dcrat | 8299222ff759db1a4dd8b64eec6ae280ffabb6b2cb56054a83b0feed39dc2a59

Analysis

max time kernel
148s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 13:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_8299222ff759db1a4dd8b64eec6ae280ffabb6b2cb56054a83b0feed39dc2a59.exe
Size

1.3MB
MD5

73a72d49b5e1529652ac8bb20ebcc2ca
SHA1

9e811f05e33ae78b3b54e33f8a0364d75759ba72
SHA256

8299222ff759db1a4dd8b64eec6ae280ffabb6b2cb56054a83b0feed39dc2a59
SHA512

725af1e4c1961572eb830e96aab40fe81ab6e16f2cda7b424967747ba9a1dd36135b4109c8a311d5aa507f9c936505f8ad99a4cdf3a2a474cdbfea65a0cc0d0e
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	2656	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2656	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2656	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	2656	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	2656	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	2656	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	2656	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	2656	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	2656	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1300	2656	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1868	2656	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	2656	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	2656	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	2656	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	2656	schtasks.exe	35

DCRat payload 13 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000017403-10.dat	dcrat
behavioral1/memory/2888-13-0x0000000000E80000-0x0000000000F90000-memory.dmp	dcrat
behavioral1/memory/2216-44-0x0000000000950000-0x0000000000A60000-memory.dmp	dcrat
behavioral1/memory/2736-125-0x0000000000D20000-0x0000000000E30000-memory.dmp	dcrat
behavioral1/memory/2016-185-0x0000000001050000-0x0000000001160000-memory.dmp	dcrat
behavioral1/memory/3040-304-0x0000000000200000-0x0000000000310000-memory.dmp	dcrat
behavioral1/memory/2652-364-0x0000000000F40000-0x0000000001050000-memory.dmp	dcrat
behavioral1/memory/1648-424-0x0000000001090000-0x00000000011A0000-memory.dmp	dcrat
behavioral1/memory/2012-484-0x0000000001150000-0x0000000001260000-memory.dmp	dcrat
behavioral1/memory/536-544-0x00000000000A0000-0x00000000001B0000-memory.dmp	dcrat
behavioral1/memory/2604-604-0x00000000002D0000-0x00000000003E0000-memory.dmp	dcrat
behavioral1/memory/1724-665-0x00000000008D0000-0x00000000009E0000-memory.dmp	dcrat
behavioral1/memory/2232-725-0x0000000000100000-0x0000000000210000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1612	powershell.exe
292	powershell.exe
1440	powershell.exe
2436	powershell.exe
2028	powershell.exe
2032	powershell.exe

Executes dropped EXE 13 IoCs

pid	Process
2888	DllCommonsvc.exe
2216	lsm.exe
2736	lsm.exe
2016	lsm.exe
2468	lsm.exe
3040	lsm.exe
2652	lsm.exe
1648	lsm.exe
2012	lsm.exe
536	lsm.exe
2604	lsm.exe
1724	lsm.exe
2232	lsm.exe

