dcrat | 2158b576c3795497156ffb624a8aabe93b309cd0f284daa7e32327d4f41bf0b9

Analysis

max time kernel
144s
max time network
139s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
22/12/2024, 07:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_2158b576c3795497156ffb624a8aabe93b309cd0f284daa7e32327d4f41bf0b9.exe
Size

1.3MB
MD5

d4466258a8fd667c029100beb8a46c8d
SHA1

f1207e307fc1d5df26bcf8b7d498a3c8d6dec3e5
SHA256

2158b576c3795497156ffb624a8aabe93b309cd0f284daa7e32327d4f41bf0b9
SHA512

037cc8e695b8eee296b15313010e7ecc0eb45dd6598c4e8dcc089db6d7116455b5914a65dd7814218bebc4db60de5921b552bada6e823077c823eb52f8ab0a2d
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	684	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1152	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1268	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	696	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	768	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1156	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	2804	schtasks.exe	34

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000016d49-12.dat	dcrat
behavioral1/memory/1752-13-0x00000000008D0000-0x00000000009E0000-memory.dmp	dcrat
behavioral1/memory/2348-80-0x0000000000E40000-0x0000000000F50000-memory.dmp	dcrat
behavioral1/memory/448-199-0x0000000000F90000-0x00000000010A0000-memory.dmp	dcrat
behavioral1/memory/264-260-0x00000000001B0000-0x00000000002C0000-memory.dmp	dcrat
behavioral1/memory/2836-320-0x00000000000E0000-0x00000000001F0000-memory.dmp	dcrat
behavioral1/memory/2660-380-0x0000000000220000-0x0000000000330000-memory.dmp	dcrat
behavioral1/memory/1700-440-0x0000000000280000-0x0000000000390000-memory.dmp	dcrat
behavioral1/memory/1744-500-0x00000000012F0000-0x0000000001400000-memory.dmp	dcrat
behavioral1/memory/1736-561-0x00000000001E0000-0x00000000002F0000-memory.dmp	dcrat
behavioral1/memory/2004-622-0x0000000001350000-0x0000000001460000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2876	powershell.exe
2868	powershell.exe
2648	powershell.exe
2628	powershell.exe
1908	powershell.exe
2888	powershell.exe
2620	powershell.exe
2872	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
1752	DllCommonsvc.exe
2348	services.exe
2772	services.exe
448	services.exe
264	services.exe
2836	services.exe
2660	services.exe
1700	services.exe
1744	services.exe
1736	services.exe
2004	services.exe

Loads dropped DLL 2 IoCs

pid	Process
2516	cmd.exe
2516	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
20	raw.githubusercontent.com
13	raw.githubusercontent.com
17	raw.githubusercontent.com
24	raw.githubusercontent.com
27	raw.githubusercontent.com
30	raw.githubusercontent.com
33	raw.githubusercontent.com

