dcrat | 7165f7aa2d27b2a785f34a620012232d87e2aa7a886f84edf77c8b5df1bde1ad

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 08:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_7165f7aa2d27b2a785f34a620012232d87e2aa7a886f84edf77c8b5df1bde1ad.exe
Size

1.3MB
MD5

2b995f0184bd3b5a518216a272ad5395
SHA1

924ae1241cf0e3a01097a13c6ab7a04bb6adbf68
SHA256

7165f7aa2d27b2a785f34a620012232d87e2aa7a886f84edf77c8b5df1bde1ad
SHA512

a82dec0540eef8dfd504b6a1e8b5789ea11610c604d4f1692ef5ea95b72d83258412ba0475f84ff2175a7499209efdf0409cc79ec3585d77da49ee67ccdf3ec0
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	2592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	2592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	2592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	2592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	2592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1356	2592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	2592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1240	2592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	584	2592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	2592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	2592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	2592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	2592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	2592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	2592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	2592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	2592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	2592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	948	2592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1392	2592	schtasks.exe	34

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000700000001932d-11.dat	dcrat
behavioral1/memory/2724-13-0x0000000001150000-0x0000000001260000-memory.dmp	dcrat
behavioral1/memory/2228-80-0x0000000000BD0000-0x0000000000CE0000-memory.dmp	dcrat
behavioral1/memory/884-140-0x00000000012F0000-0x0000000001400000-memory.dmp	dcrat
behavioral1/memory/1192-377-0x0000000000280000-0x0000000000390000-memory.dmp	dcrat
behavioral1/memory/1592-437-0x0000000000A50000-0x0000000000B60000-memory.dmp	dcrat
behavioral1/memory/2600-617-0x0000000001300000-0x0000000001410000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2340	powershell.exe
324	powershell.exe
1524	powershell.exe
2336	powershell.exe
628	powershell.exe
536	powershell.exe
1688	powershell.exe
772	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2724	DllCommonsvc.exe
2228	csrss.exe
884	csrss.exe
2948	csrss.exe
2288	csrss.exe
2060	csrss.exe
1192	csrss.exe
1592	csrss.exe
2384	csrss.exe
3020	csrss.exe
2108	csrss.exe
2600	csrss.exe