Loads dropped DLL 2 IoCs

pid	Process
2748	cmd.exe
2748	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
20	raw.githubusercontent.com
23	raw.githubusercontent.com
30	raw.githubusercontent.com
16	raw.githubusercontent.com
27	raw.githubusercontent.com
33	raw.githubusercontent.com
37	raw.githubusercontent.com
41	raw.githubusercontent.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Portable Devices\lsm.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\101b941d020240	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\fr-FR\cmd.exe	DllCommonsvc.exe
File created	C:\Windows\fr-FR\ebf1f9fa8afd6d	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8299222ff759db1a4dd8b64eec6ae280ffabb6b2cb56054a83b0feed39dc2a59.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1868	schtasks.exe
2756	schtasks.exe
2732	schtasks.exe
2636	schtasks.exe
2692	schtasks.exe
2268	schtasks.exe
1960	schtasks.exe
1800	schtasks.exe
1816	schtasks.exe
1944	schtasks.exe
1300	schtasks.exe
2164	schtasks.exe
1956	schtasks.exe
2444	schtasks.exe
1688	schtasks.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
2888	DllCommonsvc.exe
2436	powershell.exe
1440	powershell.exe
1612	powershell.exe
292	powershell.exe
2028	powershell.exe
2032	powershell.exe
2216	lsm.exe
2736	lsm.exe
2016	lsm.exe
2468	lsm.exe
3040	lsm.exe
2652	lsm.exe
1648	lsm.exe
2012	lsm.exe
536	lsm.exe
2604	lsm.exe
1724	lsm.exe
2232	lsm.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	2888	DllCommonsvc.exe
Token: SeDebugPrivilege	2436	powershell.exe
Token: SeDebugPrivilege	1440	powershell.exe
Token: SeDebugPrivilege	1612	powershell.exe
Token: SeDebugPrivilege	292	powershell.exe
Token: SeDebugPrivilege	2028	powershell.exe
Token: SeDebugPrivilege	2032	powershell.exe
Token: SeDebugPrivilege	2216	lsm.exe
Token: SeDebugPrivilege	2736	lsm.exe
Token: SeDebugPrivilege	2016	lsm.exe
Token: SeDebugPrivilege	2468	lsm.exe
Token: SeDebugPrivilege	3040	lsm.exe
Token: SeDebugPrivilege	2652	lsm.exe
Token: SeDebugPrivilege	1648	lsm.exe
Token: SeDebugPrivilege	2012	lsm.exe
Token: SeDebugPrivilege	536	lsm.exe
Token: SeDebugPrivilege	2604	lsm.exe
Token: SeDebugPrivilege	1724	lsm.exe
Token: SeDebugPrivilege	2232	lsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 2084	2420	JaffaCakes118_8299222ff759db1a4dd8b64eec6ae280ffabb6b2cb56054a83b0feed39dc2a59.exe	30
PID 2420 wrote to memory of 2084	2420	JaffaCakes118_8299222ff759db1a4dd8b64eec6ae280ffabb6b2cb56054a83b0feed39dc2a59.exe	30
PID 2420 wrote to memory of 2084	2420	JaffaCakes118_8299222ff759db1a4dd8b64eec6ae280ffabb6b2cb56054a83b0feed39dc2a59.exe	30
PID 2420 wrote to memory of 2084	2420	JaffaCakes118_8299222ff759db1a4dd8b64eec6ae280ffabb6b2cb56054a83b0feed39dc2a59.exe	30
PID 2084 wrote to memory of 2748	2084	WScript.exe	32
PID 2084 wrote to memory of 2748	2084	WScript.exe	32
PID 2084 wrote to memory of 2748	2084	WScript.exe	32
PID 2084 wrote to memory of 2748	2084	WScript.exe	32
