dcrat | 960726de85b86c733dece301854423335136b145745df502806ae40a4a00d0e9

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 09:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_960726de85b86c733dece301854423335136b145745df502806ae40a4a00d0e9.exe
Size

1.3MB
MD5

aaebfc91d78692ceb82fc9ae88cdc53c
SHA1

98aa425b5faaf48103aa59c0d40c8143fcf20094
SHA256

960726de85b86c733dece301854423335136b145745df502806ae40a4a00d0e9
SHA512

fdcca74b9992bd5c417e085ec34213aea2f6f3ce36daa6ccb8db4b8c66706ac768e8a0d4d961a06bcc27801d4de54301a484beb513aeeff7916ffd496bf9883a
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3144	3104	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2308	3104	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	3104	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	216	3104	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	3104	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3872	3104	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2124	3104	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3444	3104	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3984	3104	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1872	3104	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4444	3104	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4932	3104	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	752	3104	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	3104	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	3104	schtasks.exe	88

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x0007000000023c7f-10.dat	dcrat
behavioral2/memory/1220-13-0x00000000001E0000-0x00000000002F0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
404	powershell.exe
4132	powershell.exe
1924	powershell.exe
832	powershell.exe
3116	powershell.exe
4600	powershell.exe

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	JaffaCakes118_960726de85b86c733dece301854423335136b145745df502806ae40a4a00d0e9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	spoolsv.exe

Executes dropped EXE 14 IoCs

pid	Process
1220	DllCommonsvc.exe
4876	spoolsv.exe
4780	spoolsv.exe
1816	spoolsv.exe
740	spoolsv.exe
4048	spoolsv.exe
1168	spoolsv.exe
2004	spoolsv.exe
2688	spoolsv.exe
1476	spoolsv.exe
4324	spoolsv.exe
228	spoolsv.exe
4904	spoolsv.exe
208	spoolsv.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs

Web Service

T1102

flow	ioc
27	raw.githubusercontent.com
53	raw.githubusercontent.com
54	raw.githubusercontent.com
56	raw.githubusercontent.com
45	raw.githubusercontent.com
52	raw.githubusercontent.com
14	raw.githubusercontent.com
15	raw.githubusercontent.com
24	raw.githubusercontent.com
39	raw.githubusercontent.com
40	raw.githubusercontent.com
44	raw.githubusercontent.com
55	raw.githubusercontent.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\osa-Osge-001\RuntimeBroker.exe	DllCommonsvc.exe
File created	C:\Windows\System32\osa-Osge-001\9e8d7a4ca61bd9	DllCommonsvc.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Crashpad\reports\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Crashpad\reports\5940a34987c991	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_960726de85b86c733dece301854423335136b145745df502806ae40a4a00d0e9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 13 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	JaffaCakes118_960726de85b86c733dece301854423335136b145745df502806ae40a4a00d0e9.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	spoolsv.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
216	schtasks.exe
2688	schtasks.exe
4932	schtasks.exe
2308	schtasks.exe
752	schtasks.exe
2800	schtasks.exe
1872	schtasks.exe
4444	schtasks.exe
2124	schtasks.exe
3444	schtasks.exe
3984	schtasks.exe
2944	schtasks.exe
3144	schtasks.exe
3060	schtasks.exe
3872	schtasks.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
1220	DllCommonsvc.exe
1220	DllCommonsvc.exe
1220	DllCommonsvc.exe
1220	DllCommonsvc.exe
1220	DllCommonsvc.exe
1220	DllCommonsvc.exe
1220	DllCommonsvc.exe
1220	DllCommonsvc.exe
1220	DllCommonsvc.exe
404	powershell.exe
832	powershell.exe
3116	powershell.exe
1924	powershell.exe
4600	powershell.exe
4132	powershell.exe
404	powershell.exe
832	powershell.exe
4876	spoolsv.exe
3116	powershell.exe
4600	powershell.exe
1924	powershell.exe
4132	powershell.exe
4780	spoolsv.exe
1816	spoolsv.exe
740	spoolsv.exe
4048	spoolsv.exe
1168	spoolsv.exe
2004	spoolsv.exe
2688	spoolsv.exe
1476	spoolsv.exe
4324	spoolsv.exe
228	spoolsv.exe
4904	spoolsv.exe
208	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	1220	DllCommonsvc.exe
Token: SeDebugPrivilege	404	powershell.exe
Token: SeDebugPrivilege	832	powershell.exe
Token: SeDebugPrivilege	3116	powershell.exe
Token: SeDebugPrivilege	1924	powershell.exe
Token: SeDebugPrivilege	4600	powershell.exe
Token: SeDebugPrivilege	4132	powershell.exe
Token: SeDebugPrivilege	4876	spoolsv.exe
Token: SeDebugPrivilege	4780	spoolsv.exe
Token: SeDebugPrivilege	1816	spoolsv.exe
Token: SeDebugPrivilege	740	spoolsv.exe
Token: SeDebugPrivilege	4048	spoolsv.exe
Token: SeDebugPrivilege	1168	spoolsv.exe
Token: SeDebugPrivilege	2004	spoolsv.exe
Token: SeDebugPrivilege	2688	spoolsv.exe
Token: SeDebugPrivilege	1476	spoolsv.exe
Token: SeDebugPrivilege	4324	spoolsv.exe
Token: SeDebugPrivilege	228	spoolsv.exe
Token: SeDebugPrivilege	4904	spoolsv.exe
Token: SeDebugPrivilege	208	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 876 wrote to memory of 3928	876	JaffaCakes118_960726de85b86c733dece301854423335136b145745df502806ae40a4a00d0e9.exe	82
PID 876 wrote to memory of 3928	876	JaffaCakes118_960726de85b86c733dece301854423335136b145745df502806ae40a4a00d0e9.exe	82
PID 876 wrote to memory of 3928	876	JaffaCakes118_960726de85b86c733dece301854423335136b145745df502806ae40a4a00d0e9.exe	82
PID 3928 wrote to memory of 800	3928	WScript.exe	83
PID 3928 wrote to memory of 800	3928	WScript.exe	83
PID 3928 wrote to memory of 800	3928	WScript.exe	83
PID 800 wrote to memory of 1220	800	cmd.exe	85
PID 800 wrote to memory of 1220	800	cmd.exe	85
PID 1220 wrote to memory of 4132	1220	DllCommonsvc.exe	104
PID 1220 wrote to memory of 4132	1220	DllCommonsvc.exe	104
PID 1220 wrote to memory of 1924	1220	DllCommonsvc.exe	105
PID 1220 wrote to memory of 1924	1220	DllCommonsvc.exe	105
PID 1220 wrote to memory of 832	1220	DllCommonsvc.exe	106
PID 1220 wrote to memory of 832	1220	DllCommonsvc.exe	106
PID 1220 wrote to memory of 3116	1220	DllCommonsvc.exe	107
PID 1220 wrote to memory of 3116	1220	DllCommonsvc.exe	107
PID 1220 wrote to memory of 4600	1220	DllCommonsvc.exe	108
PID 1220 wrote to memory of 4600	1220	DllCommonsvc.exe	108
PID 1220 wrote to memory of 404	1220	DllCommonsvc.exe	109
PID 1220 wrote to memory of 404	1220	DllCommonsvc.exe	109
PID 1220 wrote to memory of 4876	1220	DllCommonsvc.exe	116
PID 1220 wrote to memory of 4876	1220	DllCommonsvc.exe	116
PID 4876 wrote to memory of 3100	4876	spoolsv.exe	119
PID 4876 wrote to memory of 3100	4876	spoolsv.exe	119
PID 3100 wrote to memory of 4192	3100	cmd.exe	121
PID 3100 wrote to memory of 4192	3100	cmd.exe	121
PID 3100 wrote to memory of 4780	3100	cmd.exe	124
PID 3100 wrote to memory of 4780	3100	cmd.exe	124
PID 4780 wrote to memory of 1612	4780	spoolsv.exe	125
PID 4780 wrote to memory of 1612	4780	spoolsv.exe	125
PID 1612 wrote to memory of 4744	1612	cmd.exe	127
PID 1612 wrote to memory of 4744	1612	cmd.exe	127
PID 1612 wrote to memory of 1816	1612	cmd.exe	128
PID 1612 wrote to memory of 1816	1612	cmd.exe	128
PID 1816 wrote to memory of 3952	1816	spoolsv.exe	130
PID 1816 wrote to memory of 3952	1816	spoolsv.exe	130
PID 3952 wrote to memory of 2140	3952	cmd.exe	132
PID 3952 wrote to memory of 2140	3952	cmd.exe	132
PID 3952 wrote to memory of 740	3952	cmd.exe	133
PID 3952 wrote to memory of 740	3952	cmd.exe	133
PID 740 wrote to memory of 4184	740	spoolsv.exe	135
PID 740 wrote to memory of 4184	740	spoolsv.exe	135
PID 4184 wrote to memory of 1692	4184	cmd.exe	137
PID 4184 wrote to memory of 1692	4184	cmd.exe	137
PID 4184 wrote to memory of 4048	4184	cmd.exe	138
PID 4184 wrote to memory of 4048	4184	cmd.exe	138
PID 4048 wrote to memory of 224	4048	spoolsv.exe	139
PID 4048 wrote to memory of 224	4048	spoolsv.exe	139
PID 224 wrote to memory of 4968	224	cmd.exe	141
PID 224 wrote to memory of 4968	224	cmd.exe	141
PID 224 wrote to memory of 1168	224	cmd.exe	142
PID 224 wrote to memory of 1168	224	cmd.exe	142
PID 1168 wrote to memory of 4600	1168	spoolsv.exe	143
PID 1168 wrote to memory of 4600	1168	spoolsv.exe	143
PID 4600 wrote to memory of 2112	4600	cmd.exe	145
PID 4600 wrote to memory of 2112	4600	cmd.exe	145
PID 4600 wrote to memory of 2004	4600	cmd.exe	146
PID 4600 wrote to memory of 2004	4600	cmd.exe	146
PID 2004 wrote to memory of 3476	2004	spoolsv.exe	147
PID 2004 wrote to memory of 3476	2004	spoolsv.exe	147
PID 3476 wrote to memory of 372	3476	cmd.exe	149
PID 3476 wrote to memory of 372	3476	cmd.exe	149
PID 3476 wrote to memory of 2688	3476	cmd.exe	150
PID 3476 wrote to memory of 2688	3476	cmd.exe	150

