc	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_3fb05cb15a8319407cfce7b4c84984f2dcd1cbd38374aa16d4809004d22480a9.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1940	schtasks.exe
2996	schtasks.exe
2908	schtasks.exe
1672	schtasks.exe
2888	schtasks.exe
2952	schtasks.exe
2776	schtasks.exe
660	schtasks.exe
884	schtasks.exe
2772	schtasks.exe
1692	schtasks.exe
1820	schtasks.exe
2400	schtasks.exe
2812	schtasks.exe
2652	schtasks.exe
2352	schtasks.exe
2068	schtasks.exe
2780	schtasks.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
2144	DllCommonsvc.exe
1700	powershell.exe
1076	powershell.exe
1984	powershell.exe
1472	powershell.exe
1388	powershell.exe
1264	powershell.exe
1328	powershell.exe
700	services.exe
2616	services.exe
1816	services.exe
3016	services.exe
2640	services.exe
1720	services.exe
2672	services.exe
1768	services.exe
2180	services.exe
1076	services.exe
2300	services.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	2144	DllCommonsvc.exe
Token: SeDebugPrivilege	1700	powershell.exe
Token: SeDebugPrivilege	1076	powershell.exe
Token: SeDebugPrivilege	1984	powershell.exe
Token: SeDebugPrivilege	1472	powershell.exe
Token: SeDebugPrivilege	1388	powershell.exe
Token: SeDebugPrivilege	1264	powershell.exe
Token: SeDebugPrivilege	1328	powershell.exe
Token: SeDebugPrivilege	700	services.exe
Token: SeDebugPrivilege	2616	services.exe
Token: SeDebugPrivilege	1816	services.exe
Token: SeDebugPrivilege	3016	services.exe
Token: SeDebugPrivilege	2640	services.exe
Token: SeDebugPrivilege	1720	services.exe
Token: SeDebugPrivilege	2672	services.exe
Token: SeDebugPrivilege	1768	services.exe
Token: SeDebugPrivilege	2180	services.exe
Token: SeDebugPrivilege	1076	services.exe
Token: SeDebugPrivilege	2300	services.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 2148	1732	JaffaCakes118_3fb05cb15a8319407cfce7b4c84984f2dcd1cbd38374aa16d4809004d22480a9.exe	30
PID 1732 wrote to memory of 2148	1732	JaffaCakes118_3fb05cb15a8319407cfce7b4c84984f2dcd1cbd38374aa16d4809004d22480a9.exe	30
PID 1732 wrote to memory of 2148	1732	JaffaCakes118_3fb05cb15a8319407cfce7b4c84984f2dcd1cbd38374aa16d4809004d22480a9.exe	30
PID 1732 wrote to memory of 2148	1732	JaffaCakes118_3fb05cb15a8319407cfce7b4c84984f2dcd1cbd38374aa16d4809004d22480a9.exe	30
PID 2148 wrote to memory of 2788	2148	WScript.exe	31
PID 2148 wrote to memory of 2788	2148	WScript.exe	31
PID 2148 wrote to memory of 2788	2148	WScript.exe	31
PID 2148 wrote to memory of 2788	2148	WScript.exe	31
PID 2788 wrote to memory of 2144	2788	cmd.exe	33
PID 2788 wrote to memory of 2144	2788	cmd.exe	33
PID 2788 wrote to memory of 2144	2788	cmd.exe	33
PID 2788 wrote to memory of 2144	2788	cmd.exe	33
PID 2144 wrote to memory of 1984	2144	DllCommonsvc.exe	53