PID 2748 wrote to memory of 2888	2748	cmd.exe	34
PID 2748 wrote to memory of 2888	2748	cmd.exe	34
PID 2748 wrote to memory of 2888	2748	cmd.exe	34
PID 2748 wrote to memory of 2888	2748	cmd.exe	34
PID 2888 wrote to memory of 1612	2888	DllCommonsvc.exe	51
PID 2888 wrote to memory of 1612	2888	DllCommonsvc.exe	51
PID 2888 wrote to memory of 1612	2888	DllCommonsvc.exe	51
PID 2888 wrote to memory of 292	2888	DllCommonsvc.exe	52
PID 2888 wrote to memory of 292	2888	DllCommonsvc.exe	52
PID 2888 wrote to memory of 292	2888	DllCommonsvc.exe	52
PID 2888 wrote to memory of 2028	2888	DllCommonsvc.exe	53
PID 2888 wrote to memory of 2028	2888	DllCommonsvc.exe	53
PID 2888 wrote to memory of 2028	2888	DllCommonsvc.exe	53
PID 2888 wrote to memory of 1440	2888	DllCommonsvc.exe	54
PID 2888 wrote to memory of 1440	2888	DllCommonsvc.exe	54
PID 2888 wrote to memory of 1440	2888	DllCommonsvc.exe	54
PID 2888 wrote to memory of 2436	2888	DllCommonsvc.exe	55
PID 2888 wrote to memory of 2436	2888	DllCommonsvc.exe	55
PID 2888 wrote to memory of 2436	2888	DllCommonsvc.exe	55
PID 2888 wrote to memory of 2032	2888	DllCommonsvc.exe	56
PID 2888 wrote to memory of 2032	2888	DllCommonsvc.exe	56
PID 2888 wrote to memory of 2032	2888	DllCommonsvc.exe	56
PID 2888 wrote to memory of 2216	2888	DllCommonsvc.exe	63
PID 2888 wrote to memory of 2216	2888	DllCommonsvc.exe	63
PID 2888 wrote to memory of 2216	2888	DllCommonsvc.exe	63
PID 2216 wrote to memory of 2412	2216	lsm.exe	64
PID 2216 wrote to memory of 2412	2216	lsm.exe	64
PID 2216 wrote to memory of 2412	2216	lsm.exe	64
PID 2412 wrote to memory of 2704	2412	cmd.exe	66
PID 2412 wrote to memory of 2704	2412	cmd.exe	66
PID 2412 wrote to memory of 2704	2412	cmd.exe	66
PID 2412 wrote to memory of 2736	2412	cmd.exe	67
PID 2412 wrote to memory of 2736	2412	cmd.exe	67
PID 2412 wrote to memory of 2736	2412	cmd.exe	67
PID 2736 wrote to memory of 1760	2736	lsm.exe	68
PID 2736 wrote to memory of 1760	2736	lsm.exe	68
PID 2736 wrote to memory of 1760	2736	lsm.exe	68
PID 1760 wrote to memory of 1692	1760	cmd.exe	70
PID 1760 wrote to memory of 1692	1760	cmd.exe	70
PID 1760 wrote to memory of 1692	1760	cmd.exe	70
PID 1760 wrote to memory of 2016	1760	cmd.exe	71
PID 1760 wrote to memory of 2016	1760	cmd.exe	71
PID 1760 wrote to memory of 2016	1760	cmd.exe	71
PID 2016 wrote to memory of 3060	2016	lsm.exe	72
PID 2016 wrote to memory of 3060	2016	lsm.exe	72
PID 2016 wrote to memory of 3060	2016	lsm.exe	72
PID 3060 wrote to memory of 1204	3060	cmd.exe	74
PID 3060 wrote to memory of 1204	3060	cmd.exe	74
PID 3060 wrote to memory of 1204	3060	cmd.exe	74
PID 3060 wrote to memory of 2468	3060	cmd.exe	75
PID 3060 wrote to memory of 2468	3060	cmd.exe	75
PID 3060 wrote to memory of 2468	3060	cmd.exe	75
PID 2468 wrote to memory of 2992	2468	lsm.exe	76
PID 2468 wrote to memory of 2992	2468	lsm.exe	76
PID 2468 wrote to memory of 2992	2468	lsm.exe	76
PID 2992 wrote to memory of 2240	2992	cmd.exe	78

