dcrat | 41b94c39ae0828ac4e49fa6b3e8dbae6b7717ac5c917e989a2672357e4a10ff8

Analysis

max time kernel
147s
max time network
153s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22/12/2024, 10:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_41b94c39ae0828ac4e49fa6b3e8dbae6b7717ac5c917e989a2672357e4a10ff8.exe
Size

1.3MB
MD5

3d37fb12df580f68104dc2b238308a6e
SHA1

500ee6f2d0b5cba571ae0af87ef1870f0addd201
SHA256

41b94c39ae0828ac4e49fa6b3e8dbae6b7717ac5c917e989a2672357e4a10ff8
SHA512

cd9d2c5f641aafea76c30b03cfff5c9520a5375f2eb71e0ed4115b364b11e84dade93746a23b15db6a9f5bf11a55b9596194ece1d27936c010b87a53ea60bcdd
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2868	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	2868	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	2868	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	2868	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	2868	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2868	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	308	2868	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	2868	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1892	2868	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1444	2868	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2868	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	2868	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1512	2868	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	972	2868	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	2868	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1116	2868	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1516	2868	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	2868	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	2868	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	2868	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	2868	schtasks.exe	33

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00080000000193b8-9.dat	dcrat
behavioral1/memory/2888-13-0x00000000002C0000-0x00000000003D0000-memory.dmp	dcrat
behavioral1/memory/1056-38-0x0000000000320000-0x0000000000430000-memory.dmp	dcrat
behavioral1/memory/2452-135-0x00000000008C0000-0x00000000009D0000-memory.dmp	dcrat
behavioral1/memory/2168-196-0x00000000001A0000-0x00000000002B0000-memory.dmp	dcrat
behavioral1/memory/2288-256-0x0000000000C20000-0x0000000000D30000-memory.dmp	dcrat
behavioral1/memory/840-375-0x00000000003B0000-0x00000000004C0000-memory.dmp	dcrat
behavioral1/memory/1352-435-0x0000000000A40000-0x0000000000B50000-memory.dmp	dcrat
behavioral1/memory/1692-495-0x0000000000080000-0x0000000000190000-memory.dmp	dcrat
behavioral1/memory/1608-555-0x0000000000C70000-0x0000000000D80000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
548	powershell.exe
3028	powershell.exe
764	powershell.exe
276	powershell.exe
1380	powershell.exe
1792	powershell.exe
2192	powershell.exe
940	powershell.exe

Executes dropped EXE 10 IoCs

pid	Process
2888	DllCommonsvc.exe
1056	OSPPSVC.exe
2452	OSPPSVC.exe
2168	OSPPSVC.exe
2288	OSPPSVC.exe
2144	OSPPSVC.exe
840	OSPPSVC.exe
1352	OSPPSVC.exe
1692	OSPPSVC.exe
1608	OSPPSVC.exe