PID 2144 wrote to memory of 1984	2144	DllCommonsvc.exe	53
PID 2144 wrote to memory of 1984	2144	DllCommonsvc.exe	53
PID 2144 wrote to memory of 1264	2144	DllCommonsvc.exe	54
PID 2144 wrote to memory of 1264	2144	DllCommonsvc.exe	54
PID 2144 wrote to memory of 1264	2144	DllCommonsvc.exe	54
PID 2144 wrote to memory of 1328	2144	DllCommonsvc.exe	55
PID 2144 wrote to memory of 1328	2144	DllCommonsvc.exe	55
PID 2144 wrote to memory of 1328	2144	DllCommonsvc.exe	55
PID 2144 wrote to memory of 1700	2144	DllCommonsvc.exe	56
PID 2144 wrote to memory of 1700	2144	DllCommonsvc.exe	56
PID 2144 wrote to memory of 1700	2144	DllCommonsvc.exe	56
PID 2144 wrote to memory of 1472	2144	DllCommonsvc.exe	57
PID 2144 wrote to memory of 1472	2144	DllCommonsvc.exe	57
PID 2144 wrote to memory of 1472	2144	DllCommonsvc.exe	57
PID 2144 wrote to memory of 1388	2144	DllCommonsvc.exe	58
PID 2144 wrote to memory of 1388	2144	DllCommonsvc.exe	58
PID 2144 wrote to memory of 1388	2144	DllCommonsvc.exe	58
PID 2144 wrote to memory of 1076	2144	DllCommonsvc.exe	59
PID 2144 wrote to memory of 1076	2144	DllCommonsvc.exe	59
PID 2144 wrote to memory of 1076	2144	DllCommonsvc.exe	59
PID 2144 wrote to memory of 2532	2144	DllCommonsvc.exe	67
PID 2144 wrote to memory of 2532	2144	DllCommonsvc.exe	67
PID 2144 wrote to memory of 2532	2144	DllCommonsvc.exe	67
PID 2532 wrote to memory of 2196	2532	cmd.exe	69
PID 2532 wrote to memory of 2196	2532	cmd.exe	69
PID 2532 wrote to memory of 2196	2532	cmd.exe	69
PID 2532 wrote to memory of 700	2532	cmd.exe	71
PID 2532 wrote to memory of 700	2532	cmd.exe	71
PID 2532 wrote to memory of 700	2532	cmd.exe	71
PID 700 wrote to memory of 2068	700	services.exe	72
PID 700 wrote to memory of 2068	700	services.exe	72
PID 700 wrote to memory of 2068	700	services.exe	72
PID 2068 wrote to memory of 1200	2068	cmd.exe	74
PID 2068 wrote to memory of 1200	2068	cmd.exe	74
PID 2068 wrote to memory of 1200	2068	cmd.exe	74
PID 2068 wrote to memory of 2616	2068	cmd.exe	75
PID 2068 wrote to memory of 2616	2068	cmd.exe	75
PID 2068 wrote to memory of 2616	2068	cmd.exe	75
PID 2616 wrote to memory of 1864	2616	services.exe	76
PID 2616 wrote to memory of 1864	2616	services.exe	76
PID 2616 wrote to memory of 1864	2616	services.exe	76
PID 1864 wrote to memory of 1360	1864	cmd.exe	78
PID 1864 wrote to memory of 1360	1864	cmd.exe	78
PID 1864 wrote to memory of 1360	1864	cmd.exe	78
PID 1864 wrote to memory of 1816	1864	cmd.exe	79
PID 1864 wrote to memory of 1816	1864	cmd.exe	79
PID 1864 wrote to memory of 1816	1864	cmd.exe	79
PID 1816 wrote to memory of 2116	1816	services.exe	80
PID 1816 wrote to memory of 2116	1816	services.exe	80
PID 1816 wrote to memory of 2116	1816	services.exe	80
PID 2116 wrote to memory of 1264	2116	cmd.exe	82