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8299222ff759db1a4dd8b64eec6ae280ffabb6b2cb56054a83b0feed39dc2a59.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8299222ff759db1a4dd8b64eec6ae280ffabb6b2cb56054a83b0feed39dc2a59.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2084
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2748
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2888
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1612
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\WMIADAP.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:292
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2028
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1440
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2436
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\fr-FR\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2032
    - - C:\Program Files\Windows Portable Devices\lsm.exe
        
        "C:\Program Files\Windows Portable Devices\lsm.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2216
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2zdeBu3xOP.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2412
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2704
        
        C:\Program Files\Windows Portable Devices\lsm.exe
        
        "C:\Program Files\Windows Portable Devices\lsm.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2736
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fmTXnddwCX.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1760
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:1692
        
        C:\Program Files\Windows Portable Devices\lsm.exe
        
        "C:\Program Files\Windows Portable Devices\lsm.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2016
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yoQf8QHV2Q.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:3060
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1204
        
        C:\Program Files\Windows Portable Devices\lsm.exe
        
        "C:\Program Files\Windows Portable Devices\lsm.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2468
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Nc51i3GWIc.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2992
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2240
        
        C:\Program Files\Windows Portable Devices\lsm.exe
        
        "C:\Program Files\Windows Portable Devices\lsm.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3040
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FnVhX1xwia.bat"
        14⤵
        
        PID:2824
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1532
        
        C:\Program Files\Windows Portable Devices\lsm.exe
        
        "C:\Program Files\Windows Portable Devices\lsm.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2652
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4vfhrz6qhB.bat"
        16⤵
        
        PID:900
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2484
        
        C:\Program Files\Windows Portable Devices\lsm.exe
        
        "C:\Program Files\Windows Portable Devices\lsm.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1648
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rZY5mW9Lj2.bat"
        18⤵
        
        PID:2420
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2352
        
        C:\Program Files\Windows Portable Devices\lsm.exe
        
        "C:\Program Files\Windows Portable Devices\lsm.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2012
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\X8VSEkwS9E.bat"
        20⤵
        
        PID:2132
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2956
        
        C:\Program Files\Windows Portable Devices\lsm.exe
        
        "C:\Program Files\Windows Portable Devices\lsm.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:536
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\H34YhpUhHp.bat"
        22⤵
        
        PID:1612
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2736
        
        C:\Program Files\Windows Portable Devices\lsm.exe
        
        "C:\Program Files\Windows Portable Devices\lsm.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2604
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ssDSZpddA3.bat"
        24⤵
        
        PID:2116
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:592
        
        C:\Program Files\Windows Portable Devices\lsm.exe
        
        "C:\Program Files\Windows Portable Devices\lsm.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1724
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OI2OM6vZgr.bat"
        26⤵
        
        PID:2692
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:2008
        
        C:\Program Files\Windows Portable Devices\lsm.exe
        
        "C:\Program Files\Windows Portable Devices\lsm.exe"
        27⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\providercommon\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Portable Devices\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Windows\fr-FR\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\fr-FR\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Windows\fr-FR\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
64314f3a6bce1606dd0bbd41bae73d9d

SHA1
85d48327ec7abee03851d0a34fe444d698c8e988

SHA256
f179dc8cef1b313f96ec191580b50d763f78e6731e92bf013e6b7ce01901f54d

SHA512
2b5b133cbabff1fb009b335be91802943b2d8163eb30f67ef9eda5fdf8f98b2220988331d70428120421f5db97c36d3e0abed774fa7e05392227775a7b3408ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0cda87d2c21b4d71d6e4870903544ca3

SHA1
48f6750ea1f964f2ae0c6c84ebcb71cf650b2589

SHA256
d356e715e5d686de1a7d79bd71a0374abb5e8913c02051f9982f38de3c99b413

SHA512
832879ed9dce6da8645a7f3c416b9e0af01814c104095e1519801de17c6d3ddd054c3ffaed4cabf6b338eb355afcb01dd0d3f19a4b22ff22dff2e492ac4a64a8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
01217792ba5b321c75d375f3b31a6383

SHA1
500d796bdfb64444546e881993a2f35d312703d8

SHA256
92c3ea892efbddb9b2db8e02c2741e65fda6d36c028eaf58a6d10c6617234151

SHA512
4fe521bb9d96e06956a585655e531366fa4c3e3b43ccd88f6bbef35de66a7b3fb2ffbea40d07ffc6d03721e1db494bdfc5d615c5b002b0331251973ab58b6bed

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e2807a16202a12056f86debfc26b6fb1

SHA1
78cce082cffea695ab5b675f6b1cf5ec8aff9a4f

SHA256
dcb0ad349e052f469f79e0052c0173512ba0416d37d6abb118af40f577f4151d

SHA512
a0bce0917772698f3221bafb2f13171034ec501101180a73df2739ce65d7de670c392b009ef5b44e023e5472869d33ee4a15de35f8b6ef9bc89c2e47ce9b0997