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\a76d7bf15d8370	DllCommonsvc.exe
File created	C:\Program Files\Windows Mail\de-DE\taskhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Mail\de-DE\b75386f1303e64	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Office\dllhost.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\dllhost.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_2158b576c3795497156ffb624a8aabe93b309cd0f284daa7e32327d4f41bf0b9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1268	schtasks.exe
2472	schtasks.exe
696	schtasks.exe
768	schtasks.exe
1988	schtasks.exe
2852	schtasks.exe
840	schtasks.exe
3032	schtasks.exe
1760	schtasks.exe
1156	schtasks.exe
2692	schtasks.exe
2564	schtasks.exe
1152	schtasks.exe
2944	schtasks.exe
2908	schtasks.exe
684	schtasks.exe
1912	schtasks.exe
1944	schtasks.exe
2584	schtasks.exe
2760	schtasks.exe
2612	schtasks.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
1752	DllCommonsvc.exe
2628	powershell.exe
2876	powershell.exe
2872	powershell.exe
2888	powershell.exe
1908	powershell.exe
2648	powershell.exe
2868	powershell.exe
2620	powershell.exe
2348	services.exe
2772	services.exe
448	services.exe
264	services.exe
2836	services.exe
2660	services.exe
1700	services.exe
1744	services.exe
1736	services.exe
2004	services.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	1752	DllCommonsvc.exe
Token: SeDebugPrivilege	2628	powershell.exe
Token: SeDebugPrivilege	2876	powershell.exe
Token: SeDebugPrivilege	2872	powershell.exe
Token: SeDebugPrivilege	2888	powershell.exe
Token: SeDebugPrivilege	1908	powershell.exe
Token: SeDebugPrivilege	2648	powershell.exe
Token: SeDebugPrivilege	2868	powershell.exe
Token: SeDebugPrivilege	2620	powershell.exe
Token: SeDebugPrivilege	2348	services.exe
Token: SeDebugPrivilege	2772	services.exe
Token: SeDebugPrivilege	448	services.exe
Token: SeDebugPrivilege	264	services.exe
Token: SeDebugPrivilege	2836	services.exe
Token: SeDebugPrivilege	2660	services.exe
Token: SeDebugPrivilege	1700	services.exe
Token: SeDebugPrivilege	1744	services.exe
Token: SeDebugPrivilege	1736	services.exe
Token: SeDebugPrivilege	2004	services.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 2320	2356	JaffaCakes118_2158b576c3795497156ffb624a8aabe93b309cd0f284daa7e32327d4f41bf0b9.exe	30
PID 2356 wrote to memory of 2320	2356	JaffaCakes118_2158b576c3795497156ffb624a8aabe93b309cd0f284daa7e32327d4f41bf0b9.exe	30
PID 2356 wrote to memory of 2320	2356	JaffaCakes118_2158b576c3795497156ffb624a8aabe93b309cd0f284daa7e32327d4f41bf0b9.exe	30
PID 2356 wrote to memory of 2320	2356	JaffaCakes118_2158b576c3795497156ffb624a8aabe93b309cd0f284daa7e32327d4f41bf0b9.exe	30
PID 2320 wrote to memory of 2516	2320	WScript.exe	31
PID 2320 wrote to memory of 2516	2320	WScript.exe	31
PID 2320 wrote to memory of 2516	2320	WScript.exe	31
PID 2320 wrote to memory of 2516	2320	WScript.exe	31
PID 2516 wrote to memory of 1752	2516	cmd.exe	33
PID 2516 wrote to memory of 1752	2516	cmd.exe	33
PID 2516 wrote to memory of 1752	2516	cmd.exe	33
PID 2516 wrote to memory of 1752	2516	cmd.exe	33
PID 1752 wrote to memory of 2620	1752	DllCommonsvc.exe	56
PID 1752 wrote to memory of 2620	1752	DllCommonsvc.exe	56
PID 1752 wrote to memory of 2620	1752	DllCommonsvc.exe	56
PID 1752 wrote to memory of 2872	1752	DllCommonsvc.exe	57
PID 1752 wrote to memory of 2872	1752	DllCommonsvc.exe	57
PID 1752 wrote to memory of 2872	1752	DllCommonsvc.exe	57
PID 1752 wrote to memory of 2876	1752	DllCommonsvc.exe	58
PID 1752 wrote to memory of 2876	1752	DllCommonsvc.exe	58
PID 1752 wrote to memory of 2876	1752	DllCommonsvc.exe	58
PID 1752 wrote to memory of 2868	1752	DllCommonsvc.exe	59
PID 1752 wrote to memory of 2868	1752	DllCommonsvc.exe	59
PID 1752 wrote to memory of 2868	1752	DllCommonsvc.exe	59
PID 1752 wrote to memory of 2648	1752	DllCommonsvc.exe	60
PID 1752 wrote to memory of 2648	1752	DllCommonsvc.exe	60
PID 1752 wrote to memory of 2648	1752	DllCommonsvc.exe	60
PID 1752 wrote to memory of 2628	1752	DllCommonsvc.exe	61
PID 1752 wrote to memory of 2628	1752	DllCommonsvc.exe	61
PID 1752 wrote to memory of 2628	1752	DllCommonsvc.exe	61
PID 1752 wrote to memory of 1908	1752	DllCommonsvc.exe	62
PID 1752 wrote to memory of 1908	1752	DllCommonsvc.exe	62
PID 1752 wrote to memory of 1908	1752	DllCommonsvc.exe	62
PID 1752 wrote to memory of 2888	1752	DllCommonsvc.exe	63
PID 1752 wrote to memory of 2888	1752	DllCommonsvc.exe	63
PID 1752 wrote to memory of 2888	1752	DllCommonsvc.exe	63
PID 1752 wrote to memory of 1088	1752	DllCommonsvc.exe	72
PID 1752 wrote to memory of 1088	1752	DllCommonsvc.exe	72
PID 1752 wrote to memory of 1088	1752	DllCommonsvc.exe	72
PID 1088 wrote to memory of 1964	1088	cmd.exe	74
PID 1088 wrote to memory of 1964	1088	cmd.exe	74
PID 1088 wrote to memory of 1964	1088	cmd.exe	74
PID 1088 wrote to memory of 2348	1088	cmd.exe	76
PID 1088 wrote to memory of 2348	1088	cmd.exe	76
PID 1088 wrote to memory of 2348	1088	cmd.exe	76
PID 2348 wrote to memory of 1984	2348	services.exe	77
PID 2348 wrote to memory of 1984	2348	services.exe	77
PID 2348 wrote to memory of 1984	2348	services.exe	77
PID 1984 wrote to memory of 1488	1984	cmd.exe	79
PID 1984 wrote to memory of 1488	1984	cmd.exe	79
PID 1984 wrote to memory of 1488	1984	cmd.exe	79
PID 1984 wrote to memory of 2772	1984	cmd.exe	80
PID 1984 wrote to memory of 2772	1984	cmd.exe	80
PID 1984 wrote to memory of 2772	1984	cmd.exe	80
PID 2772 wrote to memory of 840	2772	services.exe	81
PID 2772 wrote to memory of 840	2772	services.exe	81
PID 2772 wrote to memory of 840	2772	services.exe	81
PID 840 wrote to memory of 2032	840	cmd.exe	83
PID 840 wrote to memory of 2032	840	cmd.exe	83
PID 840 wrote to memory of 2032	840	cmd.exe	83
PID 840 wrote to memory of 448	840	cmd.exe	84
PID 840 wrote to memory of 448	840	cmd.exe	84
PID 840 wrote to memory of 448	840	cmd.exe	84
PID 448 wrote to memory of 1708	448	services.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2158b576c3795497156ffb624a8aabe93b309cd0f284daa7e32327d4f41bf0b9.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2158b576c3795497156ffb624a8aabe93b309cd0f284daa7e32327d4f41bf0b9.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2320
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2516
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1752
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2620
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Office\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2872
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Games\Multiplayer\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2876
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\de-DE\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2868
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2648
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2628
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1908
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2888
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\X0nrmdHBrq.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1088
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1964
      - C:\providercommon\services.exe
        