Loads dropped DLL 2 IoCs

pid	Process
2896	cmd.exe
2896	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 14 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
10	raw.githubusercontent.com
17	raw.githubusercontent.com
23	raw.githubusercontent.com
40	raw.githubusercontent.com
4	raw.githubusercontent.com
9	raw.githubusercontent.com
20	raw.githubusercontent.com
36	raw.githubusercontent.com
27	raw.githubusercontent.com
30	raw.githubusercontent.com
33	raw.githubusercontent.com
41	raw.githubusercontent.com
13	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7165f7aa2d27b2a785f34a620012232d87e2aa7a886f84edf77c8b5df1bde1ad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2220	schtasks.exe
2260	schtasks.exe
2348	schtasks.exe
1240	schtasks.exe
1932	schtasks.exe
2820	schtasks.exe
948	schtasks.exe
2436	schtasks.exe
3056	schtasks.exe
2096	schtasks.exe
2940	schtasks.exe
1976	schtasks.exe
1392	schtasks.exe
2568	schtasks.exe
1356	schtasks.exe
584	schtasks.exe
2248	schtasks.exe
2620	schtasks.exe
2752	schtasks.exe
1728	schtasks.exe
2816	schtasks.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
2724	DllCommonsvc.exe
772	powershell.exe
2336	powershell.exe
2340	powershell.exe
1524	powershell.exe
628	powershell.exe
536	powershell.exe
1688	powershell.exe
324	powershell.exe
2228	csrss.exe
884	csrss.exe
2948	csrss.exe
2288	csrss.exe
2060	csrss.exe
1192	csrss.exe
1592	csrss.exe
2384	csrss.exe
3020	csrss.exe
2600	csrss.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	2724	DllCommonsvc.exe
Token: SeDebugPrivilege	772	powershell.exe
Token: SeDebugPrivilege	2336	powershell.exe
Token: SeDebugPrivilege	2340	powershell.exe
Token: SeDebugPrivilege	1524	powershell.exe
Token: SeDebugPrivilege	628	powershell.exe
Token: SeDebugPrivilege	536	powershell.exe
Token: SeDebugPrivilege	1688	powershell.exe
Token: SeDebugPrivilege	324	powershell.exe
Token: SeDebugPrivilege	2228	csrss.exe
Token: SeDebugPrivilege	884	csrss.exe
Token: SeDebugPrivilege	2948	csrss.exe
Token: SeDebugPrivilege	2288	csrss.exe
Token: SeDebugPrivilege	2060	csrss.exe
Token: SeDebugPrivilege	1192	csrss.exe
Token: SeDebugPrivilege	1592	csrss.exe
Token: SeDebugPrivilege	2384	csrss.exe
Token: SeDebugPrivilege	3020	csrss.exe
Token: SeDebugPrivilege	2600	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2120 wrote to memory of 2772	2120	JaffaCakes118_7165f7aa2d27b2a785f34a620012232d87e2aa7a886f84edf77c8b5df1bde1ad.exe	30
PID 2120 wrote to memory of 2772	2120	JaffaCakes118_7165f7aa2d27b2a785f34a620012232d87e2aa7a886f84edf77c8b5df1bde1ad.exe	30
PID 2120 wrote to memory of 2772	2120	JaffaCakes118_7165f7aa2d27b2a785f34a620012232d87e2aa7a886f84edf77c8b5df1bde1ad.exe	30
PID 2120 wrote to memory of 2772	2120	JaffaCakes118_7165f7aa2d27b2a785f34a620012232d87e2aa7a886f84edf77c8b5df1bde1ad.exe	30
PID 2772 wrote to memory of 2896	2772	WScript.exe	31
PID 2772 wrote to memory of 2896	2772	WScript.exe	31
PID 2772 wrote to memory of 2896	2772	WScript.exe	31
PID 2772 wrote to memory of 2896	2772	WScript.exe	31
PID 2896 wrote to memory of 2724	2896	cmd.exe	33
PID 2896 wrote to memory of 2724	2896	cmd.exe	33
PID 2896 wrote to memory of 2724	2896	cmd.exe	33
PID 2896 wrote to memory of 2724	2896	cmd.exe	33
PID 2724 wrote to memory of 628	2724	DllCommonsvc.exe	56
PID 2724 wrote to memory of 628	2724	DllCommonsvc.exe	56
PID 2724 wrote to memory of 628	2724	DllCommonsvc.exe	56
PID 2724 wrote to memory of 536	2724	DllCommonsvc.exe	57
PID 2724 wrote to memory of 536	2724	DllCommonsvc.exe	57
PID 2724 wrote to memory of 536	2724	DllCommonsvc.exe	57
PID 2724 wrote to memory of 1688	2724	DllCommonsvc.exe	58
PID 2724 wrote to memory of 1688	2724	DllCommonsvc.exe	58
PID 2724 wrote to memory of 1688	2724	DllCommonsvc.exe	58
PID 2724 wrote to memory of 772	2724	DllCommonsvc.exe	59
PID 2724 wrote to memory of 772	2724	DllCommonsvc.exe	59
PID 2724 wrote to memory of 772	2724	DllCommonsvc.exe	59
PID 2724 wrote to memory of 2340	2724	DllCommonsvc.exe	60
PID 2724 wrote to memory of 2340	2724	DllCommonsvc.exe	60
PID 2724 wrote to memory of 2340	2724	DllCommonsvc.exe	60
PID 2724 wrote to memory of 324	2724	DllCommonsvc.exe	61
PID 2724 wrote to memory of 324	2724	DllCommonsvc.exe	61
PID 2724 wrote to memory of 324	2724	DllCommonsvc.exe	61
PID 2724 wrote to memory of 1524	2724	DllCommonsvc.exe	62
PID 2724 wrote to memory of 1524	2724	DllCommonsvc.exe	62
PID 2724 wrote to memory of 1524	2724	DllCommonsvc.exe	62
PID 2724 wrote to memory of 2336	2724	DllCommonsvc.exe	63
PID 2724 wrote to memory of 2336	2724	DllCommonsvc.exe	63
PID 2724 wrote to memory of 2336	2724	DllCommonsvc.exe	63
PID 2724 wrote to memory of 1148	2724	DllCommonsvc.exe	72
PID 2724 wrote to memory of 1148	2724	DllCommonsvc.exe	72
PID 2724 wrote to memory of 1148	2724	DllCommonsvc.exe	72
PID 1148 wrote to memory of 1336	1148	cmd.exe	74
PID 1148 wrote to memory of 1336	1148	cmd.exe	74
PID 1148 wrote to memory of 1336	1148	cmd.exe	74
PID 1148 wrote to memory of 2228	1148	cmd.exe	75
PID 1148 wrote to memory of 2228	1148	cmd.exe	75
PID 1148 wrote to memory of 2228	1148	cmd.exe	75
PID 2228 wrote to memory of 1876	2228	csrss.exe	76
PID 2228 wrote to memory of 1876	2228	csrss.exe	76
PID 2228 wrote to memory of 1876	2228	csrss.exe	76
PID 1876 wrote to memory of 2852	1876	cmd.exe	78
PID 1876 wrote to memory of 2852	1876	cmd.exe	78
PID 1876 wrote to memory of 2852	1876	cmd.exe	78
PID 1876 wrote to memory of 884	1876	cmd.exe	79
PID 1876 wrote to memory of 884	1876	cmd.exe	79
PID 1876 wrote to memory of 884	1876	cmd.exe	79
PID 884 wrote to memory of 1696	884	csrss.exe	80
PID 884 wrote to memory of 1696	884	csrss.exe	80
PID 884 wrote to memory of 1696	884	csrss.exe	80
PID 1696 wrote to memory of 2616	1696	cmd.exe	82
PID 1696 wrote to memory of 2616	1696	cmd.exe	82
PID 1696 wrote to memory of 2616	1696	cmd.exe	82
PID 1696 wrote to memory of 2948	1696	cmd.exe	83
PID 1696 wrote to memory of 2948	1696	cmd.exe	83
PID 1696 wrote to memory of 2948	1696	cmd.exe	83
PID 2948 wrote to memory of 1556	2948	csrss.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7165f7aa2d27b2a785f34a620012232d87e2aa7a886f84edf77c8b5df1bde1ad.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7165f7aa2d27b2a785f34a620012232d87e2aa7a886f84edf77c8b5df1bde1ad.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2120
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2896
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2724
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:628
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:536
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1688
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:772
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2340
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:324
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1524
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2336
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pZIYUXLBEp.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1148
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1336
      - C:\providercommon\csrss.exe
        