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3fb05cb15a8319407cfce7b4c84984f2dcd1cbd38374aa16d4809004d22480a9.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3fb05cb15a8319407cfce7b4c84984f2dcd1cbd38374aa16d4809004d22480a9.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2148
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2788
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2144
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1984
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1264
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1328
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1700
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\My Pictures\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1472
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\inf\.NET CLR Networking\0000\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1388
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1076
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RnGd7mrZOn.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2532
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2196
      - C:\Windows\inf\.NET CLR Networking\0000\services.exe
        
        "C:\Windows\inf\.NET CLR Networking\0000\services.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:700
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tYG4XGbOex.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2068
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1200
        
        C:\Windows\inf\.NET CLR Networking\0000\services.exe
        
        "C:\Windows\inf\.NET CLR Networking\0000\services.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2616
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ww6iFNwlpp.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1864
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:1360
        
        C:\Windows\inf\.NET CLR Networking\0000\services.exe
        
        "C:\Windows\inf\.NET CLR Networking\0000\services.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1816
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1CKPPXbanu.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2116
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1264
        
        C:\Windows\inf\.NET CLR Networking\0000\services.exe
        
        "C:\Windows\inf\.NET CLR Networking\0000\services.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3016
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pnRbx2xD7z.bat"
        13⤵
        
        PID:2760
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2604
        
        C:\Windows\inf\.NET CLR Networking\0000\services.exe
        
        "C:\Windows\inf\.NET CLR Networking\0000\services.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2640
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kp2dTY47HA.bat"
        15⤵
        
        PID:2808
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2872
        
        C:\Windows\inf\.NET CLR Networking\0000\services.exe
        
        "C:\Windows\inf\.NET CLR Networking\0000\services.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1720
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dXV640YnNf.bat"
        17⤵
        
        PID:1928
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2236
        
        C:\Windows\inf\.NET CLR Networking\0000\services.exe
        
        "C:\Windows\inf\.NET CLR Networking\0000\services.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2672
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\t6OOvELCCF.bat"
        19⤵
        
        PID:2564
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2620
        
        C:\Windows\inf\.NET CLR Networking\0000\services.exe
        
        "C:\Windows\inf\.NET CLR Networking\0000\services.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1768
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0Sh6ipYOoX.bat"
        21⤵
        
        PID:2552
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2728
        
        C:\Windows\inf\.NET CLR Networking\0000\services.exe
        
        "C:\Windows\inf\.NET CLR Networking\0000\services.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2180
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ixgWq8OOYW.bat"
        23⤵
        
        PID:1524
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2060
        
        C:\Windows\inf\.NET CLR Networking\0000\services.exe
        
        "C:\Windows\inf\.NET CLR Networking\0000\services.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1076
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VG36Hwy0Lv.bat"
        25⤵
        
        PID:1620
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:2520
        
        C:\Windows\inf\.NET CLR Networking\0000\services.exe
        
        "C:\Windows\inf\.NET CLR Networking\0000\services.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\MSBuild\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Documents\My Pictures\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Pictures\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Documents\My Pictures\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Windows\inf\.NET CLR Networking\0000\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\inf\.NET CLR Networking\0000\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Windows\inf\.NET CLR Networking\0000\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\providercommon\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
68d7a8b7ef83d0f3f18843453eee4ada

SHA1
8866de2d4d8006f86ad59256d5fccaa15e37733c

SHA256
20e5e720c96017e59305aee236750341be6ce17f4169399287e3dc71d69e89b6

SHA512
b4e7b9172d3bd53cdbd85be37911accddeb0b3e1f74efc9c9860f43fed4bf1cb9626dd1d49757de7529b7d9dca95cacd14fa87c08a969bcefe509efc10e781e8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a47c38e8b8649bf00298c0208a6b0a0c

SHA1
f4fc9a9a93fb6016f2f1299623e6385a168cc098

SHA256
262b1c63f22fc29002c959df7b9755c8de8b3dea9502ad1a467dc0727e76a341

SHA512
a23979732d48c9f74b55f5450d1089cd0b08c9c196ab90b53f182f33ea2df64eedd3c88eaf0de965a132450a7b9a23b29ad2a860f33b517af5297c821bb53756

