dcrat | 7f08bedbdadc3d94eabe3eb361277a8eae30fb81bb129ff8fb13f755dea77dab

Analysis

max time kernel
144s
max time network
143s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 06:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_7f08bedbdadc3d94eabe3eb361277a8eae30fb81bb129ff8fb13f755dea77dab.exe
Size

1.3MB
MD5

15d560fd21469c86a7c7d315517500c4
SHA1

ad54e129c4cd202b9a534fd4e91ecb9d65d87a4e
SHA256

7f08bedbdadc3d94eabe3eb361277a8eae30fb81bb129ff8fb13f755dea77dab
SHA512

337b7e241308a3c53a61727ca50d6a112b4bff67530dcf59049a48249db4d622d1d81287024c8b018659e3e09630beb033b1c2cab23f2815b19d71057c364bfc
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	2932	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	2932	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	2932	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2932	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	2932	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	2932	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2932	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	2932	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	2932	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	2932	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	2932	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	692	2932	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	2932	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	2932	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	2932	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	2932	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	2932	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	2932	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	2932	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	836	2932	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	2932	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	2932	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	2932	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	2932	schtasks.exe	35

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016d69-9.dat	dcrat
behavioral1/memory/2956-13-0x00000000002E0000-0x00000000003F0000-memory.dmp	dcrat
behavioral1/memory/3068-87-0x0000000001090000-0x00000000011A0000-memory.dmp	dcrat
behavioral1/memory/1892-146-0x0000000001360000-0x0000000001470000-memory.dmp	dcrat
behavioral1/memory/1612-443-0x0000000000350000-0x0000000000460000-memory.dmp	dcrat
behavioral1/memory/2620-504-0x0000000001170000-0x0000000001280000-memory.dmp	dcrat
behavioral1/memory/1064-624-0x00000000013D0000-0x00000000014E0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1700	powershell.exe
2236	powershell.exe
1868	powershell.exe
2484	powershell.exe
560	powershell.exe
1352	powershell.exe
2424	powershell.exe
1980	powershell.exe
2124	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2956	DllCommonsvc.exe
3068	lsm.exe
1892	lsm.exe
1432	lsm.exe
2680	lsm.exe
2340	lsm.exe
2808	lsm.exe
1612	lsm.exe
2620	lsm.exe
2416	lsm.exe
1064	lsm.exe

Loads dropped DLL 2 IoCs

pid	Process
2196	cmd.exe
2196	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
9	raw.githubusercontent.com
12	raw.githubusercontent.com
15	raw.githubusercontent.com
18	raw.githubusercontent.com
25	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
32	raw.githubusercontent.com
21	raw.githubusercontent.com
28	raw.githubusercontent.com

