dcrat | b4cb526f1efedc66d6f52a077d6f08a2a85df008f38cb976e2ed63e145c92af7

Analysis

max time kernel
145s
max time network
140s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 10:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_b4cb526f1efedc66d6f52a077d6f08a2a85df008f38cb976e2ed63e145c92af7.exe
Size

1.3MB
MD5

cadb980be2fced092271c63fe8dc6760
SHA1

96fc46a776a20fe5915a8c967e25ee533a2a2799
SHA256

b4cb526f1efedc66d6f52a077d6f08a2a85df008f38cb976e2ed63e145c92af7
SHA512

ab16343cc18f65eb75fbee9064ff4e596ff927c4f4c6a4da89359c07c301328062c49291b1c626d2360c525a101a92c94e2ba05a0e6ea528ea4b8dfb080af553
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	692	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1472	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1868	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	396	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	580	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1968	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	2584	schtasks.exe	34

DCRat payload 13 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000800000001686c-12.dat	dcrat
behavioral1/memory/2872-13-0x0000000000C20000-0x0000000000D30000-memory.dmp	dcrat
behavioral1/memory/2776-41-0x0000000000F00000-0x0000000001010000-memory.dmp	dcrat
behavioral1/memory/2808-185-0x0000000000390000-0x00000000004A0000-memory.dmp	dcrat
behavioral1/memory/944-245-0x0000000000CF0000-0x0000000000E00000-memory.dmp	dcrat
behavioral1/memory/2716-305-0x0000000000380000-0x0000000000490000-memory.dmp	dcrat
behavioral1/memory/1776-366-0x0000000000F30000-0x0000000001040000-memory.dmp	dcrat
behavioral1/memory/2244-426-0x0000000000F80000-0x0000000001090000-memory.dmp	dcrat
behavioral1/memory/1128-486-0x0000000000320000-0x0000000000430000-memory.dmp	dcrat
behavioral1/memory/3040-546-0x0000000001350000-0x0000000001460000-memory.dmp	dcrat
behavioral1/memory/2396-606-0x00000000002B0000-0x00000000003C0000-memory.dmp	dcrat
behavioral1/memory/976-666-0x00000000000B0000-0x00000000001C0000-memory.dmp	dcrat
behavioral1/memory/1588-726-0x0000000000CD0000-0x0000000000DE0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
668	powershell.exe
2668	powershell.exe
2360	powershell.exe
568	powershell.exe
1080	powershell.exe
632	powershell.exe

Executes dropped EXE 13 IoCs

pid	Process
2872	DllCommonsvc.exe
2776	DllCommonsvc.exe
2820	DllCommonsvc.exe
2808	DllCommonsvc.exe
944	DllCommonsvc.exe
2716	DllCommonsvc.exe
1776	DllCommonsvc.exe
2244	DllCommonsvc.exe
1128	DllCommonsvc.exe
3040	DllCommonsvc.exe
2396	DllCommonsvc.exe
976	DllCommonsvc.exe
1588	DllCommonsvc.exe

Loads dropped DLL 2 IoCs

pid	Process
2704	cmd.exe
2704	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
9	raw.githubusercontent.com
13	raw.githubusercontent.com
16	raw.githubusercontent.com
29	raw.githubusercontent.com
33	raw.githubusercontent.com
40	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
19	raw.githubusercontent.com
22	raw.githubusercontent.com
26	raw.githubusercontent.com
36	raw.githubusercontent.com