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_960726de85b86c733dece301854423335136b145745df502806ae40a4a00d0e9.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_960726de85b86c733dece301854423335136b145745df502806ae40a4a00d0e9.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:876
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3928
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:800
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1220
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4132
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1924
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:832
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\OfficeClickToRun.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3116
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\osa-Osge-001\RuntimeBroker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4600
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Crashpad\reports\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:404
    - - C:\Recovery\WindowsRE\spoolsv.exe
        
        "C:\Recovery\WindowsRE\spoolsv.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4876
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kyAhxuXJBD.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3100
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:4192
        
        C:\Recovery\WindowsRE\spoolsv.exe
        
        "C:\Recovery\WindowsRE\spoolsv.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4780
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LIqDUaLb8G.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1612
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:4744
        
        C:\Recovery\WindowsRE\spoolsv.exe
        
        "C:\Recovery\WindowsRE\spoolsv.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1816
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oqEnL4f5pl.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:3952
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2140
        
        C:\Recovery\WindowsRE\spoolsv.exe
        
        "C:\Recovery\WindowsRE\spoolsv.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:740
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HAJBVlyJNQ.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:4184
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1692
        
        C:\Recovery\WindowsRE\spoolsv.exe
        
        "C:\Recovery\WindowsRE\spoolsv.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4048
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ys2Wc5gw2w.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:224
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:4968
        
        C:\Recovery\WindowsRE\spoolsv.exe
        
        "C:\Recovery\WindowsRE\spoolsv.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1168
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fmTXnddwCX.bat"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:4600
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2112
        
        C:\Recovery\WindowsRE\spoolsv.exe
        
        "C:\Recovery\WindowsRE\spoolsv.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5eI0Zh92hY.bat"
        18⤵
        Suspicious use of WriteProcessMemory
        
        PID:3476
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:372
        
        C:\Recovery\WindowsRE\spoolsv.exe
        
        "C:\Recovery\WindowsRE\spoolsv.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2688
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3jGxsc69Nm.bat"
        20⤵
        
        PID:412
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:4064
        
        C:\Recovery\WindowsRE\spoolsv.exe
        
        "C:\Recovery\WindowsRE\spoolsv.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1476
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7aJ3FmDw0K.bat"
        22⤵
        
        PID:3300
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:3604
        
        C:\Recovery\WindowsRE\spoolsv.exe
        
        "C:\Recovery\WindowsRE\spoolsv.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4324
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\muCkezbCVz.bat"
        24⤵
        
        PID:1220
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2980
        
        C:\Recovery\WindowsRE\spoolsv.exe
        
        "C:\Recovery\WindowsRE\spoolsv.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:228
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\R5wNYqVH5b.bat"
        26⤵
        
        PID:4108
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:3492
        
        C:\Recovery\WindowsRE\spoolsv.exe
        
        "C:\Recovery\WindowsRE\spoolsv.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4904
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IMpAoVHioU.bat"
        28⤵
        