        "C:\providercommon\services.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\00pP7nIBMq.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1488
        
        C:\providercommon\services.exe
        
        "C:\providercommon\services.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2772
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MsMShxucCb.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:840
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2032
        
        C:\providercommon\services.exe
        
        "C:\providercommon\services.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:448
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NDsGBfOUR3.bat"
        11⤵
        
        PID:1708
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2404
        
        C:\providercommon\services.exe
        
        "C:\providercommon\services.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:264
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hANH4lx1y1.bat"
        13⤵
        
        PID:1340
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1952
        
        C:\providercommon\services.exe
        
        "C:\providercommon\services.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2836
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\X8VSEkwS9E.bat"
        15⤵
        
        PID:2496
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2848
        
        C:\providercommon\services.exe
        
        "C:\providercommon\services.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2660
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\19YD2Vui68.bat"
        17⤵
        
        PID:1752
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2144
        
        C:\providercommon\services.exe
        
        "C:\providercommon\services.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1700
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0uTXzTWsAa.bat"
        19⤵
        
        PID:836
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2384
        
        C:\providercommon\services.exe
        
        "C:\providercommon\services.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1744
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cV1vwDPsky.bat"
        21⤵
        
        PID:908
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2696
        
        C:\providercommon\services.exe
        
        "C:\providercommon\services.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1736
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jClCs9nEU3.bat"
        23⤵
        