Loads dropped DLL 2 IoCs

pid	Process
2812	cmd.exe
2812	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
19	raw.githubusercontent.com
23	raw.githubusercontent.com
30	raw.githubusercontent.com
16	raw.githubusercontent.com
27	raw.githubusercontent.com
34	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\dwm.exe	DllCommonsvc.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\6cb0b6c459d5d3	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_41b94c39ae0828ac4e49fa6b3e8dbae6b7717ac5c917e989a2672357e4a10ff8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1892	schtasks.exe
1444	schtasks.exe
2984	schtasks.exe
2128	schtasks.exe
2452	schtasks.exe
2664	schtasks.exe
308	schtasks.exe
2968	schtasks.exe
1516	schtasks.exe
2804	schtasks.exe
2184	schtasks.exe
2668	schtasks.exe
316	schtasks.exe
2372	schtasks.exe
1652	schtasks.exe
2284	schtasks.exe
2696	schtasks.exe
1512	schtasks.exe
972	schtasks.exe
1116	schtasks.exe
2728	schtasks.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
2888	DllCommonsvc.exe
2888	DllCommonsvc.exe
2888	DllCommonsvc.exe
2888	DllCommonsvc.exe
2888	DllCommonsvc.exe
1792	powershell.exe
1380	powershell.exe
940	powershell.exe
276	powershell.exe
3028	powershell.exe
764	powershell.exe
548	powershell.exe
2192	powershell.exe
1056	OSPPSVC.exe
2452	OSPPSVC.exe
2168	OSPPSVC.exe
2288	OSPPSVC.exe
2144	OSPPSVC.exe
840	OSPPSVC.exe
1352	OSPPSVC.exe
1692	OSPPSVC.exe
1608	OSPPSVC.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	2888	DllCommonsvc.exe
Token: SeDebugPrivilege	1056	OSPPSVC.exe
Token: SeDebugPrivilege	1792	powershell.exe
Token: SeDebugPrivilege	1380	powershell.exe
Token: SeDebugPrivilege	940	powershell.exe
Token: SeDebugPrivilege	276	powershell.exe
Token: SeDebugPrivilege	3028	powershell.exe
Token: SeDebugPrivilege	764	powershell.exe
Token: SeDebugPrivilege	548	powershell.exe
Token: SeDebugPrivilege	2192	powershell.exe
Token: SeDebugPrivilege	2452	OSPPSVC.exe
Token: SeDebugPrivilege	2168	OSPPSVC.exe
Token: SeDebugPrivilege	2288	OSPPSVC.exe
Token: SeDebugPrivilege	2144	OSPPSVC.exe
Token: SeDebugPrivilege	840	OSPPSVC.exe
Token: SeDebugPrivilege	1352	OSPPSVC.exe
Token: SeDebugPrivilege	1692	OSPPSVC.exe
Token: SeDebugPrivilege	1608	OSPPSVC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1276 wrote to memory of 1248	1276	JaffaCakes118_41b94c39ae0828ac4e49fa6b3e8dbae6b7717ac5c917e989a2672357e4a10ff8.exe	29
PID 1276 wrote to memory of 1248	1276	JaffaCakes118_41b94c39ae0828ac4e49fa6b3e8dbae6b7717ac5c917e989a2672357e4a10ff8.exe	29
PID 1276 wrote to memory of 1248	1276	JaffaCakes118_41b94c39ae0828ac4e49fa6b3e8dbae6b7717ac5c917e989a2672357e4a10ff8.exe	29
PID 1276 wrote to memory of 1248	1276	JaffaCakes118_41b94c39ae0828ac4e49fa6b3e8dbae6b7717ac5c917e989a2672357e4a10ff8.exe	29
PID 1248 wrote to memory of 2812	1248	WScript.exe	30
PID 1248 wrote to memory of 2812	1248	WScript.exe	30
PID 1248 wrote to memory of 2812	1248	WScript.exe	30
PID 1248 wrote to memory of 2812	1248	WScript.exe	30
PID 2812 wrote to memory of 2888	2812	cmd.exe	32