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
36fc2a91d33aedfc5a24b671db54ede4

SHA1
1b7398bfaf91be0fde4094645601cbfcff0fceda

SHA256
1eab58473fb198b95c3c19e77e57fcda39c85b3ef065585ea48716fb43609f3d

SHA512
a21a3efc01e3e3988fe509a5f59266640c7afdcb70d01d47137ac1195453d9ad7e15251a5a05ba145bd6db752a86aa18414dcca90d60c74f24434b9e7b29ef36

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
54c116552321d929e5e4a780e025486a

SHA1
d5248f7a74375f51a84a5700fa9ff1335ac8afa4

SHA256
996daa75fcdfcd6bb83a39e20556161cdfa77a60d80f570c07feddc0703a36e2

SHA512
5ca07f5031d11c32a9f8f5424e16a056a7078c7d3ec63cb93174f3d11cbad57c52e76a0cc0411625ca4228ff2cd73c227bd2ced99ba2793206af02e2c004a104

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dc12dd5d58e2b315af81e7ed99fd6fe8

SHA1
916e5e52609b9c731fc47f8baec560109299216a

SHA256
76967098dafbebade9ca64a12dfe921ae70c9d9d3c36ac80cc9bbd22de0b9c21

SHA512
8cc312e0ea81eb5f25322b325d7cb7c79737e95d12becc8323e679d2164e0a9022fd2274a87d9d9f280f1dc54b7383ab353b0f8f3369f57b961488b69e34bf0f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1242ad648b5f0ff84ec42708b2b8e95b

SHA1
6b8c0f343b83c2d868edc29a92dc50387f00ea59

SHA256
ce7e154929d946b63a573a17294c9cd6d669b802f08c383da8656e1823f18f70

SHA512
e3367fff32f8d4e3ce41c6c4620de8aa0300828bded47b2498d0c7e2acd3d0cae80f305a9debc1d3cc2472881da1d9dd4e818be4625e1ce6319b82d2efbb2db6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4479860bcfc59e90fce513e263c4fda4

SHA1
6cdc5bbd015db921b74cd852321f5fa4d0805ca5

SHA256
728d04c9070df682ae46e4183968011374e94614d692b686b4747bfc304bc080

SHA512
e9e00a6be9ec6da2c36199d92ed656b8dfbac4dae62a0c1dea6df914ac6f2fa5c926a9e58d45a4680f4b1b99f1f1f9911d425449fe0c1d137c262c83024ed02f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8656ad6f5f5ef3c1aa70af6317e8adb0

SHA1
aaa2a54f2e31e8e5715358da8935340bb0086066

SHA256
3df7f3a869d5ce0b6436bee884cd5a78600fdf3f67813e20598f7282db60942a

SHA512
51e76f7470711f49007aa73cfaccafdf7594a3135d4f57bf4dbecf3f22cf319225486218f21d52c4c4005aeda3c89c22d07f2bae2894a0066d2b78cfa215c265

Download Submit
C:\Users\Admin\AppData\Local\Temp\2zdeBu3xOP.bat

Filesize
214B

MD5
ddffc455e321431fde28cc42439791aa

SHA1
f4799200290d2f64d532ff03575fd5f955a20d9a

SHA256
9d2d0ee55fbb00668c22efc715eb815b04b33b70b50e16573c7722390118707e

SHA512
e00c760c2475dba6dedcb59b52546c2f8240f564e4e03f5d6c84aa02c78af1db94d7c9277730f8bc12e77cdbfbd987b3de01dc8930daba1b52b1991cfc7a88ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\4vfhrz6qhB.bat