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Mail\ja-JP\dwm.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files\Windows Mail\ja-JP\dwm.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Mail\ja-JP\6cb0b6c459d5d3	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7f08bedbdadc3d94eabe3eb361277a8eae30fb81bb129ff8fb13f755dea77dab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1956	schtasks.exe
2776	schtasks.exe
3024	schtasks.exe
2748	schtasks.exe
2720	schtasks.exe
2032	schtasks.exe
2988	schtasks.exe
836	schtasks.exe
2132	schtasks.exe
2732	schtasks.exe
2816	schtasks.exe
2688	schtasks.exe
2568	schtasks.exe
2028	schtasks.exe
692	schtasks.exe
2744	schtasks.exe
2024	schtasks.exe
3008	schtasks.exe
2264	schtasks.exe
1996	schtasks.exe
2364	schtasks.exe
3028	schtasks.exe
2416	schtasks.exe
2704	schtasks.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2956	DllCommonsvc.exe
2236	powershell.exe
1868	powershell.exe
1700	powershell.exe
1352	powershell.exe
2484	powershell.exe
1980	powershell.exe
2124	powershell.exe
560	powershell.exe
2424	powershell.exe
3068	lsm.exe
1892	lsm.exe
1432	lsm.exe
2680	lsm.exe
2340	lsm.exe
2808	lsm.exe
1612	lsm.exe
2620	lsm.exe
2416	lsm.exe
1064	lsm.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	2956	DllCommonsvc.exe
Token: SeDebugPrivilege	2236	powershell.exe
Token: SeDebugPrivilege	1868	powershell.exe
Token: SeDebugPrivilege	1700	powershell.exe
Token: SeDebugPrivilege	1352	powershell.exe
Token: SeDebugPrivilege	2484	powershell.exe
Token: SeDebugPrivilege	1980	powershell.exe
Token: SeDebugPrivilege	2124	powershell.exe
Token: SeDebugPrivilege	560	powershell.exe
Token: SeDebugPrivilege	2424	powershell.exe
Token: SeDebugPrivilege	3068	lsm.exe
Token: SeDebugPrivilege	1892	lsm.exe
Token: SeDebugPrivilege	1432	lsm.exe
Token: SeDebugPrivilege	2680	lsm.exe
Token: SeDebugPrivilege	2340	lsm.exe
Token: SeDebugPrivilege	2808	lsm.exe
Token: SeDebugPrivilege	1612	lsm.exe
Token: SeDebugPrivilege	2620	lsm.exe
Token: SeDebugPrivilege	2416	lsm.exe
Token: SeDebugPrivilege	1064	lsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 1760	2188	JaffaCakes118_7f08bedbdadc3d94eabe3eb361277a8eae30fb81bb129ff8fb13f755dea77dab.exe	30
PID 2188 wrote to memory of 1760	2188	JaffaCakes118_7f08bedbdadc3d94eabe3eb361277a8eae30fb81bb129ff8fb13f755dea77dab.exe	30
PID 2188 wrote to memory of 1760	2188	JaffaCakes118_7f08bedbdadc3d94eabe3eb361277a8eae30fb81bb129ff8fb13f755dea77dab.exe	30
PID 2188 wrote to memory of 1760	2188	JaffaCakes118_7f08bedbdadc3d94eabe3eb361277a8eae30fb81bb129ff8fb13f755dea77dab.exe	30
PID 1760 wrote to memory of 2196	1760	WScript.exe	31
PID 1760 wrote to memory of 2196	1760	WScript.exe	31
PID 1760 wrote to memory of 2196	1760	WScript.exe	31
PID 1760 wrote to memory of 2196	1760	WScript.exe	31
PID 2196 wrote to memory of 2956	2196	cmd.exe	33
PID 2196 wrote to memory of 2956	2196	cmd.exe	33
PID 2196 wrote to memory of 2956	2196	cmd.exe	33
PID 2196 wrote to memory of 2956	2196	cmd.exe	33
PID 2956 wrote to memory of 2236	2956	DllCommonsvc.exe	60
PID 2956 wrote to memory of 2236	2956	DllCommonsvc.exe	60
PID 2956 wrote to memory of 2236	2956	DllCommonsvc.exe	60
PID 2956 wrote to memory of 1868	2956	DllCommonsvc.exe	61
PID 2956 wrote to memory of 1868	2956	DllCommonsvc.exe	61
PID 2956 wrote to memory of 1868	2956	DllCommonsvc.exe	61
PID 2956 wrote to memory of 2484	2956	DllCommonsvc.exe	62
PID 2956 wrote to memory of 2484	2956	DllCommonsvc.exe	62
PID 2956 wrote to memory of 2484	2956	DllCommonsvc.exe	62
PID 2956 wrote to memory of 2424	2956	DllCommonsvc.exe	64
PID 2956 wrote to memory of 2424	2956	DllCommonsvc.exe	64
PID 2956 wrote to memory of 2424	2956	DllCommonsvc.exe	64
PID 2956 wrote to memory of 560	2956	DllCommonsvc.exe	66
PID 2956 wrote to memory of 560	2956	DllCommonsvc.exe	66
PID 2956 wrote to memory of 560	2956	DllCommonsvc.exe	66
PID 2956 wrote to memory of 1700	2956	DllCommonsvc.exe	68
PID 2956 wrote to memory of 1700	2956	DllCommonsvc.exe	68
PID 2956 wrote to memory of 1700	2956	DllCommonsvc.exe	68
PID 2956 wrote to memory of 1980	2956	DllCommonsvc.exe	72
PID 2956 wrote to memory of 1980	2956	DllCommonsvc.exe	72
PID 2956 wrote to memory of 1980	2956	DllCommonsvc.exe	72
PID 2956 wrote to memory of 2124	2956	DllCommonsvc.exe	73
PID 2956 wrote to memory of 2124	2956	DllCommonsvc.exe	73
PID 2956 wrote to memory of 2124	2956	DllCommonsvc.exe	73
PID 2956 wrote to memory of 1352	2956	DllCommonsvc.exe	74
PID 2956 wrote to memory of 1352	2956	DllCommonsvc.exe	74
PID 2956 wrote to memory of 1352	2956	DllCommonsvc.exe	74
PID 2956 wrote to memory of 1620	2956	DllCommonsvc.exe	78
PID 2956 wrote to memory of 1620	2956	DllCommonsvc.exe	78
PID 2956 wrote to memory of 1620	2956	DllCommonsvc.exe	78
PID 1620 wrote to memory of 2600	1620	cmd.exe	80
PID 1620 wrote to memory of 2600	1620	cmd.exe	80
PID 1620 wrote to memory of 2600	1620	cmd.exe	80
PID 1620 wrote to memory of 3068	1620	cmd.exe	81
PID 1620 wrote to memory of 3068	1620	cmd.exe	81
PID 1620 wrote to memory of 3068	1620	cmd.exe	81
PID 3068 wrote to memory of 1728	3068	lsm.exe	82
PID 3068 wrote to memory of 1728	3068	lsm.exe	82
PID 3068 wrote to memory of 1728	3068	lsm.exe	82
PID 1728 wrote to memory of 2164	1728	cmd.exe	84
PID 1728 wrote to memory of 2164	1728	cmd.exe	84
PID 1728 wrote to memory of 2164	1728	cmd.exe	84
PID 1728 wrote to memory of 1892	1728	cmd.exe	85
PID 1728 wrote to memory of 1892	1728	cmd.exe	85
PID 1728 wrote to memory of 1892	1728	cmd.exe	85
PID 1892 wrote to memory of 2388	1892	lsm.exe	86
PID 1892 wrote to memory of 2388	1892	lsm.exe	86
PID 1892 wrote to memory of 2388	1892	lsm.exe	86
PID 2388 wrote to memory of 1380	2388	cmd.exe	88
PID 2388 wrote to memory of 1380	2388	cmd.exe	88
PID 2388 wrote to memory of 1380	2388	cmd.exe	88
PID 2388 wrote to memory of 1432	2388	cmd.exe	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7f08bedbdadc3d94eabe3eb361277a8eae30fb81bb129ff8fb13f755dea77dab.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7f08bedbdadc3d94eabe3eb361277a8eae30fb81bb129ff8fb13f755dea77dab.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1760
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2196
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2956
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2236
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\ja-JP\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1868
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Favorites\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2484
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2424
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:560
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Favorites\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1700
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1980
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2124
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1352
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4uMuQd8OBK.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1620
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2600
      - C:\Users\All Users\Favorites\lsm.exe
        