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
942373e009904148918c9e5ba658de21

SHA1
f0ed8ab73f92869476549d1c8df22848addbe445

SHA256
924594de74363a1b689be46b928a1897fba95bc5358c8cb39cea7058880360b3

SHA512
31e59094262bfaff291da805154c6648200168ed8c5b1961cac3f1c2d8a0738e7d07f6ba983dc5159048d04c23afc77d0420652bb51d17374e28ba46395e678a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6e937bf66e19b640c84feb3bc719c123

SHA1
d969707b337cfc6cee0b231a1c10b97ef26515cc

SHA256
f35510b3d96c537c4d45eb1313da727aacf92697ff6d56101e039605c09c94a3

SHA512
db1fc6f2f3e0ba13ad072e997fb2ef6e3c1db87c281a42133c61a424ef767e33d9715da3ed7c3e0b018a9272af1ac0f42778a24b0be93cf8aeb0e4f93b90923e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dfdc99e358c802e58b280ae716a3a09e

SHA1
c53ada828067ba6ac9a3b140836ecb23888c91dc

SHA256
922d9c66c5dc5113e112c990c682b5d330ad2710d88142ab09515801b360c0a9

SHA512
885b67b62a28880bbb8ee538f85bfb282233dde770d1b2779768a827e8c7210bb91d23640bd623f35cc514d1f1a4734e111e4de2bc536d4dc65ae47d97f306b3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6071578a2448e0c868ae9efe6f3e24af

SHA1
13d0d02eea6ef4e9feea73247111f59f2a2beef3

SHA256
c89b21464c63a3581c300a3de710da062913519571606822b55c937af134f7f9

SHA512
b031eb781f054bfc06d44cc3c6dc20982b88d8a1fc3c1464a5856ff1ac06343538ba4c6f7d98a067a7a8b1123e22f3e3feda5e980233f4652731efba97c7ad34

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
56b4498bc82838660863fc56fd8f5c36

SHA1
3e80572b9c7fec4a127e268a166d67ca5fadc901

SHA256
0eb97eff8b53d834b8ac9d111b76ed12ba863762ad4cc9c1c5e357bd46032bca

SHA512
c150aa32ac3e3b648899c47e5864bbbf5cefde46d100c6a15556981af18dcb2e780c285d43d85c4d4d8f60876c83c01ff690f472852d531791fdb15ca9b571b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f0d5e8ce8909d7f7db3dfee0983ade1f

SHA1
e9e487dfa6377807e04a9d1f811c92a51698994b

SHA256
0fa8b4da192d0755d1fae65146eb74317c85909381ef2bd4c7584590aafe406c

SHA512
2dd63f90caa365beed60d84e7252a49b61087914aa1dc2edab316dc4d64b10537fde610ec16fabc98cdeb435c8a62398ac92fce2cba7b2b400bad3eb21e742b5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5ccc4f692f23fdfa324d6a0982d47e99

SHA1
f1e49c932700ed86da72b300280bfb344de8b55f

SHA256
2b37068daf4a9adaa287c6ea823297a1d04445edb16ec68ede1582292e42a470

SHA512
078c661b9aa1e647bee9de22221f7906467fd2d3159271c1b2cf301c55970e272b1526d89f324f83ee3398cc389fd810c06c97d25c50076e2618032f0f026baf

Download Submit
C:\Users\Admin\AppData\Local\Temp\0Sh6ipYOoX.bat

Filesize
217B

MD5
35681d4dfbeca2c20cf1d839fa025a8a

SHA1
7bbac49ef1e1ac985c18696c0e40c70e81c4c6c2

SHA256
fcce12061abdcfcb9e920764cd4cf92a48fb26e260dfd519c072f739166234d9

SHA512
15e18e8e38eaea9eccc9e233cf3064c9e4cc9d60c897898469f10d281994e58d2abf4984bc0e551294c57ebf8b3233c6aa2cdad9e89bed95fe7aec60e1c56e16