Filesize
214B

MD5
0019bff01447229c9615b74399ebd1a2

SHA1
34d711a64d0b9edc526d1e1a980248b6feac1d5f

SHA256
88cbd407037a0b2ce27410745b0b7f5b1aaefcbef816df579045f7a9b74ff980

SHA512
ca05cfb61d2cc4bf3da39aac687f1a4a9a1b2b7620290a5f67cfb3ee0d6ac765b1e7c4516090e1ca5477592b3b5b163a6e219e5dab39b427e40d4400b0922d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE9F4.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FnVhX1xwia.bat

Filesize
214B

MD5
584c0f994ccbe28d9d9e13d315d7fdc0

SHA1
2abedc293d2e81afced551609750c88890a0d358

SHA256
d58c489e338433b0cfa0518f1ac31271d83785cb6fdef3c04dec56d95d4dc15d

SHA512
239ecdfe38cd7e6b62cc1e965a695a26de159edfcd7db375e87a8fe41e7e65e81de4f51775ab8c120efdbafbfa4bf503ad475f978af3ae280a7f4c62c4d511d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\H34YhpUhHp.bat

Filesize
214B

MD5
64f9e8fe9bc95d22ad63eac808af13e2

SHA1
86954dfce178cf4ddf909441ddcdef4118e3ab58

SHA256
acde6982ea367d7ddb60b9e1f08f1487937cfda84d8f727b7734ac92fde55a75

SHA512
760edf137ea348f30e17890bb00276a8d362b1a819c80ca82e50d5528977b63c0e7f63547a30885dcbf041f56756f5feb59e83f21b42c6994642dad5cf9d369e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nc51i3GWIc.bat

Filesize
214B

MD5
769dac191555200466634f489f120fa7

SHA1
971a69ef11924a62c060f8b4ab5f4a9f72821607

SHA256
9425eefb82e5be34d1b97206e5adf09f5a56c49d2d50050043704013270e6de9

SHA512
6390815127bac2091d2b191083672d541222e3036c27e1be8e240ab97eaeb570b9081ded3826935fb8192511c60da9b77fd6ca4270e0c20a89924f235a9b13a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\OI2OM6vZgr.bat

Filesize
214B

MD5
e0249bada48c3d3264a33f8b96e52885

SHA1
8bdd9776b6dc8764ff376e65ed2b06e97c503733

SHA256
14333984c5e1410be3156021b786a79980f06277c2dcb8d5f0175be21268e3e5

SHA512
9de681cd1382e349f537bff194134c95f529f20b5bb0a579b186654804d339b5640b64e4bca8da1bc51cbc792beae923c9b4c23b17140d10993e4266b25f82ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarEA16.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\X8VSEkwS9E.bat

Filesize
214B

MD5
ce066b6db68c5220ab35015aa070d653

SHA1
f3dc947e1f797d8baba24c175c758bc86d79e688

SHA256
1fb93cc4caa7d5dd3d172e0e5623f3c84c5c38180c703a0391ba553eb1bb8ccd

SHA512
10b1230d8f7855b60f55d6ab317dd9c6aff18cf4b20f4143de802fc4a9843f124e48f3c13c7827fdfb23a557ef228621ab7f265d160d01a17b82a6f378a37eb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\fmTXnddwCX.bat

Filesize
214B

MD5
a57d8baf82c5e5c98461f3bb7cda3a72

SHA1
34e47ac97d9853d43810935d691fc04885982ba9

SHA256
201586e538a6887ef8254afab0c13da2c8b53164c84fc63f31db942c98758e90

SHA512
6dd7ff9e7a6d825808b5d58a18cbf2ad2c6ae718779d94a0074f52544bb3cb48a28015c5ac27fe1793afbd420b1361db47fb11ac7ecf75e5da9a48f1bc80c2f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\rZY5mW9Lj2.bat

Filesize
214B

MD5
7d53abdddef08cefd471e7f6fbb09825

SHA1
55910f5f3c2650b1e8214bd1c1493c5993a299cc

SHA256
ac0e2d6279eff013619d319234154d9a92266f2bea36c2434e44563ed97132c3

SHA512
828d3d2b72b37d4849b58349f967a8751ef94fbbcf17aeb29e67b0dd7a5cd4abc571af7ce958299dbac37e235cb80f089158d404bb34d6d8e25ffec76926bb09