        "C:\Users\All Users\Favorites\lsm.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3068
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ezHXLeVHih.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1728
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2164
        
        C:\Users\All Users\Favorites\lsm.exe
        
        "C:\Users\All Users\Favorites\lsm.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1892
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6VGBOjzZtA.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:1380
        
        C:\Users\All Users\Favorites\lsm.exe
        
        "C:\Users\All Users\Favorites\lsm.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1432
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\x7ZYnkvAkq.bat"
        11⤵
        
        PID:2676
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2084
        
        C:\Users\All Users\Favorites\lsm.exe
        
        "C:\Users\All Users\Favorites\lsm.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2680
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AJeLhFiBvb.bat"
        13⤵
        
        PID:2568
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1144
        
        C:\Users\All Users\Favorites\lsm.exe
        
        "C:\Users\All Users\Favorites\lsm.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2340
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\l7tVtcAquU.bat"
        15⤵
        
        PID:1104
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1220
        
        C:\Users\All Users\Favorites\lsm.exe
        
        "C:\Users\All Users\Favorites\lsm.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2808
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KqyXtY4PgZ.bat"
        17⤵
        
        PID:2260
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2308
        
        C:\Users\All Users\Favorites\lsm.exe
        
        "C:\Users\All Users\Favorites\lsm.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1612
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lHo4kC1bcD.bat"
        19⤵
        