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Portable Devices\audiodg.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\42af1c969fbb7b	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\services.exe	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\c5b4cb5e9653cc	DllCommonsvc.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\Registration\spoolsv.exe	DllCommonsvc.exe
File created	C:\Windows\Registration\f3b6ecef712a24	DllCommonsvc.exe
File created	C:\Windows\Tasks\DllCommonsvc.exe	DllCommonsvc.exe
File opened for modification	C:\Windows\Tasks\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Windows\Tasks\a76d7bf15d8370	DllCommonsvc.exe
File created	C:\Windows\de-DE\winlogon.exe	DllCommonsvc.exe
File created	C:\Windows\de-DE\cc11b995f2a76d	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_b4cb526f1efedc66d6f52a077d6f08a2a85df008f38cb976e2ed63e145c92af7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1992	schtasks.exe
1472	schtasks.exe
2356	schtasks.exe
2628	schtasks.exe
580	schtasks.exe
2016	schtasks.exe
2108	schtasks.exe
2088	schtasks.exe
3024	schtasks.exe
1972	schtasks.exe
692	schtasks.exe
1968	schtasks.exe
1868	schtasks.exe
396	schtasks.exe
2640	schtasks.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
2872	DllCommonsvc.exe
2668	powershell.exe
668	powershell.exe
568	powershell.exe
2776	DllCommonsvc.exe
1080	powershell.exe
2360	powershell.exe
632	powershell.exe
2820	DllCommonsvc.exe
2808	DllCommonsvc.exe
944	DllCommonsvc.exe
2716	DllCommonsvc.exe
1776	DllCommonsvc.exe
2244	DllCommonsvc.exe
1128	DllCommonsvc.exe
3040	DllCommonsvc.exe
2396	DllCommonsvc.exe
976	DllCommonsvc.exe
1588	DllCommonsvc.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	2872	DllCommonsvc.exe
Token: SeDebugPrivilege	2668	powershell.exe
Token: SeDebugPrivilege	2776	DllCommonsvc.exe
Token: SeDebugPrivilege	668	powershell.exe
Token: SeDebugPrivilege	568	powershell.exe
Token: SeDebugPrivilege	1080	powershell.exe
Token: SeDebugPrivilege	2360	powershell.exe
Token: SeDebugPrivilege	632	powershell.exe
Token: SeDebugPrivilege	2820	DllCommonsvc.exe
Token: SeDebugPrivilege	2808	DllCommonsvc.exe
Token: SeDebugPrivilege	944	DllCommonsvc.exe
Token: SeDebugPrivilege	2716	DllCommonsvc.exe
Token: SeDebugPrivilege	1776	DllCommonsvc.exe
Token: SeDebugPrivilege	2244	DllCommonsvc.exe
Token: SeDebugPrivilege	1128	DllCommonsvc.exe
Token: SeDebugPrivilege	3040	DllCommonsvc.exe
Token: SeDebugPrivilege	2396	DllCommonsvc.exe
Token: SeDebugPrivilege	976	DllCommonsvc.exe
Token: SeDebugPrivilege	1588	DllCommonsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2092 wrote to memory of 2856	2092	JaffaCakes118_b4cb526f1efedc66d6f52a077d6f08a2a85df008f38cb976e2ed63e145c92af7.exe	30
PID 2092 wrote to memory of 2856	2092	JaffaCakes118_b4cb526f1efedc66d6f52a077d6f08a2a85df008f38cb976e2ed63e145c92af7.exe	30
PID 2092 wrote to memory of 2856	2092	JaffaCakes118_b4cb526f1efedc66d6f52a077d6f08a2a85df008f38cb976e2ed63e145c92af7.exe	30
PID 2092 wrote to memory of 2856	2092	JaffaCakes118_b4cb526f1efedc66d6f52a077d6f08a2a85df008f38cb976e2ed63e145c92af7.exe	30
PID 2856 wrote to memory of 2704	2856	WScript.exe	31