Download Submit
C:\Users\Admin\AppData\Local\Temp\1CKPPXbanu.bat

Filesize
217B

MD5
f468d263ef7968ee892f5a5907c9e673

SHA1
1fedaa0d5d964e0cfb2a4cb7f5bb2603c1d3bb27

SHA256
2c83bc01f483d3668ef65ed8d99f376df6490c18f9d01a33016ab55b6e1c2d54

SHA512
96d8ac065534828b0702b574b348bb07dea93100b231ef5b33d4c1226cfabcda5fdee4a9ed5f7516cab5e1e37f03896272a4cc1ebe83cbc982cee38d45bfb1e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF2F.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RnGd7mrZOn.bat

Filesize
217B

MD5
e52c75aef1735e4411ca846d9a4f3daa

SHA1
21422edbf9d101c2a0718a22e090e44c1edf89b9

SHA256
96155cfa2d345eb7162b1228e56552a96f2fca681df0012f7cc5edce778521fe

SHA512
e761815de0aa77ed3e53b14c719068f001436b8faac3f3d319b8e4d9bd20fec394f9f84d31ce2e1e0a75b26a469771b17635500ee653b8cb7de1b3c032046e3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF42.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\VG36Hwy0Lv.bat

Filesize
217B

MD5
066f472f2204f9bb7539b6fa7b82ee2d

SHA1
f398cc82c4059a029735068affe003011f2a7ae3

SHA256
5a7b0dc8af61745398739120c1c3d11f37889110e6c65f0e4975e09c5070fb40

SHA512
9f9aa4c1d18715c4be6efc8a82ecd5ba77a01938a6271626277d3c2c73d598a7f21be44cd61ca4541ac89da1db061c7e07f5ec40677b58efb71db31e61771d7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ww6iFNwlpp.bat

Filesize
217B

MD5
f3dcebe10c5b82f68e117ae78797b74c

SHA1
d2f6f6ef79d88baa938967e4a9d3f4aee31ca36c

SHA256
d50397ed0e124083374ef8ad292b35c2ae650d808492a8fceeae6b5000f9b06b

SHA512
87e97a3e4482f6f85dcea2b379092baea36d0b1d6b54317cc4abce9f56a1f148811f29dda99ce7c399d93ca84d4dc9eeff07ad86e9dd586510014758aaa7ee2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\dXV640YnNf.bat

Filesize
217B

MD5
0be2a2259d328252b4590de2245ba9c6

SHA1
88500ce367bf0ad78c0aca664e8e937687e2ba12

SHA256
6c595388897f7957204079dd13556663c4291122d5280044982ff6f7a2740c46

SHA512
6d6c77d3546a7b67757e9607c074ca26971474873b63385c1293cf274e644db82e4aa3c9721ff959eed68a62eac5782cddb610b19fe94827568933530a35733f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ixgWq8OOYW.bat

Filesize
217B

MD5
4db5abb2ea2cf3ffd5ef38a2678acd07

SHA1
ad1bfb8c4b693b7d0bd0863cb1e1f2198260788e

SHA256
f73db40d033883e40b288f356fdc30a90289d3a77566f44ce86f9f27485cfae2

SHA512
69e1d1227c750c54d40cfa579cb9de9d13c0a49ec947e8fce73ce6379105c1dedc8c303011593a51579d45fc5008288808d3dfc15096aecc694dd1abf6c08a36

Download Submit
C:\Users\Admin\AppData\Local\Temp\kp2dTY47HA.bat

Filesize
217B

MD5
8e45c44c667bff21f61d2d2ad1f8444a

SHA1
bae7c2bfd56bf625fbecea1b80e0b5d693c93ca6

SHA256
c31f750900401261f30ca31638416aeb8fdfe4bbcec77dfc370be4dbb533567b

SHA512
a8e92b3204a5d9fe2c6bd32581d95429d6328691995da319ef99331b2c34eaf47607272e991ff01461fe699f3eb001fa1bf5dbed605651479f9b571919e57f95