        PID:2884
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:876
        
        C:\providercommon\services.exe
        
        "C:\providercommon\services.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Office\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Office\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Games\Multiplayer\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Multiplayer\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Games\Multiplayer\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Mail\de-DE\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\de-DE\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Mail\de-DE\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\providercommon\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
56aa9bc0b678915fff71b9255b84846b

SHA1
8d3ceb681226940b56f4478a1bb8bacbb33b205e

SHA256
38d2533803416c69cb1c67c764ed47d9991e92bfc39907e1642798bce26ccd61

SHA512
758c4492398a15d1a16294fffd5e48e614f23281580c5451c06e6cb15255e050025db9f5966a92862d641fcc82b7dbad0a9a6a1812f271522aff8b9c174215ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cd8773ce2102d657d12244e7496750e8

SHA1
e7bfa74d1ff11e0621fba5d8f4ccd430c3092eec

SHA256
959aed8d4e2a2b6c142cbe351b6d797b5450591e88f84c99a47e5a15087c00fa

SHA512
88ea0753976b2f90fee29eb51ee6430aa0e42e6d98015d1c2496571854ceef6ddb29f228ea7a6d65039ca97707860b7007164b0f74f0325a6ddc7dea87668abc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
859389bd01be5d32b330382af7a29a91

SHA1
950f35827c54200c2dd9694b05b6b859406a8781

SHA256
140b6f3560c4ed0e6c576d85c7dff3a7196d2a2390c55eb4d646718179068ec8

SHA512
49b8cfd43ce14c1d63b63b6a3d06bcab577616fbfa9369b5cd4202c93b1c3216e6266fd5afdef107cdde2afa3255c786810af8ebc84148f1132ecb6219e2a36c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
065a4477c59934bbd7c559a93b41619f

SHA1
0e1e054ebd7a9e5e9c3720aa47e9b0b65d75702b

SHA256
d1ceba4fe38b86418e3bcd4b29ed27794eeca29b273fcf8c921ae58d4b5f6a02

SHA512
2be0eb920fbef266c317bf70966d97711f901eff5e417318d984b57ad3a30b799ba343715d104a23be3f20ccea1abb1fbf0ffa681689b2f0913b657e2ca7fa95

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1e19dd6ed3ebc94e9aa182bb19b91626

SHA1
9931dbe81d17b2515ccf5afbdef1e65b1b0329dc

SHA256
bada61d4c285593b433fa0656be8594fed54f7a47ec9d41cced2386442a3599d

SHA512
33b656b4abebb6f866778f49cc3f8d3e509e7a34219886d4b81cf8d83769914345055554eff2cc5ade26c36db8dbc0662f775c3c07783fcabc714630c59d72bb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
24c3db4da0b298de9d198f343983f543

SHA1
f3a72205f6e34e5b2a77fd7993ef21a8e4de5339

SHA256
6079bedd87ebf7dc44e2afdce2435ad3c8bf6f319a77ce1947fb0ad1c14fbf49

SHA512
5e1831f4588d3a7dbe54d07c4670c54601f45259f2a2d1bc2bb1604582298bfa38575f2b948e57a929cd284b6d7ac6aa6f59550684421410468d3638dbe05faa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1f64ed83b4a55e140b029c799f1f8e4a

SHA1
be8817c79ce84a18afbbaaf382e3cad1d128d80c

SHA256
bbdf4bafa9e59ffb73a108679687f7d5843b65b9122e0ba678b2f2bf0d947b1d

SHA512
6a8ab3243f7d648b5fb1268e2a1191e1d951e11618af75ae34f754c42eb730e9c6e6b20e434174a53a57713f09154b8a520bd42d8693cc62e31cf9c8371acd66

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
98ed26e1c90006240206bd44ddc43a9a

SHA1
689647eacc62fa1c9e8f2f5b9d93ec049f3d2e6a

SHA256
e61d8c1e6afe050b4b0e10e8e60434edcacf6a539530af6bb67e04949d3fa2dc

SHA512
03e377c45454c6b83327e03980a4110dd115abeec369fb4d09212faba821f60d94614fdeef26f69369dfc01afa9cf18250a628accf2e59a9ae498c1340df6871