PID 2856 wrote to memory of 2704	2856	WScript.exe	31
PID 2856 wrote to memory of 2704	2856	WScript.exe	31
PID 2856 wrote to memory of 2704	2856	WScript.exe	31
PID 2704 wrote to memory of 2872	2704	cmd.exe	33
PID 2704 wrote to memory of 2872	2704	cmd.exe	33
PID 2704 wrote to memory of 2872	2704	cmd.exe	33
PID 2704 wrote to memory of 2872	2704	cmd.exe	33
PID 2872 wrote to memory of 668	2872	DllCommonsvc.exe	50
PID 2872 wrote to memory of 668	2872	DllCommonsvc.exe	50
PID 2872 wrote to memory of 668	2872	DllCommonsvc.exe	50
PID 2872 wrote to memory of 2668	2872	DllCommonsvc.exe	51
PID 2872 wrote to memory of 2668	2872	DllCommonsvc.exe	51
PID 2872 wrote to memory of 2668	2872	DllCommonsvc.exe	51
PID 2872 wrote to memory of 2360	2872	DllCommonsvc.exe	52
PID 2872 wrote to memory of 2360	2872	DllCommonsvc.exe	52
PID 2872 wrote to memory of 2360	2872	DllCommonsvc.exe	52
PID 2872 wrote to memory of 568	2872	DllCommonsvc.exe	53
PID 2872 wrote to memory of 568	2872	DllCommonsvc.exe	53
PID 2872 wrote to memory of 568	2872	DllCommonsvc.exe	53
PID 2872 wrote to memory of 632	2872	DllCommonsvc.exe	54
PID 2872 wrote to memory of 632	2872	DllCommonsvc.exe	54
PID 2872 wrote to memory of 632	2872	DllCommonsvc.exe	54
PID 2872 wrote to memory of 1080	2872	DllCommonsvc.exe	55
PID 2872 wrote to memory of 1080	2872	DllCommonsvc.exe	55
PID 2872 wrote to memory of 1080	2872	DllCommonsvc.exe	55
PID 2872 wrote to memory of 2776	2872	DllCommonsvc.exe	62
PID 2872 wrote to memory of 2776	2872	DllCommonsvc.exe	62
PID 2872 wrote to memory of 2776	2872	DllCommonsvc.exe	62
PID 2776 wrote to memory of 1580	2776	DllCommonsvc.exe	63
PID 2776 wrote to memory of 1580	2776	DllCommonsvc.exe	63
PID 2776 wrote to memory of 1580	2776	DllCommonsvc.exe	63
PID 1580 wrote to memory of 2216	1580	cmd.exe	65
PID 1580 wrote to memory of 2216	1580	cmd.exe	65
PID 1580 wrote to memory of 2216	1580	cmd.exe	65
PID 1580 wrote to memory of 2820	1580	cmd.exe	66
PID 1580 wrote to memory of 2820	1580	cmd.exe	66
PID 1580 wrote to memory of 2820	1580	cmd.exe	66
PID 2820 wrote to memory of 2764	2820	DllCommonsvc.exe	67
PID 2820 wrote to memory of 2764	2820	DllCommonsvc.exe	67
PID 2820 wrote to memory of 2764	2820	DllCommonsvc.exe	67
PID 2764 wrote to memory of 1804	2764	cmd.exe	69
PID 2764 wrote to memory of 1804	2764	cmd.exe	69
PID 2764 wrote to memory of 1804	2764	cmd.exe	69
PID 2764 wrote to memory of 2808	2764	cmd.exe	70
PID 2764 wrote to memory of 2808	2764	cmd.exe	70
PID 2764 wrote to memory of 2808	2764	cmd.exe	70
PID 2808 wrote to memory of 668	2808	DllCommonsvc.exe	71
PID 2808 wrote to memory of 668	2808	DllCommonsvc.exe	71
PID 2808 wrote to memory of 668	2808	DllCommonsvc.exe	71
PID 668 wrote to memory of 2200	668	cmd.exe	73
PID 668 wrote to memory of 2200	668	cmd.exe	73
PID 668 wrote to memory of 2200	668	cmd.exe	73
PID 668 wrote to memory of 944	668	cmd.exe	74
PID 668 wrote to memory of 944	668	cmd.exe	74
PID 668 wrote to memory of 944	668	cmd.exe	74
PID 944 wrote to memory of 352	944	DllCommonsvc.exe	75
PID 944 wrote to memory of 352	944	DllCommonsvc.exe	75
PID 944 wrote to memory of 352	944	DllCommonsvc.exe	75
PID 352 wrote to memory of 1484	352	cmd.exe	77