Download Submit
C:\Users\Admin\AppData\Local\Temp\ssDSZpddA3.bat

Filesize
214B

MD5
d9a5f1212a8817bae07486314d60de97

SHA1
9e80f60564979a063e1511a0ed9dfda4352f88da

SHA256
fdd1c567104290d170c9c2f7d9567cd76092fc4871416318e4ab704867262f0a

SHA512
c50538f3c19381a1fe151f243558732471b8af3feebb38450f283edf7869bede3f82fa12ac2fb3dae72b9f3dd2686dde0fb2ccc4dc06693ad3800a824aa31b0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\yoQf8QHV2Q.bat

Filesize
214B

MD5
c6b5ef1695fbb25bc638ee93a185b46a

SHA1
fa2ec9608390882d285393ca49ce498c17b79740

SHA256
2e67192dd99cb440d41a7d3808230f037b14a8182dbd90ec182acbd454a4bac5

SHA512
c370d1e49fc027e7562f9ba008af1be396dd8c75b8ffd0b6bb00ddca2b8e96c1391a245838207fa576244ed731e1c3cda2769fde3ddf4dfc43b57460da439988

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
35c56b712cca0688b9227902c775c581

SHA1
e65678368afcb80f3662ebb64cd385ca88775b80

SHA256
535126ab42be203af628029514c1c6f4523c1654a77b12e554dc49e8147a7a57

SHA512
48a34ebb90cab43d30b0807b7264fd86c150723c865c92167ede76fa794ebc19e9276baa62a116a4d5cc5ebbaffc8f4df5d894113776a24ca12b8de6971f7230

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/536-544-0x00000000000A0000-0x00000000001B0000-memory.dmp

Filesize
1.1MB

Download
memory/1648-424-0x0000000001090000-0x00000000011A0000-memory.dmp

Filesize
1.1MB

Download
memory/1724-665-0x00000000008D0000-0x00000000009E0000-memory.dmp

Filesize
1.1MB

Download
memory/2012-484-0x0000000001150000-0x0000000001260000-memory.dmp

Filesize
1.1MB

Download
memory/2016-185-0x0000000001050000-0x0000000001160000-memory.dmp

Filesize
1.1MB

Download
memory/2216-44-0x0000000000950000-0x0000000000A60000-memory.dmp

Filesize
1.1MB

Download
memory/2216-66-0x00000000005D0000-0x00000000005E2000-memory.dmp

Filesize
72KB

Download
memory/2232-725-0x0000000000100000-0x0000000000210000-memory.dmp

Filesize
1.1MB

Download
memory/2436-39-0x000000001B550000-0x000000001B832000-memory.dmp

Filesize
2.9MB

Download
memory/2436-40-0x0000000002620000-0x0000000002628000-memory.dmp

Filesize
32KB

Download
memory/2604-604-0x00000000002D0000-0x00000000003E0000-memory.dmp

Filesize
1.1MB

Download
memory/2604-605-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/2652-364-0x0000000000F40000-0x0000000001050000-memory.dmp

Filesize
1.1MB

Download
memory/2736-125-0x0000000000D20000-0x0000000000E30000-memory.dmp

Filesize
1.1MB

Download
memory/2888-17-0x00000000003F0000-0x00000000003FC000-memory.dmp

Filesize
48KB

Download
memory/2888-16-0x0000000000160000-0x000000000016C000-memory.dmp

Filesize
48KB

Download
memory/2888-15-0x00000000003E0000-0x00000000003EC000-memory.dmp

Filesize
48KB

Download
memory/2888-14-0x0000000000150000-0x0000000000162000-memory.dmp

Filesize
72KB

Download
memory/2888-13-0x0000000000E80000-0x0000000000F90000-memory.dmp

Filesize
1.1MB

Download
memory/3040-304-0x0000000000200000-0x0000000000310000-memory.dmp

Filesize
1.1MB

Download