Download Submit
C:\Users\Admin\AppData\Local\Temp\00pP7nIBMq.bat

Filesize
195B

MD5
22dd0fa4155fe682d628e0c2cab39f1f

SHA1
4b71bec03e2ebf57e90e22cbef95ce3a25c6a498

SHA256
c2aa04806badf8bbd4470c32589ba7f853ec32bda3c9c95ba3d7c1940556ee4e

SHA512
c6ef26c9342cc76b6396dd305262ca023a71f03c462d904c1807c626a3124c95a2331f77c3b9f8739ea7736c73391708bb7052e0d561344a2919526f5bea61c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\0uTXzTWsAa.bat

Filesize
195B

MD5
b1be2fa369ff3e4821a11ccf9055c238

SHA1
19f4fa87a7a6fbbe370333c366ec14140b10cbdd

SHA256
f93f0053ec00377cfe0704d169929d502c84c67ab2183fd4cf3dd867755a8476

SHA512
6ddb63479d60de7159db775c898532448087dbc98accfa95b36b720d92d6effacbeadd5c8c2d42d3106d2f94ab7a835a2a108a8c37d2381b4122f6fc079189df

Download Submit
C:\Users\Admin\AppData\Local\Temp\19YD2Vui68.bat

Filesize
195B

MD5
ee7d2b186f54096e2ede73ed4789ea84

SHA1
1e79de2c761efc6c6abc7bb1769865070ac9ab91

SHA256
712f786f17b6965e6105098fdcc0d1559e2145d18c3ed045e6dc0fefd0c3409c

SHA512
545d11a10b0dc2536208abe71c6387008d7adc58a30bacfbe7a090fb3b4f6be2eff62f2c05942ce0a941ec4f726315c27533ddf7237ca28810dbc6bc8eb3663b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6E6.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MsMShxucCb.bat

Filesize
195B

MD5
3c2855b30c3a4ab07ddfa9b190ae1ce8

SHA1
83712d5d2ada8c63703391c5e126f11d6a94c6ba

SHA256
b2d19be64ef13ecbb66d3885c472004966e1c352d3b76ffd2cefb293c94e5414

SHA512
6d70c32d410bbfa858a7be5bab18a0f4c5d8641097989d1b7a5ae1a959e5e4b6f6ff627def9f2185682e43bf45532e98a93c4ffbe70942038b8b394dfa502034

Download Submit
C:\Users\Admin\AppData\Local\Temp\NDsGBfOUR3.bat

Filesize
195B

MD5
3ad1e822f2772319a07055b3ec23d4cb

SHA1
fbbd8a53b21222edc035f539daa22cced19b2f0d

SHA256
b501104372c73c5325caf60f9703fa8e42dabb73755b67517142d541bf5446cc

SHA512
b3c2a1154de1967b87faea73914d70b6f7e52ccde45563e984fde4663390b6f0b24a82d5c875d5122da7ecf8e276bb411aa446cdd421ea9b4c151d1a65ad9a1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar708.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\X0nrmdHBrq.bat

Filesize
195B

MD5
b037fb9d85eb94ba232658fbf7af4cc7

SHA1
a74074a871cafe571fecdee09636c7a4d8166921

SHA256
78aead15d19f64e515b0a8d5462c59818046c098a439a13d4baae3add3321627

SHA512
6943619d8380d58fc2d6b9eabd536b6a9d37b610760555157b03fc656cfc4207069f8e1bf350ccce06bb049900e26dbf1a2af6243d84df7ba1698bd0bff9d38c

Download Submit
C:\Users\Admin\AppData\Local\Temp\X8VSEkwS9E.bat

Filesize
195B

MD5
92d8e9cc7188aa97fb9fd5d6221c237f

SHA1
01b30106a9cbeccbbd7a902e4f7a6cd34ca4370d

SHA256
b87e1ff3dfd75905a23523038475e00d2c6534ba556141a5c89ec30e2633beee

SHA512
1b4ae8bcbed06777a48f1b5c89bd8f28ab2cc26a5c110e89e89c493c4a784307f7f9479296a04ca2dc6ffb048fadb1112fa1d8887ea056f6e8180b9d01edb779