        "C:\providercommon\csrss.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2228
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sQQ1IAg9p0.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1876
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2852
        
        C:\providercommon\csrss.exe
        
        "C:\providercommon\csrss.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:884
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CZdmQsnKkU.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1696
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2616
        
        C:\providercommon\csrss.exe
        
        "C:\providercommon\csrss.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2948
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QOz0umrEhM.bat"
        11⤵
        
        PID:1556
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1724
        
        C:\providercommon\csrss.exe
        
        "C:\providercommon\csrss.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2288
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ffEuziAK6w.bat"
        13⤵
        
        PID:2844
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2732
        
        C:\providercommon\csrss.exe
        
        "C:\providercommon\csrss.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2060
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Pi2dGiCBJ7.bat"
        15⤵
        
        PID:2252
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1536
        
        C:\providercommon\csrss.exe
        
        "C:\providercommon\csrss.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1192
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\15yWIDpGaf.bat"
        17⤵
        
        PID:1584
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1684
        
        C:\providercommon\csrss.exe
        
        "C:\providercommon\csrss.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1592
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0IgHXqOu0A.bat"
        19⤵
        
        PID:2632
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2856
        
        C:\providercommon\csrss.exe
        
        "C:\providercommon\csrss.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2384
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IJ9EkrtYDM.bat"
        21⤵
        
        PID:2940
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:764
        
        C:\providercommon\csrss.exe
        
        "C:\providercommon\csrss.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3020
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\v9lJjcBPjH.bat"
        23⤵
        
        PID:1608
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:324
        
        C:\providercommon\csrss.exe
        
        "C:\providercommon\csrss.exe"
        24⤵
        Executes dropped EXE
        
        PID:2108
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Rn5V8mQYRH.bat"
        25⤵
        