PID 2812 wrote to memory of 2888	2812	cmd.exe	32
PID 2812 wrote to memory of 2888	2812	cmd.exe	32
PID 2812 wrote to memory of 2888	2812	cmd.exe	32
PID 2888 wrote to memory of 1380	2888	DllCommonsvc.exe	55
PID 2888 wrote to memory of 1380	2888	DllCommonsvc.exe	55
PID 2888 wrote to memory of 1380	2888	DllCommonsvc.exe	55
PID 2888 wrote to memory of 276	2888	DllCommonsvc.exe	56
PID 2888 wrote to memory of 276	2888	DllCommonsvc.exe	56
PID 2888 wrote to memory of 276	2888	DllCommonsvc.exe	56
PID 2888 wrote to memory of 1792	2888	DllCommonsvc.exe	57
PID 2888 wrote to memory of 1792	2888	DllCommonsvc.exe	57
PID 2888 wrote to memory of 1792	2888	DllCommonsvc.exe	57
PID 2888 wrote to memory of 764	2888	DllCommonsvc.exe	58
PID 2888 wrote to memory of 764	2888	DllCommonsvc.exe	58
PID 2888 wrote to memory of 764	2888	DllCommonsvc.exe	58
PID 2888 wrote to memory of 2192	2888	DllCommonsvc.exe	60
PID 2888 wrote to memory of 2192	2888	DllCommonsvc.exe	60
PID 2888 wrote to memory of 2192	2888	DllCommonsvc.exe	60
PID 2888 wrote to memory of 3028	2888	DllCommonsvc.exe	62
PID 2888 wrote to memory of 3028	2888	DllCommonsvc.exe	62
PID 2888 wrote to memory of 3028	2888	DllCommonsvc.exe	62
PID 2888 wrote to memory of 548	2888	DllCommonsvc.exe	63
PID 2888 wrote to memory of 548	2888	DllCommonsvc.exe	63
PID 2888 wrote to memory of 548	2888	DllCommonsvc.exe	63
PID 2888 wrote to memory of 940	2888	DllCommonsvc.exe	64
PID 2888 wrote to memory of 940	2888	DllCommonsvc.exe	64
PID 2888 wrote to memory of 940	2888	DllCommonsvc.exe	64
PID 2888 wrote to memory of 1056	2888	DllCommonsvc.exe	71
PID 2888 wrote to memory of 1056	2888	DllCommonsvc.exe	71
PID 2888 wrote to memory of 1056	2888	DllCommonsvc.exe	71
PID 1056 wrote to memory of 2248	1056	OSPPSVC.exe	72
PID 1056 wrote to memory of 2248	1056	OSPPSVC.exe	72
PID 1056 wrote to memory of 2248	1056	OSPPSVC.exe	72
PID 2248 wrote to memory of 2696	2248	cmd.exe	74
PID 2248 wrote to memory of 2696	2248	cmd.exe	74
PID 2248 wrote to memory of 2696	2248	cmd.exe	74
PID 2248 wrote to memory of 2452	2248	cmd.exe	75
PID 2248 wrote to memory of 2452	2248	cmd.exe	75
PID 2248 wrote to memory of 2452	2248	cmd.exe	75
PID 2452 wrote to memory of 3016	2452	OSPPSVC.exe	76
PID 2452 wrote to memory of 3016	2452	OSPPSVC.exe	76
PID 2452 wrote to memory of 3016	2452	OSPPSVC.exe	76
PID 3016 wrote to memory of 760	3016	cmd.exe	78
PID 3016 wrote to memory of 760	3016	cmd.exe	78
PID 3016 wrote to memory of 760	3016	cmd.exe	78
PID 3016 wrote to memory of 2168	3016	cmd.exe	79
PID 3016 wrote to memory of 2168	3016	cmd.exe	79
PID 3016 wrote to memory of 2168	3016	cmd.exe	79
PID 2168 wrote to memory of 1948	2168	OSPPSVC.exe	80
PID 2168 wrote to memory of 1948	2168	OSPPSVC.exe	80
PID 2168 wrote to memory of 1948	2168	OSPPSVC.exe	80
PID 1948 wrote to memory of 2216	1948	cmd.exe	82
PID 1948 wrote to memory of 2216	1948	cmd.exe	82
PID 1948 wrote to memory of 2216	1948	cmd.exe	82
PID 1948 wrote to memory of 2288	1948	cmd.exe	83