        PID:1772
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1496
        
        C:\Users\All Users\Favorites\lsm.exe
        
        "C:\Users\All Users\Favorites\lsm.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2620
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\79RMekxjZd.bat"
        21⤵
        
        PID:908
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2056
        
        C:\Users\All Users\Favorites\lsm.exe
        
        "C:\Users\All Users\Favorites\lsm.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2416
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\s2EHkno7yQ.bat"
        23⤵
        
        PID:2444
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2088
        
        C:\Users\All Users\Favorites\lsm.exe
        
        "C:\Users\All Users\Favorites\lsm.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Mail\ja-JP\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\ja-JP\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Mail\ja-JP\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Favorites\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Favorites\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Favorites\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Favorites\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\All Users\Favorites\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Favorites\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Default User\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\providercommon\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\providercommon\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
13ea0c856267af9a04faaf92a05f3587

SHA1
fb25ec9e4c6268370994f5d2da149edf98c48821

SHA256
33e60a7cdf3208720af7bbcd279a8462a1fddb98e573ead85dc8b565e6510d87

SHA512
f2cf1858b4f4af43c58ba37855384edbee1a21e088f932454ad04ceea607814df8fc0c3db83c99f82777b47fe13e93464c4edaae4062655b6a8a21b0f745bedf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b2297d7431a3c91ba92a1d3143718ccd

SHA1
0941fbadc74a29e3065ece3fd1567515b7330dd3

SHA256
1a0ca2bba576ecbb08b9b90197318f39e512bba6ffd8b9b1cf674cfd8a4c34f5

SHA512
4adea4527104d40e251fe5d90d17ccc42ff1d2162f30b9a09bb2d6b113821a0ce67ef8ed055caf4fb22d1aa0cba9f57fde0dbf21ae34c8be4a78e997d81653ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8b0eb9444470c8ae263816654b44a111

SHA1
51bda6e84efbef1c62047bc6e585f5c4e7896a9b

SHA256
45c73af89c67ba7b9c52bae2998b4042c0462784c7358ee9822ea0d233a31820

SHA512
3d0d2749c40fd895bfa0243ef5ebcfa0e6a692d0028099ec27e619792d18358a53ffb6b01160ef682e034211e03bd0f1db542d4bef8c4db3a726b9673baf47c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
140ad6570f0473c4e8d4002232c218d3

SHA1
2fcfe3163a95d10c9916499f503ca34d3942a402

SHA256
e1f8d0574db6df228820de3aeee6e0bc15f5e098f124d58148cd9f5d8ad7d93a

SHA512
a01317b2072f5e01be974ad024a80a3581f7f94d0c02974a7162c20c6b4acac5f5389683c18c7f4cc829fb6678492b89f15bfc43e44c7a0f00c9ca74202340c7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
61aeb90516c5285bc451d9ca1ded4fb7

SHA1
9261a3a513784766b1ea1a5a2571afedf125b3fa

SHA256
5c2d25a74831fcacfe115fbd6bc8a83652b3cce9b98e4c9fdb244f49ae768d81

SHA512
e904fc8c74d4df1b250279bfc9772fa38de12c7b818779db23fe5f9a103666a2b7c643b123d864b7daa9ba686d83f35d95f7585240dc58f18e0c54febe629101

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
325be69477e2f0ec3e0689c80210d11a

SHA1
4fececbf2daa21e1ac5aebe8e511cb69fafdefc3

SHA256
bab4f723682eb468f6f59b1fd480f4c7d9a80a3c736dc0fb666b335592bd8a46

SHA512
7bfed6a3dfba4983492ea18dddb01d5c0d309367c879fba7b7efa9b218861c9afd1d1cf3b1f0e342493956e5858c98104aa893312ac193aff56ffd66ad47db31

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7b9b1ffdc988b9bcb2da5a9dd6402222

SHA1
42d2f0683bd6bbc52b169f37972a08c00cea844c

SHA256
c7106f1d159d46fa4133a1ffcca7850a622629bc2437e5d03e6557ccd67127a6

SHA512
ba4ed788ef20bf5796ddf98157950e2ac61e732b44aa822655fa83437d61d6110aa035a3cca2a6cf2ef20d56a437a542c9c571543b5aa26afc264ede33db9a82