Download Submit
C:\Users\Admin\AppData\Local\Temp\cV1vwDPsky.bat

Filesize
195B

MD5
5396686deee9d78833ca569321f6cbca

SHA1
7230b51a431edb98591ecbbe1442e4c5b9e4502b

SHA256
9404a30f1775bf733dbf3a7b65bd25ad675667963e25ef5643de74bcbde00cde

SHA512
e6102ea7bc7d04faf89a43a403dc6f5cac28cf27b72b84a988ff56f8c7348f5d7f47d627ab2864e33e1a058f58377987ef4bc0dc0df0e612945718fe2212a055

Download Submit
C:\Users\Admin\AppData\Local\Temp\hANH4lx1y1.bat

Filesize
195B

MD5
7072b719f56d223b58d3b6acb824f9e1

SHA1
7215f58036cb5e6841719132f13522617a1a5aeb

SHA256
f46a65229f5952c1eb2ee92f24f6c807776dc1e1c43190887682fcd85d829c5d

SHA512
a61ad8a4d7e9fa9d8c694d98d30b016969f90d6c5b9c4baa7c4498ac83ee575a5696f3418008b831ce9a24301be8c72098a9c86fc9b1e6f5b7adc2bbb93a98c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\jClCs9nEU3.bat

Filesize
195B

MD5
cfad13e75ac7eade7bae64d082f350c8

SHA1
c8b52c8fb428300fcca353291cb55a1a642b1f8e

SHA256
98d4422b994a2cb7fbc481f0632dca0c8b3d5fc88e3623a36f418fbfafddb71e

SHA512
76495f84d6df29358499275b6b6d1453a7bf9a52ed028771d9de92d54ef68915cd33365b0b63d2cd1519630d7aa0c719261b23d1c4c351bbb0aae1dcd50f3eb2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
84011f247d00958ff46c84f982eed150

SHA1
45c9984b902ca85dc97e2d9c3d88e8c45636adb7

SHA256
8843a3f391f3ce9dd7ad2b40226543f0d37b5c1dd9e55a3fe7a25a8ad922759c

SHA512
e2cc95a79ed33d19090b3a61cc9fb984ee585917482448ce9ba03f22056c267f551b7526fafb469186dca15ecc5371f67069d9a988513e7e43d1039c91c89339

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/264-260-0x00000000001B0000-0x00000000002C0000-memory.dmp

Filesize
1.1MB

Download
memory/448-200-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/448-199-0x0000000000F90000-0x00000000010A0000-memory.dmp

Filesize
1.1MB

Download
memory/1700-440-0x0000000000280000-0x0000000000390000-memory.dmp

Filesize
1.1MB

Download
memory/1736-561-0x00000000001E0000-0x00000000002F0000-memory.dmp

Filesize
1.1MB

Download
memory/1736-562-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/1744-500-0x00000000012F0000-0x0000000001400000-memory.dmp

Filesize
1.1MB

Download
memory/1744-501-0x0000000000160000-0x0000000000172000-memory.dmp

Filesize
72KB

Download
memory/1752-15-0x0000000000360000-0x000000000036C000-memory.dmp

Filesize
48KB

Download
memory/1752-16-0x0000000000350000-0x000000000035C000-memory.dmp

Filesize
48KB

Download
memory/1752-14-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download
memory/1752-13-0x00000000008D0000-0x00000000009E0000-memory.dmp

Filesize
1.1MB

Download
memory/1752-17-0x0000000000370000-0x000000000037C000-memory.dmp

Filesize
48KB

Download
memory/2004-622-0x0000000001350000-0x0000000001460000-memory.dmp

Filesize
1.1MB

Download
memory/2348-81-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/2348-80-0x0000000000E40000-0x0000000000F50000-memory.dmp

Filesize
1.1MB

Download
memory/2628-47-0x0000000001E60000-0x0000000001E68000-memory.dmp

Filesize
32KB

Download
memory/2628-42-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

Filesize
2.9MB

Download
memory/2660-380-0x0000000000220000-0x0000000000330000-memory.dmp

Filesize
1.1MB

Download
memory/2836-320-0x00000000000E0000-0x00000000001F0000-memory.dmp

Filesize
1.1MB

Download