        PID:4652
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:4688
        
        C:\Recovery\WindowsRE\spoolsv.exe
        
        "C:\Recovery\WindowsRE\spoolsv.exe"
        29⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\providercommon\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\providercommon\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\providercommon\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Windows\System32\osa-Osge-001\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\osa-Osge-001\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Windows\System32\osa-Osge-001\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Crashpad\reports\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Crashpad\reports\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Crashpad\reports\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\spoolsv.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Temp\3jGxsc69Nm.bat

Filesize
198B

MD5
7e3ca3a877beba8b11a53c4701aa619a

SHA1
83998a2abf73ccf069e8a9a8e3547bf1c089a600

SHA256
e24173d99c962eb78fb5db86416b5688cfaab825847cb28469d9d66321d3ed8a

SHA512
bd316b3bd89d0f3a962f90c0fe0fe4fb7b392e9a32ad84ccfb45d77d098beaa5725ec6d0103bcc2ef76590e1bd93958540fa7d64dde5ed05cbfc3f8944f7f72b

Download Submit
C:\Users\Admin\AppData\Local\Temp\5eI0Zh92hY.bat

Filesize
198B

MD5
f8b456f2c7baaaa2dedcb2e37d7da09e

SHA1
6e72b3a80b3f2d0bb55da7b0b2df3447bf7897d8

SHA256
ca105347d7e5b7e84daa7ff2feeed2f425f011b31312011ba81cdd6e275fe7e1

SHA512
3fa856ed195c8ebd54dbc6c70c974457dea1b47bbbc753662cce12503ce743cff90298c2f5dfd67a6b5410ec1448937f43a73e925cd3a8e2886f832335809939

Download Submit
C:\Users\Admin\AppData\Local\Temp\7aJ3FmDw0K.bat

Filesize
198B

MD5
5e85f864878592ea95ff276f48ec1c8b

SHA1
f1d95b64721a88bc45fe278ae030657078b69f02

SHA256
e5d5f1d77c3c476665e4fb35d30802ba1e32c9b64768c3e1ac4af24bb8b42598

SHA512
0bea39bb1d864421f37d34c4559a98c67015ca0eaae8878904dea9d205d6c27a286b8da840aa546bfe7925f18aad4136a169beedabdd2da7c6cf8be38dd5a1c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\HAJBVlyJNQ.bat

Filesize
198B

MD5
0daaf1c3b122598979316809e8cab36b

SHA1
1e154eb19336e6d339e4d5c5f881c6e0b24716f2

SHA256
072deb64d096894cee901a0965b255414e2196040f933153cf7e32166a4c0bed

SHA512
746a39bc7523e67a1cf5bbb729753292d141499b2275ec169a8b7f7683b3e3933518c2120685f22fd1674d7d0c77463df206bbb72b79a0011193a696da8f5648

Download Submit
C:\Users\Admin\AppData\Local\Temp\IMpAoVHioU.bat

Filesize
198B

MD5
ac2c0c6f13359fd0ff26066ea44dd013

SHA1
a34b65d50ebe0b6ac9292ca5651d9fc05dd71507

SHA256
8074f9827cff442bac1db102311198ef83cd3ef77a558c370f0085789bd76ace

SHA512
17089395c7add56fc988556d952593ff74830c3c97ee59901881bbe33094d0bb6948132ec35937354658dcc891ea7343770c8b6e3b1fa790f4dd98acd0951fc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\LIqDUaLb8G.bat

Filesize
198B

MD5
a8ca12065ef9f5a8e9b78284c5888229

SHA1
062eb35d7af6dd23f41cf2c792eae52dce5fb319

SHA256
099443e1f77de78a9c2c0b0d8f013e863858771bf72bbd3105feacf71b7071f0

SHA512
f8b4ea51a825c5011e9ff399d98f8c265feb406ccef286a98dfebe501599cb37328ac50227855b020f245fef4675f980cfdfe0ff8c339d49f52b92acfcb0d2a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\R5wNYqVH5b.bat

Filesize
198B

MD5
e23d06e2f986855c84ee465ffd057fd8

SHA1
aae08f32493651abdff0d77bbdd4fb342a4a919c

SHA256
7fb3fc867c06a4c63cd2819fb69d631066689b2081118a03c4c3af46381caada

SHA512
eeef9effab7d3881a8f1850b54bd7b3b06f3272a592de0969709645fab38054a3c1d8704e30108547dd1cea4db24117cafd54f35e7ef88d24296e4dc9c7308f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ys2Wc5gw2w.bat