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8dac74b59987917bc6fa0217dc8d2227

SHA1
d82c64d910641a105f9ccc6eabb6dc8625bc6154

SHA256
cb7e1cc2a73c093ece0f07e40e1ad74f647df530071b33f04e731064ef2617f0

SHA512
23800a5ba1010b5dc5379a3bd04d62ea31fe347b84a82a16808148f2ba080f9a4dfaf0be4f0cde9ff894f9b3b9675935552a0c7a95f7f8baa199b4afaaf59337

Download Submit
C:\Users\Admin\AppData\Local\Temp\4uMuQd8OBK.bat

Filesize
201B

MD5
1990e7cdfa2b4cb389eb89e2f8751562

SHA1
43ec5370d4e173881e155256141f572bd73f5bf1

SHA256
039bb8d63f59848f3d6236600b0fc0164035a04274c131d8d2c6ae6d04c8f2ce

SHA512
650c128f43a1b5a8406094d31d4cfabe55f79cd43fe00ffc0059237d31a5fd60a0f8009ec3a402202fc48c8fbbfbd5001aa19a7b85e16bc2ece29365344dd192

Download Submit
C:\Users\Admin\AppData\Local\Temp\6VGBOjzZtA.bat

Filesize
201B

MD5
ffa18478865f7f57bebd6545a2445168

SHA1
d1edf66e05719138873a8064a39919707324a23c

SHA256
91f75982d4d685328b2714dbe9373cd64f0bccee76c3377f7fd6985e178ef04a

SHA512
0d5289df9af85c0c01a120101c7c7ecf1f573a8a124d004e663340a1a93b34fbb23f4dfdb9550004c4b5d88233870fd96b144769c9fbd31ba2fa0bd5acbdd3c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\79RMekxjZd.bat

Filesize
201B

MD5
25a7241856826068601680232a7016df

SHA1
33875105068577c5d27e06e8a9301eba560176ba

SHA256
659c9716d4f70214f6c1252a07dfe6eefb96ec06cd3a1cbcd446e82d4fe34980

SHA512
78c77c24ea7c35dce286f3c19753da73532b53a29c8b3ed4b6db66d6350de26697bd7f19f32164ab29d17c0e33cfb64418ab38c06fc1a66db3f673339537931b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AJeLhFiBvb.bat

Filesize
201B

MD5
704ea592fbf0bb2186eb8782248bc7e4

SHA1
8d183f210d70bdc25121821404f054b04b4b80a7

SHA256
f7494189ac7e14c7672f10f6e44ccf342900de1cb76176ac0b7afff8f6f56b9c

SHA512
965861a2c0e3bdce5dc851216773b04e555bc5b964506fa399f908e66e235b32de511c0071390c57d1a7d6a726c9cb0ab37829218875c052e4995750e3cd4f1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab39D7.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\KqyXtY4PgZ.bat

Filesize
201B

MD5
6d74b5f915651f295e36c348132e7a33

SHA1
8e09c418c5935ce6a2816c5dfe20ad02232f0016

SHA256
5f3e9d2ef824ab2f884b889ee8ded943d07d37d2f75e2afeb409a06154562594

SHA512
8d459483ca99a4562adaf29125fd7edbbc22a70c1a37088e3e6613ce671b0cae56385a47735d8e90439893bf16ac5755f413d0cb23338ebfd6ea6377daf4943f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3A28.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ezHXLeVHih.bat

Filesize
201B

MD5
1ffbd0becc251ddac8b61c261427ac85

SHA1
493b2cdc76f86b123de2e48a1bf7001f33784297

SHA256
967bebaac40b0daddaa8d68e04dcd2169a2b2bda292a8a33acb394106c456392

SHA512
99edb2939da9484171526194dbe4a20c378af955eee5ce790a35a55905520d080890f20dde4e6d2b5e2d44f9b6c17978e4c1a3f87a81aa0b0de8fc64ffd13044