        PID:1140
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:1292
        
        C:\providercommon\csrss.exe
        
        "C:\providercommon\csrss.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2600
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JDh6J9oWuS.bat"
        27⤵
        
        PID:1680
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e69bfd94fe7161a544f69d3e57f089a6

SHA1
dc1df4f945b79d1f3251cb2c0b3b2f320ba5ae4b

SHA256
4b666f92f3a46e6707f938988b02221f5f9ada7ca9d49d6ae083492379425e14

SHA512
5dd6e333c732a6225f78866f43d3add69e7d3c1590205cc364d0dadee84f31a3e15c94b20ce1d35a0a89a260eb4d996f3980788ffe997c6cf982751bd434308d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
98eb31eace5feb2b301999c076ccb80a

SHA1
0ab7c0c732c7768dcaf53abbae0b1033c899d587

SHA256
9a6d6928c53136b4534b42306f4407dc046cd057d560320ecdd11b1d1e68fba3

SHA512
21a61d8708d3669773b707261026e1b43a8880905b2bc4611d940f3935880d889b3d11ea49b196b88d5316487e09bce96472293bd064cb70d880023b535a5ba4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0cf8a03d42293d1530f6ca8a108de3a6

SHA1
a2d9b8947cc680e73386ecab2499b3c13512849d

SHA256
c46e3459579ec4570667ec2325c51666c3657f6bda92afe1c6d8a1e4c8bc4a61

SHA512
a049198dbe3f0819769594bbee2ca64f554c9d9502096d0f6b9325cf0d31a66cd8589b141c4efdb73b4b003e1f3bd9969adb646247ad70bfeba6d41d58640b0f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5155d926d3136516ca43cd6ff850156b

SHA1
04b259c179783ab72817ebb87926a12cd4c94638

SHA256
54083a4d38428a02cea97dfb28f984313d14b334bcab6ca291bc1b221fb47185

SHA512
534c5f4d0f44b09f8073bacd7de9e49f48a59db789c09af66a444bfea27358fad56eac02fe97044b832f927fd9804d708088bd667f931e91daf093f13908b709

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e7722b628a3faea0fc501e193b9f1261

SHA1
75444bd70dfbcbe135e058b7436b51d0f4d50c79

SHA256
47cbed1c28cde1ef625af9d620c8f5fbc14fe55bafc0f4c7a6f5defd89ebc01f

SHA512
d35a635bcbd0e7c7f63da2e8b9e213a106895adb0f0b7e458d2b68221c591cf8e68a0f67392c54c2156f6998df4a02624140083afdabd2231d91e4d4d979ed60

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8429f30a44c9dc7b223459a5ffca518c

SHA1
e98e215bfab50af276297cc85e81612280b3911b

SHA256
d14157729d70c7149453f0f0a74b6932352d492e72840446c2fbb6c545074d29

SHA512
d3dd5291dedb441a4cfd1b6b84cb4ebb35c7d335363e7a4c6449c8b621a4901bac76a08cd722576f17b43e23308043c668db75e3c11d64e7942e93f6a38cd440

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
32873dec65a6efc5444435a4a064d6be

SHA1
172ff83939349b18f5264c2c109148ee693c0c0e

SHA256
780bc5f4e4286ae1e28ae5cce0f234fe0d62df9d11cb7d23ad0f79401ca5952c

SHA512
9d1d08ae7b5da4795af6c10f329f1af680c42805c7c882611d29c3ee0a129fc2ba64c54b1ff6f6d6bbde5c1576b72fb5d1432709f62d430bd37e5a7a41c0d9c2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e6b3f922a194b7796a3fcc4732585fcd

SHA1
4685620548609fbd7ef2739b0f4e3ce8be42e8e0

SHA256
1a0e8573ae4f54520a65a4260e4282e3ece7c7acbde32ded257a1cfd6654f3c2

SHA512
41feaa9a6d4c76ff849e4e09ba8e9ce1bcfa06aaf4e348a1e075b507a79c126531c3de9b581d0802ef3f4b6227e5a30f845f4c542bcada738779618ea27f1f32

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ee686e00440dd6c741f123b007e14200