Filesize
198B

MD5
d1c36ea23aabaa0d04ee780d5bfe1dc3

SHA1
4e73a3605cd2e0cb00ca65f4c585b96e590b5b88

SHA256
b4e7c031a6ea1f1317e0944c9fd51c35278c35c963c0afeb127d86100cad06d9

SHA512
500157c019f3c9c66cc68ac978441cec15dcf1fdb53422439d098385bc3261c9d98bb806c36f65b0970053e61d468310eec1dd76d85857cf209630cc0944a0a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_idc0s0zo.ufc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\fmTXnddwCX.bat

Filesize
198B

MD5
c22c8ab431381a60617f13b90d1376cf

SHA1
c2b71895b18244e5b8a3e2fe6f14b62410b68b8d

SHA256
8e03f63dba2d7405036384531702b7f3e8e41080f147aafe6d6d06c406868b10

SHA512
e8ffcbbfb79e334fbf992a74aed9b98d1f30501baf16e0a5667844c71ff689191ef2f3388e7bb8d607334e40881c5e78313b930a794ce27023bc787d55866865

Download Submit
C:\Users\Admin\AppData\Local\Temp\kyAhxuXJBD.bat

Filesize
198B

MD5
e159dd80a024ef8da1ba14d8a77aa079

SHA1
2f04398791552a53df1a5add6ae89ff747eed2e5

SHA256
d832ce3797ed7ccff4ae1c9d336f8a5504c59948304284b91f6d8eb9b9c6663a

SHA512
29c19af0557b79bfdf96ed02f3d5f679926cfee595831ba8337742da9ef63e9c8d60bafeaa3d27f4a1dd6607557a80dbccbf949c0900e82c1e94e03a8a14a01d

Download Submit
C:\Users\Admin\AppData\Local\Temp\muCkezbCVz.bat

Filesize
198B

MD5
2051dab873ec4642930bebcc1b855158

SHA1
031fde8fc6d777b5bed596b5ae33a2ea850825e2

SHA256
a51f175715efc3b2dcb1d7869df90e8ff5cde655447614454c98e556e2d43b40

SHA512
e668446bfa8ebffca355b9dce1d86eb425f04440bc6f4033e5866decae9309a2539e64ffbe66fecf21ea4d6aa0d54be2c8cc5556ef0e8d07a18079e93b982196

Download Submit
C:\Users\Admin\AppData\Local\Temp\oqEnL4f5pl.bat

Filesize
198B

MD5
a2cb7a00fed9548e6991ea1559b3ed77

SHA1
e2b9be335e1dfe6828990c433da10b87b6e09b9e

SHA256
a3ad3ce41992adc4baf01995a69b005957bd8b4e3d9a238395fc51faf25c844d

SHA512
f624e3418cdcc77b56cd3fd8e31eb527c7424935eda19a6dad04e5b7817206f314e0ec283da4899c6429f02a48eda982917bcbd09768a02c4d8825b1cf3f2fd1

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/228-174-0x0000000002380000-0x0000000002392000-memory.dmp

Filesize
72KB

Download
memory/404-48-0x0000017AB2800000-0x0000017AB2822000-memory.dmp

Filesize
136KB

Download
memory/1168-141-0x0000000002D30000-0x0000000002D42000-memory.dmp

Filesize
72KB

Download
memory/1220-15-0x00000000024F0000-0x00000000024FC000-memory.dmp

Filesize
48KB

Download
memory/1220-14-0x00000000024B0000-0x00000000024C2000-memory.dmp

Filesize
72KB

Download
memory/1220-13-0x00000000001E0000-0x00000000002F0000-memory.dmp

Filesize
1.1MB

Download
memory/1220-12-0x00007FF83DA43000-0x00007FF83DA45000-memory.dmp

Filesize
8KB

Download
memory/1220-16-0x00000000024C0000-0x00000000024CC000-memory.dmp

Filesize
48KB

Download
memory/1220-17-0x00000000024D0000-0x00000000024DC000-memory.dmp

Filesize
48KB

Download
memory/1816-121-0x0000000002610000-0x0000000002622000-memory.dmp

Filesize
72KB

Download
memory/2004-148-0x0000000000F70000-0x0000000000F82000-memory.dmp

Filesize
72KB

Download
memory/2688-155-0x0000000003280000-0x0000000003292000-memory.dmp

Filesize
72KB

Download
memory/4048-134-0x0000000002E80000-0x0000000002E92000-memory.dmp

Filesize
72KB

Download