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b4cb526f1efedc66d6f52a077d6f08a2a85df008f38cb976e2ed63e145c92af7.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b4cb526f1efedc66d6f52a077d6f08a2a85df008f38cb976e2ed63e145c92af7.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2856
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2872
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:668
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Tasks\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2668
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\de-DE\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2360
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:568
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Registration\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:632
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office14\1033\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1080
    - - C:\Windows\Tasks\DllCommonsvc.exe
        
        "C:\Windows\Tasks\DllCommonsvc.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2776
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dgWvFyiHB2.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1580
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2216
        
        C:\Windows\Tasks\DllCommonsvc.exe
        
        "C:\Windows\Tasks\DllCommonsvc.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2820
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WOs9W2tFAs.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2764
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:1804
        
        C:\Windows\Tasks\DllCommonsvc.exe
        
        "C:\Windows\Tasks\DllCommonsvc.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2808
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\A1nTHBcTHH.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:668
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2200
        
        C:\Windows\Tasks\DllCommonsvc.exe
        
        "C:\Windows\Tasks\DllCommonsvc.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:944
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qO35UmqwIy.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:352
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1484
        
        C:\Windows\Tasks\DllCommonsvc.exe
        
        "C:\Windows\Tasks\DllCommonsvc.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2716
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VbZulfStaN.bat"
        14⤵
        
        PID:2928
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2008
        
        C:\Windows\Tasks\DllCommonsvc.exe
        
        "C:\Windows\Tasks\DllCommonsvc.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1776
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VeFqpJq3BV.bat"
        16⤵
        
        PID:2128
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2768
        
        C:\Windows\Tasks\DllCommonsvc.exe
        
        "C:\Windows\Tasks\DllCommonsvc.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2244
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9minE9DcLk.bat"
        18⤵
        
        PID:1008
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:700
        
        C:\Windows\Tasks\DllCommonsvc.exe
        
        "C:\Windows\Tasks\DllCommonsvc.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1128
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lAZRwHYzWc.bat"
        20⤵
        
        PID:2620
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:1864
        
        C:\Windows\Tasks\DllCommonsvc.exe
        
        "C:\Windows\Tasks\DllCommonsvc.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3040
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OoUlhQHDc2.bat"
        22⤵
        
        PID:1000
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2164
        
        C:\Windows\Tasks\DllCommonsvc.exe
        
        "C:\Windows\Tasks\DllCommonsvc.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2396
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HHf3c4kdaf.bat"
        24⤵
        
        PID:632
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2428
        
        C:\Windows\Tasks\DllCommonsvc.exe
        
        "C:\Windows\Tasks\DllCommonsvc.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:976
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5EJ4eIa89C.bat"
        26⤵
        
        PID:2616
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:1432
        
        C:\Windows\Tasks\DllCommonsvc.exe
        
        "C:\Windows\Tasks\DllCommonsvc.exe"
        27⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\Windows\Tasks\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Windows\Tasks\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "'C:\Windows\Tasks\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Windows\de-DE\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\de-DE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Windows\de-DE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Portable Devices\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Windows\Registration\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Registration\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Windows\Registration\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office\Office14\1033\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office\Office14\1033\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e0f27ac54a86349b9390fef53f7ec62d

SHA1
b37df940f70f3bf926c30e84c63be9a5b16a1529

SHA256
f8125c60c30967436c8f9bc60e3d3c406e3dd25190d52c0f434c9946b0b491ec

SHA512
494b99f137517b9e5af97e8e69b8f83fbb4c35f0c3c9d9c14cbe04c5f174c51fa0ce78fec88e60fd7c93d00ac72bb513b72726ff488539d8dc7efa6bbb5b1fa2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f0220482d88b8d18c03de83094e38a5d

SHA1
ac9a5bb8e8431e9337fc926a3003527a8694ba69

SHA256
1e00759fa1349e0730b5793f17e675b96f3b72a756af81715fe1380cacd0e9c5

SHA512
23e81f7ee220cb74d6b3378a6386e58a659166db3ec6ed2afc80fd3c906919c2827b8060f40d49ef9de47594f1ce9d96d44830a0f38c93985a1453339c798334

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
777e896151118a3c0f977961b2de2757

SHA1
e187fd8d1e59fb909ef216014506a52663468fe6

SHA256
34f1c0c1035418004c46b3fdd91af1b61150050e40470051bf50587517bea27a

SHA512
a7e35af50ddf6e3df4b8a9cdc13f457b14ba7124661e68030a47158eb94be0c93f450083611cfe2090014fff5be40a84e8dec5e77f0382253410ea2f8105c631