SHA1
308b4ded86724f152143ed08f9073dc57c9013bb

SHA256
d5de51f36c63dc396979ec2d5c000dbc567113195db686c5b79106d0f91d36b4

SHA512
45fdd5f772e9911858fe96698ed0d2e4491dfde2cc11b443e667e6e149e504e75a3fb1caba58fa069608c07633af825df42cd4c232b1b78eeb0b50a55f1f62da

Download Submit
C:\Users\Admin\AppData\Local\Temp\0IgHXqOu0A.bat

Filesize
192B

MD5
9026c8330770950a2d5382af86d730ff

SHA1
729ddf380aeff7e543e16a5001a21872bdf1d305

SHA256
8028e7c3e32933d84d856ba9185490d3ca52e1d3e10b3d9d22617a64a4411fcf

SHA512
ad231455b5d7e57dd62ce2059bd69106dbc6060bc2510755587b46d1c4d977c7f11d12c9c1ec144aef7d0416c4ae8e672645d82c85bff0b2b82139352afafdc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\15yWIDpGaf.bat

Filesize
192B

MD5
b37cc4d74c6de06ba9441ab9bbae7382

SHA1
99bbe103f4128def461cb7eeb1a647e9ef8b2cfe

SHA256
7b1aabd3a902f6e6860d6fad75f8f61d98e6121b76ea1a31fe18b16013dd434b

SHA512
9c690e931270a6229a2137482d3de3c85f768b4898c0571d29343aca3bbfad90b71fbed2f6fcaeee7458ab6a52a8b737e59adc0ef051cc0cdd7ca341026c3e5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CZdmQsnKkU.bat

Filesize
192B

MD5
e83cabc739ff1003f38e7c1b587708bc

SHA1
5eac710c954ce4a09dc80b7dc9469654ff35d650

SHA256
e95c264d5aa5a5ef76606af7c25f7003229340ebf9c5a730f544f5e1ca46f897

SHA512
52510df1afb4bf22361d9ea4e289c9e29741ad582bb01be10dd7c01b5d60f073fad237484112869002fc610f4c52e80e860469bfb89e724e8c6ca89bcec53814

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6A2A.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IJ9EkrtYDM.bat

Filesize
192B

MD5
47a40f8a7c5f68875b23968b72f1081b

SHA1
5c84bc1e6c1b6f8d2698265617d67c44783279ff

SHA256
ebad2469d1bc8d24c3ea12cf1e1c7db53c660e5302e2d01f7d935dbb0225b915

SHA512
ba414f94746714b1c585dc690cdbe9f35177eb943043f7feb22dcd4fbc453ca18d0ae65b14f95a6c2b6e1cdb6325ab779743dfa9015ff4d397ee0027e4599b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\JDh6J9oWuS.bat

Filesize
192B

MD5
43c38fcb426fac0edd75977582cc02cb

SHA1
8d7fbc3b9645626ee5376a8cc8725497d0260a8a

SHA256
ce0af01a3a0e256b1ad4fc4d24580db07685d23ee09bbaf62bf701e3e346422b

SHA512
d8b0daeec1241bab1acc2949c288d538371f9c6c5fa485c08b0c73aa10ed0ef457fb4a034b5ccab0c906827650f3291d146b0b08743d6c611fe4149c2dd27802

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pi2dGiCBJ7.bat

Filesize
192B

MD5
b873a7b3b697d13db8c91c4a88a710ec

SHA1
d6d2521af9dd67a3cc5f57a73c5e0cf035e097da

SHA256
2aa480b42d86fda4af2c06edb3287990f7792bd8667e707febbd038f8d4b5a94

SHA512
ef6333600971d1863c84a801cb95e43318d6ce9095c8bc21e3167faf9eec0a9acf3f4abc0e213a9f07783297f369cbd0424eace9bd66cd0c827ecaae5a7eb9f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\QOz0umrEhM.bat

Filesize
192B

MD5
535901218171b0e536302711ed9e138f

SHA1
e5840c5fe1d1db454e0483facba58fa44a1633e2

SHA256
fc57ddf21338278dffabe763dbaec12aeeacce7f5b9f9fd473a4ed183a3f4c39

SHA512
c3e349670f8752d91d992f7604d1140b519d8ca8b0bb028394b8dcadc39154197929ff09e28cee908846b52d1e260defd9dc876aa90fd613945a67318c357ea4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6A4C.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ffEuziAK6w.bat