Download Submit
C:\Users\Admin\AppData\Local\Temp\pnRbx2xD7z.bat

Filesize
217B

MD5
f8879e4616dd01858bf093d063e3bc45

SHA1
008a4b4ac1fd6cc1bebccfb38a3b0117f4de032b

SHA256
407cfa2882a50bb63225022fe9986a52d91b8c60a7746a71883837b24cfe8862

SHA512
02f33ebd0b75de034bca7e185653ea464eb7f595d3b72c5d84da9a84bc05d9adef767709c3011bb5b7cbae493e474fd6eca3f953c907b9e870230cee5b9c9117

Download Submit
C:\Users\Admin\AppData\Local\Temp\t6OOvELCCF.bat

Filesize
217B

MD5
3b1e0574bb30f6acfc385cce21e8869b

SHA1
aaae7d825fa4b4493d5e14abc7be2ae19e709387

SHA256
14aaf135f4787569a4afc3b102d019376f02291fe7a0579a25fa51062018543d

SHA512
e0efbfb89805c1bdf8d4fccdfb511757c55b0cd4fd67dbb6f78a5d7191c93b80dbbca866e7343825f1dabc99886bdee98e2d2500712b0077c2013a672d49b8ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\tYG4XGbOex.bat

Filesize
217B

MD5
db11b1a4e03d32c377a3c6a3665f0d45

SHA1
6223fe838b629bafb24ed1e5b3b6be99d279ff07

SHA256
897b494e5c6ba09d26b02346af365e37b26903e0f03a9b8ab06c3d580d48aa2e

SHA512
d786a9270429daa9606219ad1ec1fee746ceca28b257726f73852376bddd19d8d5fe7a997751690e8702797e9f2369bb42fffe9df4cf2c33e1852f503f754a2e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
2fcef469ba663eefc0f50c7e873fc9f2

SHA1
8f0d8cbf75b7bd0f2865fd77fa32bbb1c306f9e2

SHA256
6df0179d57c12ce504183d6353718ca80cc6d5cd17cb24cf2e816c347a677542

SHA512
1387ae1c3692ec2e0b096b1fafd15330f511af390a1d92d1806c93d1aca5e47243f35f83dbb3f50c82dddf4e48eba665e5b404aed850b186b635c3812a26ebf1

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/700-70-0x0000000000030000-0x0000000000140000-memory.dmp

Filesize
1.1MB

Download
memory/1076-607-0x0000000000FC0000-0x00000000010D0000-memory.dmp

Filesize
1.1MB

Download
memory/1700-51-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/1700-50-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

Filesize
2.9MB

Download
memory/1768-487-0x00000000001A0000-0x00000000002B0000-memory.dmp

Filesize
1.1MB

Download
memory/2144-15-0x0000000000450000-0x000000000045C000-memory.dmp

Filesize
48KB

Download
memory/2144-14-0x0000000000440000-0x0000000000452000-memory.dmp

Filesize
72KB

Download
memory/2144-13-0x0000000001030000-0x0000000001140000-memory.dmp

Filesize
1.1MB

Download
memory/2144-16-0x0000000000460000-0x000000000046C000-memory.dmp

Filesize
48KB

Download
memory/2144-17-0x0000000000470000-0x000000000047C000-memory.dmp

Filesize
48KB

Download
memory/2180-547-0x0000000000B70000-0x0000000000C80000-memory.dmp

Filesize
1.1MB

Download
memory/2616-129-0x0000000000F80000-0x0000000001090000-memory.dmp

Filesize
1.1MB

Download
memory/2640-308-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/2640-307-0x00000000010B0000-0x00000000011C0000-memory.dmp

Filesize
1.1MB

Download
memory/2672-427-0x0000000001190000-0x00000000012A0000-memory.dmp

Filesize
1.1MB

Download