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
51550a2a23fef43e4357d6699fe0054a

SHA1
cee62e2013966dfc03750a62ed3aadec66526598

SHA256
072ff8f3fad0682f58d88344931ea418c5c9fda4767a6e86ee4dd8284411f408

SHA512
96bd1bb5c5d580a8f021f4630a4b78aae43233893969a55db4f1980b03326d758ccc33d01288dbedb03541597360acd0680aa5bf1891fed560f4eefee605bb68

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
df05a9179cef59765ab16f08c978d626

SHA1
dcf02add0167b227b8cf2693dad81e2969c6f629

SHA256
1db950c189098380325fc637aa30b87aea4cc4ae15172e612a80a4df189a2660

SHA512
4fadf0d761ff885e89ff25e89f62331d8ac9c798ab33338ef34cefc22db86eb4187ee0f958e5755b3dc1a8112f023a39ae2c5b0990f4b9c612b602d55ba42055

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
93958e3dd6e9f6aa0d1bdfafd0a46daa

SHA1
9d3c49ced5d976a5bf5a1caed4de505c6de6cd46

SHA256
309b3a950a5aa03abc59a65f2401d62773a32da283a50b5a7837cbd216129020

SHA512
de896d0eb168dddbf1b365a5069636e493d0e0b1ae333b1419fcd409055a21d46b93c1eceb14d34243cfd2e6834f5871e7f28967c452e67a48f1d596d6452d6e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dafdbd21e18d3308b25d1639a7d389ae

SHA1
48950fafd44db086c316e6fae53986bcbcdb4341

SHA256
60e7f98b739ae9876f060f32cb4cc5b8e9714710168686991c906d34994d0a04

SHA512
fcf70bc7d422f9aea5e12d8ec95fcdc362f780ec3fb631662da108f216733ac87ed378c567003497f794cf0e1cb17ffb7ff0221256250b3f2ace571bbd6c743f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
578d1278dc4f28986f8f9e5c6fd2d5d2

SHA1
8fa6b3a5c5c6e0a1c7630f5f690fe04d92f59c0b

SHA256
66010ff0c727e941e6d6d0fa4d513c03816188cb7cf6e1f2779ae9573327c1ed

SHA512
61f5a77c1fffb43920b89f6c1e6d83262d1e81f9d4f1dd9df444ec8f65981fb14ba79aa0d1f43e121c18cdaa1735228b568f39fd47b97a75ccfa8737494ccd15

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2340020fd1bfb51d99ad36b7b4836570

SHA1
8c51bd8470440a6558110763352fa2baa188f2db

SHA256
d959afd457f7697b2f1ae93a128ef385a91e7d1b5d8387346b11dbc0ea6149fd

SHA512
a23409467409e6854f4a5342db13b11c21b8daa7cf227841d97c336836157f6722b35213f29bebb5823b7e4787abeb8fb25cfaaf92d597aef3ff44b230ddb2d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
58c0d667f0b7ee6e3924f1d813eada11

SHA1
d95af9ea07b4ce94fcd853b78d2734d544f642fc

SHA256
e8dc0e0b410683cfc2838447643924d0ff263f07679143ed30b0368d3b026fc5

SHA512
0bf065598badaf66884742c36af9e7e13d9233634810cd6e3aaa26de5d8f3277cb21a8f17b077bd998dd0c0ed7fe40df5f7fcb2f4d677836d59ee436265b2300

Download Submit
C:\Users\Admin\AppData\Local\Temp\5EJ4eIa89C.bat

Filesize
198B

MD5
7cc76e193d93600776274510a90c62d8

SHA1
b4186cc10d2fa176c5f4855e0f82b8ff318f307f

SHA256
6595def826175f753fd9753eed0fe883660a16fc2008e28dcabe21c34a2f468d

SHA512
4aad2e360e05f5a5124f4205677d68ff56d9b59d0d314a5cf3afff0af3289b89748b16efc6d355181831760d303abe859ec459b22ebef0b6e5e0bc7aeffe6cf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\9minE9DcLk.bat