Download Submit
C:\Users\Admin\AppData\Local\Temp\l7tVtcAquU.bat

Filesize
201B

MD5
f87b310c1d52e42a591523c44085d0f9

SHA1
c97f0e0d921c2b559e29af0b01fdb55767c3ace8

SHA256
91771ae84a936d4bf8bf26f4a3caafb9c9513c59d9d14b428fa13af0b2af1637

SHA512
db8ec9d59847629601a7e7aea4a996a663e4e0e3b6cc70c4911598724f494f30e7054394631d823e23bc3fa9b2fbc72f711094b1c17128a03cee69d3ca5b4034

Download Submit
C:\Users\Admin\AppData\Local\Temp\lHo4kC1bcD.bat

Filesize
201B

MD5
0e0f4b393029d0cb20eff66933566c0c

SHA1
f5077bb0d1c8484775e156356543e1cab3389d7a

SHA256
044369aa69f666d4b9f829f2033e4bdbfb686e7501a806cbb62af4245f3374c1

SHA512
0209f30ec1c4fbefc51fa39bf859f77440ef1362302ab2c62c8ce9bc91fbd053b28d573437f3d2622824b226baf4c4e21155b5184f5aa0970799bf778029f5ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\s2EHkno7yQ.bat

Filesize
201B

MD5
ddbad15f29b48db88aa1b6c48b5786ad

SHA1
c76f585dbb057df3bff2c2aff1a30da71b948fd1

SHA256
b1339427e4ebe94bde59453eb8bf43e832db58293e983b7530d2a5609682b3ab

SHA512
e4bc542e44cf8ddb06dbb8965d06035b1cad785105e0407db410fa69d796554814c500fbf9acd18a4457ce1d57fb248b328baa72bfea6c312608398b42519d4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\x7ZYnkvAkq.bat

Filesize
201B

MD5
ba182701f23dfa6628f9641559adb788

SHA1
8bc6f2cd02339e41ad5b02c1535efc42cf46d9c1

SHA256
dd0e107492b687bf69c93c24d615b08d9cc05a590bd80a8e39e86cdc7e526c47

SHA512
7bc024862ee8eda27b57dff3ea8b681140fff48b31b11e0de75d15ad9d56151af26feb458410f87b3597862a3ff60d656751e769ac2a3ede77306ae00debb923

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
730f7f918efa3db3d27413a0ee318f27

SHA1
02d8fa0428e3164acc2200b34ea156983ba0a70c

SHA256
df9a0e6ba3e583f3b1620626afa30653af4700c895417770cebc237b37d2e609

SHA512
161463bef97f1742d3cf7a4af74fad7bb6f72ef6955d37475e68a62984b333f38c0c504b7152ccf810392b27785577997640aedee86a55509ffa1f5e8bc3c5f3

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/1064-625-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/1064-624-0x00000000013D0000-0x00000000014E0000-memory.dmp

Filesize
1.1MB

Download
memory/1432-206-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/1612-443-0x0000000000350000-0x0000000000460000-memory.dmp

Filesize
1.1MB

Download
memory/1612-444-0x0000000000560000-0x0000000000572000-memory.dmp

Filesize
72KB

Download
memory/1892-146-0x0000000001360000-0x0000000001470000-memory.dmp

Filesize
1.1MB

Download
memory/2236-42-0x000000001B320000-0x000000001B602000-memory.dmp

Filesize
2.9MB

Download
memory/2236-47-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download
memory/2416-564-0x0000000000550000-0x0000000000562000-memory.dmp

Filesize
72KB

Download
memory/2620-504-0x0000000001170000-0x0000000001280000-memory.dmp

Filesize
1.1MB

Download
memory/2956-13-0x00000000002E0000-0x00000000003F0000-memory.dmp

Filesize
1.1MB

Download
memory/2956-16-0x0000000000770000-0x000000000077C000-memory.dmp

Filesize
48KB

Download
memory/2956-17-0x0000000000920000-0x000000000092C000-memory.dmp

Filesize
48KB

Download
memory/2956-15-0x0000000000760000-0x000000000076C000-memory.dmp

Filesize
48KB

Download
memory/2956-14-0x0000000000750000-0x0000000000762000-memory.dmp

Filesize
72KB

Download
memory/3068-87-0x0000000001090000-0x00000000011A0000-memory.dmp

Filesize
1.1MB

Download