Filesize
192B

MD5
adce595c817f0fa0e955120ac520ef57

SHA1
d50ce3cd14a8ae31fd4faea6751b217f2ad14454

SHA256
abc4304e90094901d6d6d741bea520c5b919142b8105fd305dc39218386d7bd5

SHA512
14d917a6d0e01a06a8101b85b51f3886f2efa9dc144e0a7a83130203199350e694d528c449f00ddbeba84bb06d13009b7c6693d3c82aa84ec528ec4a6b7385d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\pZIYUXLBEp.bat

Filesize
192B

MD5
671394405572069e3f5dc72fc190f976

SHA1
7ebd374f3ec4fbf78fac4c410d61e267b9b9c936

SHA256
3af1b73669f3615d45969df37bdf7f4c83228bd44bb207b0f6dec6c5f83e3f16

SHA512
eecb9e569274778a8e6fde5663f5d117e1edd787cc5fd6e740ee00c902533b6d30f00b5386045b53af3d08f78f644bb08cd388848d2f5ab462d8232c2e5130c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\sQQ1IAg9p0.bat

Filesize
192B

MD5
d44681dde8514066d7da5fceba22556b

SHA1
9a31d82c19508e14af3f2d8f1de5e588324e2dca

SHA256
5a3518b92d915a8c73a15d3bde54cf18197ee6502fca6c4edee8a38c8e1e33d3

SHA512
bde0fef276b0f6693913654183984105c9b3709d77fff7715f9a95ea70eab40258994315f31a3c5cc40bbf23e1dd7b867ee63122a042e5b26aea099ef9acb85f

Download Submit
C:\Users\Admin\AppData\Local\Temp\v9lJjcBPjH.bat

Filesize
192B

MD5
451aecaed6127508b25fb8623df23cf8

SHA1
a995d4af04418d7f380e8a2129fb48f1b08d15aa

SHA256
1332bec07fb3988a02d2285447c3e18507597ca0be982924c4c03b42321ec0fb

SHA512
2ea386227301d8811c68910a439b3ff9aa1a16c70f8d27b70455cb7c463d2aa6d83eb88fd0d43891cc5cba6796aee0741a6ac2dc70e6bdd6b4da2a4a27d9636e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\FSRMZTYVRJIADXQPU9XN.temp

Filesize
7KB

MD5
322299cfed82b4debfab313b55e39b9b

SHA1
db7e069a44e76b7eecc4223cea9c52620036d04f

SHA256
911c5cf295e60b93ca30000dddd546e75be94d1321db0bc59a924b3839694397

SHA512
d516d2a1049bc118772aebb2f26987bdeede2e0e085a1035f3c9b6aa9b6e8c22f263266b93a8d2ea8b426ba269498a484febdb08510560e4a1501c1959a6062a

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/884-140-0x00000000012F0000-0x0000000001400000-memory.dmp

Filesize
1.1MB

Download
memory/1192-377-0x0000000000280000-0x0000000000390000-memory.dmp

Filesize
1.1MB

Download
memory/1592-437-0x0000000000A50000-0x0000000000B60000-memory.dmp

Filesize
1.1MB

Download
memory/2228-81-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/2228-80-0x0000000000BD0000-0x0000000000CE0000-memory.dmp

Filesize
1.1MB

Download
memory/2336-50-0x000000001B660000-0x000000001B942000-memory.dmp

Filesize
2.9MB

Download
memory/2336-56-0x0000000002890000-0x0000000002898000-memory.dmp

Filesize
32KB

Download
memory/2600-617-0x0000000001300000-0x0000000001410000-memory.dmp

Filesize
1.1MB

Download
memory/2724-15-0x0000000000A10000-0x0000000000A1C000-memory.dmp

Filesize
48KB

Download
memory/2724-13-0x0000000001150000-0x0000000001260000-memory.dmp

Filesize
1.1MB

Download
memory/2724-14-0x00000000009F0000-0x0000000000A02000-memory.dmp

Filesize
72KB

Download
memory/2724-17-0x0000000000AA0000-0x0000000000AAC000-memory.dmp

Filesize
48KB

Download
memory/2724-16-0x0000000000A00000-0x0000000000A0C000-memory.dmp

Filesize
48KB

Download