Filesize
198B

MD5
572bc81074ada3f0b43db9c7d3918b6b

SHA1
cb60eb6e2b60862e0ea0cd0bc63b7e85dd58d363

SHA256
c207de85b628082fb14972733f7e94ada11027dd219ad4a02ccd9602e31fde07

SHA512
51604204cdd51e1d0add0891e05d757ab93d12625f5317bed401738553341d259913d8ed4da59be2e4cfa6a9513b6d3c58a8d09b5ca83fbad99b4b83b7f52102

Download Submit
C:\Users\Admin\AppData\Local\Temp\A1nTHBcTHH.bat

Filesize
198B

MD5
4feb5131ef30fe34105aec73eb39e13f

SHA1
91e2007d60c51f2568f310adc68c7a2c3281c97b

SHA256
4df0ceb890bc24dfede06fb87c7305e0ebdf1928d12f8fd1e0f704db9137b873

SHA512
f3863ff8850c129b6b0ac29d16617005fcbdeb420a25acb53e21512252e832c7583b9751ad235b62df37894e2f0c38caefd43876b5475412a208f181fb27a039

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab41B4.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\HHf3c4kdaf.bat

Filesize
198B

MD5
ca4fd749ac2cf4cb4f6807c5f7a8a086

SHA1
d5b07483891566731c1e9102f791e711e27ab561

SHA256
cd5677cf3c9231735c87621354249cb461a912839608cff47e6b64d714677119

SHA512
3def2acb5442daa4f5d6356bdeed99302f6a524a51a898b236eac8ae7610abfa876154f99bb1f421bfead8a641a1344177b8f0b1dcfcadccabaf25333c00c943

Download Submit
C:\Users\Admin\AppData\Local\Temp\OoUlhQHDc2.bat

Filesize
198B

MD5
d9d6c0caf92a9ee177ee2e9a6ce3b6a1

SHA1
840ecd19eaa0ae02aed294773d64094921f3a6f7

SHA256
548a8f9ed854e19e9e2145ed932bdfe43a7686f48ab4362d7b288ac8783e0428

SHA512
a33fb72d21ffb4cbfdad28f27d4da5301d63c402601fd94561d47726548cec0de4a785cd91df51c52c0d18f15ff963353dc1c4bf5e547700dfdedcb75c776c30

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar41C6.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\VbZulfStaN.bat

Filesize
198B

MD5
0f2639f2ae2367807ffebc2338bcd141

SHA1
5c83e2c7a41485e1cf5c3d2892dc466eaffca962

SHA256
905b9b279b58a3d8cb5aab275a393a8e54c47cff38f7c2e1732b8240b57ee6a9

SHA512
fee4735a0a6bd4d75fb1fd82dcfc0fdc1593adfaeb7b28fbb783e919e9b5ac58fb00c8126182e5b80068cc6d834b7057c2aecf378f787362cecc0cd2f96cdd26

Download Submit
C:\Users\Admin\AppData\Local\Temp\VeFqpJq3BV.bat

Filesize
198B

MD5
264442a289b3ccc310dbd4c329dc0be3

SHA1
2b31cf8beaff94d203d284e2c0ce9722970adfb4

SHA256
f19ec18e638820c74fc1599eee2caa2cb82fc1de14bb376c65930e52ad844918

SHA512
e3dcc0c761eb1eadc6ec4df84afa722c0402f1a02bfa925c2cd7c0de0c46bd733d424366c583a70480a67221c9d891db4121b731e26ce9707914954f98099062

Download Submit
C:\Users\Admin\AppData\Local\Temp\WOs9W2tFAs.bat

Filesize
198B

MD5
5c2695397a8af1fd801f5bd76a7fd70c

SHA1
88763e61c4efec4dbe7edb07029f1d5dc69650de

SHA256
07366627ee0f1bd7f13c9abdebc0f243e8fab0ec7eb8c1ec5c5230e81155ec27

SHA512
9b0d952a180c2c8bbaad777a743f1924d8dbfe753561ac4500d7bc4a264d66d26a7603c531d98c4208ce934363cb25b843cfadcfe0c775b34ce49678c7798a5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\dgWvFyiHB2.bat