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_41b94c39ae0828ac4e49fa6b3e8dbae6b7717ac5c917e989a2672357e4a10ff8.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_41b94c39ae0828ac4e49fa6b3e8dbae6b7717ac5c917e989a2672357e4a10ff8.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1276
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1248
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2812
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2888
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1380
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:276
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1792
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:764
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2192
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3028
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:548
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:940
    - - C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1056
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CPhDZIwY3l.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2696
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2452
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j95GpUP4tv.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:760
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MNu5MeZyGQ.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1948
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2216
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2288
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YwiSfj46e4.bat"
        12⤵
        
        PID:2184
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1720
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2144
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Zj0hR7WTEZ.bat"
        14⤵
        
        PID:1876
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1188
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:840
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\syea0WjfTx.bat"
        16⤵
        
        PID:2492
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2968
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1352
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mJIFszAWFu.bat"
        18⤵
        
        PID:2680
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2044
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1692
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wpigNgqS7W.bat"
        20⤵
        
        PID:1700
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:1952
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1608
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CIMKRyAEqW.bat"
        22⤵
        
        PID:1596
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Admin\AppData\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\AppData\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
691b07315d6c5d88413b01e2156e4e3b

SHA1
0472290ac4711ddff30f720b1291f0322d501851

SHA256
e891b1b3563835524e4c24bc4b122e799c29b3e37e8ced1f4072b04edb4d06a3

SHA512
7599e5f00cb992528212202d82c720d43e9ea5ac6625d97afc256ff8ac305a4575e1c4dfca455930394ef1050ae32e754fc5030865004a8ddaf6ede0070bd986

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
affe771ff6156d08212f65a08eaeb9d2

SHA1
94962025f107185609d8f9662f229d5328cc42f6

SHA256
9c34bb8c1335f843a6e9fdb977f0f633cccdb3d4f3d1f73155e85d90693c0624

SHA512
69a205bd7ac2fecf015d74d0159720dd9ee492a5e25ed29e8c8c67c33144cef02745701413b940a998c14a71f0c83d4d6027b86fdb4c3e5116e4e9f2f7309d62

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
22b0f29a0d4784a3f3c8d69dd3a6eb1b

SHA1
a3472c1f888dfdace52598a96e9f0204a1fa40d8

SHA256
1a45699c3362b39181e40f9c444062ce50a0052f893d88eecd54c2c276708871

SHA512
e2d534e497e0b1b4536b00c3111240476c1442dd4291d2b7e88b0af62a744c4aeee49ca37afabf5b41d5474962ef7b8fada4ef635bb736fc2567b6817ae16142

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
93e7f125edc2f6b9c1173bc337937b0b

SHA1
ceaca5b6abfd02fa836a17490fe5b10b325ba112

SHA256
beb199280dae01e7970df08ec0f416bdc03a5fb328de4a5117f7786d7d691053

SHA512
e39e07cc4f5d990d1e49d50aa447e942063b072608ae2f28100c9f818cbf56833ccc201098641cf1e9afdfb1416973dcd33d69cc07e2703cac2bb02471197d7d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d3cc04b78eb229f56579e9a4eb80bcdb

SHA1
c6d93da08f23b7dce28184a2f8f963cf25a87edb

SHA256
1124dd904b52b26de2623d33d75c935616ef6d623f4f83779d079a78f49c2f74

SHA512
5b451c5f8398a1561eae5f9c898e98d5a0eca8503c314ddea7722ce8a31fceaa1de14d1b2f17f06c484c8871aeb528546c792c17895ece380a9d34b61ba5b56d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eca8bd1bd6d5f11ff84f0f14f0b3b329

SHA1
5778cc410dd4c68f9523e9a5bf89014f467ecb96

SHA256
01bd53ecf98df8d4a86fbd0b4992a0d34ebcddd70ac175314d4b5db8ee6cf500

SHA512
3a08b30adc006dfdd210e0aa3909fd780fc60dd75f87ea33179717c3f160941f10c2b9070eff0b8efaf5049cad931018872f5a53304d78b40c70106b7411997f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a35dea0649c32668093af9232408f288

SHA1
f8f4eeccf032db81d640ea2ae5e7d857e6907776

SHA256
f5950bcaf6510a2c95e904a8a9f0f90df1907e67d25781361ed77da9b93ed733

SHA512
aa0a4f6a548b77fe58bfe8a301969e8c3b4781402eaefe2183f46891847af1a50e0ed8c9289bd17e32c606d12dfcd7bb63feec39294d611e8b45adafb11a066d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
741eb18de4686cda48c50b1e7ecb9bc0