Filesize
198B

MD5
d5c9b321aef5cf70eab51668139c8bd7

SHA1
69eeee27fba35de60699116375caac67b7768261

SHA256
a27962a0b6606414a78439a394bf0e96dba18fc8a38705a07ff82e38e169555f

SHA512
8c3dd38063517e6da0a0938c2942e0cdc34237fa7c315ffbbd11705220520163c27faca43d34bd42e4fcb33737084fbebf9c0a7d5bca8395e0ce66e26e0c19d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\lAZRwHYzWc.bat

Filesize
198B

MD5
f67c30917d19585e8aa282ab1703a5c0

SHA1
b0131520726c0aa7fb4e83999340222ddbf8a386

SHA256
d91e8add9fd5d0bee79134ca0c13216bbc12d15c05c2357f4b950075d8623ca9

SHA512
87ac2074e16465767da305c6c51904d308d4e4222fd80f6b4a517d612bd147050539d02efb3a2ffd840764d89ebd3a39592c03da8eb8ca4f8bd09d81353e7509

Download Submit
C:\Users\Admin\AppData\Local\Temp\qO35UmqwIy.bat

Filesize
198B

MD5
fbb14acc0b654dba935c368c9620be52

SHA1
c43435ff299dc3dcf29d35e54ca3343b37e484c1

SHA256
760a2cd04dcf2e73d53456ea6b75c0411772e555ef07bc269304b65eab0b0036

SHA512
1e5420524b711300f77f013a790354ec043cc950f7fc2e1b858f4d287e1d02fcf6b1dfc068882a2ea69625e6eec50983ab3dff3b03aa554a82be6dc589f06679

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DORXK1YTVUM79DEVYSMC.temp

Filesize
7KB

MD5
ad42df55b999eb9c95131986745d95b4

SHA1
765bd0fa55fad15fb31efa83066f10d3cf457fa3

SHA256
a48b3cfa8e91e7b153cf1f45ea58aac936fb9820925dcfbb9ac521cc6be5c1a4

SHA512
f8434c3944ef709a884b1350f2580aa69d1396ad3cbea67f918c7da6248ed08f0a9f5168b95c7ff7b0f81a6134efeecaccd92a45c154f478075f4374b5b76d8e

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/944-245-0x0000000000CF0000-0x0000000000E00000-memory.dmp

Filesize
1.1MB

Download
memory/976-666-0x00000000000B0000-0x00000000001C0000-memory.dmp

Filesize
1.1MB

Download
memory/1128-486-0x0000000000320000-0x0000000000430000-memory.dmp

Filesize
1.1MB

Download
memory/1588-726-0x0000000000CD0000-0x0000000000DE0000-memory.dmp

Filesize
1.1MB

Download
memory/1776-366-0x0000000000F30000-0x0000000001040000-memory.dmp

Filesize
1.1MB

Download
memory/2244-426-0x0000000000F80000-0x0000000001090000-memory.dmp

Filesize
1.1MB

Download
memory/2396-606-0x00000000002B0000-0x00000000003C0000-memory.dmp

Filesize
1.1MB

Download
memory/2668-47-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

Filesize
2.9MB

Download
memory/2668-48-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/2716-305-0x0000000000380000-0x0000000000490000-memory.dmp

Filesize
1.1MB

Download
memory/2716-306-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download
memory/2776-49-0x00000000001C0000-0x00000000001D2000-memory.dmp

Filesize
72KB

Download
memory/2776-41-0x0000000000F00000-0x0000000001010000-memory.dmp

Filesize
1.1MB

Download
memory/2808-185-0x0000000000390000-0x00000000004A0000-memory.dmp

Filesize
1.1MB

Download
memory/2820-125-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/2872-14-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/2872-13-0x0000000000C20000-0x0000000000D30000-memory.dmp

Filesize
1.1MB

Download
memory/2872-15-0x00000000002F0000-0x00000000002FC000-memory.dmp

Filesize
48KB

Download
memory/2872-16-0x00000000002E0000-0x00000000002EC000-memory.dmp

Filesize
48KB

Download
memory/2872-17-0x0000000000300000-0x000000000030C000-memory.dmp

Filesize
48KB

Download
memory/3040-546-0x0000000001350000-0x0000000001460000-memory.dmp

Filesize
1.1MB

Download