SHA1
899310613f8c67754ac66a5e07f799592035d150

SHA256
4b69d3219ec849f102b451c1a3327c8e7cd2804f2ada9499f81f68e873603f86

SHA512
0f14eff92383ce13a9d4228bb36cec538abe20cab3374facb25541eff01afb270cf0f33080a923e458b2bdade1027cfe20d510a374ade3ebc7d340f19bd6094a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CIMKRyAEqW.bat

Filesize
225B

MD5
ad9a816d1c8db597ea8c0e29365e2fa4

SHA1
973f47951a1ea174f10712933af7f74ed12e8263

SHA256
c084056e63b2df99c08ef805d80f6ac6f21bc9cc44263cdd4d39a32f47366e82

SHA512
ca6642167c9189b896db4aa64b5d12895e63a6788258f8677543459f847f31f71a4ffd6c07308da34a3024e075d385f6bc66987a543b0f6dffb1396a7778252c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CPhDZIwY3l.bat

Filesize
225B

MD5
8646457338304df2550f63d945dda3c3

SHA1
d75430a0f6f798c8d0903a8547739bc03af2ae4e

SHA256
b215af6493aacf268439988d5ab6fd83823dcf66350d1211fd1b5370dd3bcf50

SHA512
251b1a118b8354cd151990814fc1abe6ec0bdfcf21c61e45e65879a7821705f8fa7fd2b2d56b743f42d7fef77d99aceb0239b4ca259b2e63bf85e78ac3e2af21

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC573.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MNu5MeZyGQ.bat

Filesize
225B

MD5
bba384cd03a9ce6a0695db02360fe27a

SHA1
e5fb30f648c9892d0f972831ba0ce6fbf7be4878

SHA256
9dca0a57250999b94b849da7490cce3e6956298dd14f808996818152472ca8b0

SHA512
9664b292d772e829a00835e02f2c8d421df57d6f879a7f6600f00f24a8c205177f71466a13c5c30cf1de2d1b2891ee40847754d56a57fc128827bf81ccb17286

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC5D4.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\YwiSfj46e4.bat

Filesize
225B

MD5
e85b12aab2352e0e9bda2a84f51bcf98

SHA1
a001549d6509827331749277dba9f9fb5b117c71

SHA256
c47a6168af8b7e05ec3a55c64478c36a96508c32bb8837d2179bdccf4fb1a6c3

SHA512
3220b969ebe3cf899bd4d70611b39b82f73938a451a736fd9d1eca9ca9d707cd820f369eaf5e43f3c222d660cfcc0879e5a0c3f1d6d0c56d2cf83bdf04e9344f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zj0hR7WTEZ.bat

Filesize
225B

MD5
d53567d8cd9e8b69ae6835ba7dc1c24d

SHA1
37dc504863a1bb34ae40770cdd27d31b41bb4775

SHA256
9975f4f7b8246b16966b667d201f60e75162c768a88809f524f699c623dceb06

SHA512
3007b9863b3b2f73a12c70f37b6840f7c8533b4acdd0e04d9941d6aac1aa8d85498fe9ad3eefe5fdf155a8359851576194b4dea7f30f7d32c90b0fc3a40c9494

Download Submit
C:\Users\Admin\AppData\Local\Temp\j95GpUP4tv.bat

Filesize
225B

MD5
2cda757d743a7bd50108338ca61ed9d4

SHA1
8ff46dd00b91b1eb08d5b68c7a87bd793d244bcd

SHA256
93beb3ead3994632e96635aa6601377604eb869a5d73d7bb9ea6beaffb28e8fb

SHA512
8267f4cb7ec0a7c6c80bbc993226689f9911eb52b554513e896f2f248ac5c9054700e3ad1d2c3540beb6407a850e314802eaa8603a4c6d7e6950e7b1e06b657e

Download Submit
C:\Users\Admin\AppData\Local\Temp\mJIFszAWFu.bat

Filesize
225B

MD5
f6577ff2797d1366242390a36eb3076d

SHA1
601eafa63f191a1c4d435cefba18a3c8a040bab1

SHA256
d24bde4b9ebddab3c01db18841abb087d01415fb0d20fa432e9d136ec98d2439

SHA512
c65d5f51e670eb466cd15b1b19b4011bba764cd75148d4c321a7aac78fd6cf5fd51d54c7edda64ec7b02b06896a717f55cafaf12b35b4503e32c202de4acfaab

Download Submit
C:\Users\Admin\AppData\Local\Temp\syea0WjfTx.bat

Filesize
225B

MD5
ff9254ad1b9005880d7a3df475414ee2

SHA1
5fb524db1212e44143c37f87d4f0e282f79ea76d

SHA256
36046c2591d5866e8a0adf7a2ed27128fbdbcd942473f580479a4027acad6bd1

SHA512
f4539bb90db1ea8cff0461cd160388a7fd9c785f58733f9686428f6f3a7a15afb36c0fc2d5481098832ce4facf6f7c13f84ca3a45024cd8f3417cf80bfd64936

Download Submit
C:\Users\Admin\AppData\Local\Temp\wpigNgqS7W.bat

Filesize
225B

MD5
a098d11ec1eea6595dc380341b0fd1a4

SHA1
c3715a975564e34d75667233f626dd0c5fa85da8

SHA256
0f25b77fa819190a483d8f5b5b40c27b643165355f32e32da70fbe3c5835d0e9

SHA512
fd56fb8ac461be38821f914b9d036e5f95b34aa41280347abe8d266b2f5d72637b33fc147bac6d157d4e28ee602a04128672b351a0d9f337ba147848cbb5a5e8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
9588e8b75352b8562ead42f6d1936556

SHA1
8a7ae747013d2207e86c7f479ff6384198581762

SHA256
7f6433717ecfffe640ff831d8273c1d0755361df94589cbf46befa812050240b

SHA512
a3709d893ddae6c8f3cf1481b331906091ff349bc678b998f1e4b607c6d0273ca7dce9b9f702398f1346a7052d837215b9c1bdcbe5f31fbdfbbdba4c114a00e3

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/276-75-0x000000001B230000-0x000000001B512000-memory.dmp

Filesize
2.9MB

Download
memory/840-375-0x00000000003B0000-0x00000000004C0000-memory.dmp

Filesize
1.1MB

Download
memory/1056-38-0x0000000000320000-0x0000000000430000-memory.dmp

Filesize
1.1MB

Download
memory/1352-435-0x0000000000A40000-0x0000000000B50000-memory.dmp

Filesize
1.1MB

Download
memory/1380-76-0x0000000002310000-0x0000000002318000-memory.dmp

Filesize
32KB

Download
memory/1608-556-0x00000000002D0000-0x00000000002E2000-memory.dmp

Filesize
72KB

Download
memory/1608-555-0x0000000000C70000-0x0000000000D80000-memory.dmp

Filesize
1.1MB

Download
memory/1692-495-0x0000000000080000-0x0000000000190000-memory.dmp

Filesize
1.1MB

Download
memory/2168-196-0x00000000001A0000-0x00000000002B0000-memory.dmp

Filesize
1.1MB

Download
memory/2288-256-0x0000000000C20000-0x0000000000D30000-memory.dmp

Filesize
1.1MB

Download
memory/2452-135-0x00000000008C0000-0x00000000009D0000-memory.dmp

Filesize
1.1MB

Download
memory/2452-136-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/2888-16-0x0000000000570000-0x000000000057C000-memory.dmp

Filesize
48KB

Download
memory/2888-15-0x0000000000560000-0x000000000056C000-memory.dmp

Filesize
48KB

Download
memory/2888-17-0x0000000002010000-0x000000000201C000-memory.dmp

Filesize
48KB

Download
memory/2888-14-0x0000000000550000-0x0000000000562000-memory.dmp

Filesize
72KB

Download
memory/2888-13-0x00000000002C0000-0x00000000003D0000-memory.dmp

Filesize
1.1MB

Download