dcrat | 0a391e004942f1c430354872ee059c7691476e07a27ff017aecadc2e1f639ac2

Analysis

max time kernel
150s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 18:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_0a391e004942f1c430354872ee059c7691476e07a27ff017aecadc2e1f639ac2.exe
Size

1.3MB
MD5

b372992b3eb60f47235583e06889bb24
SHA1

e0fd86a13d82337cf3f6f3da1c7dba54367c395c
SHA256

0a391e004942f1c430354872ee059c7691476e07a27ff017aecadc2e1f639ac2
SHA512

51fa6d56412735148348c358eceedba2cf5e013468d5e35f09cc1fa0680482655ddfeeef0659a52dd1d157f81f4729047cbeebf390ea27d2ebf352988b9b3bf1
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	3900	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4684	3900	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	3900	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3116	3900	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	3900	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	3900	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3136	3900	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5052	3900	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	3900	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3388	3900	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	3900	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4528	3900	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	3900	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	3900	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	396	3900	schtasks.exe	89

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x000a000000023b92-9.dat	dcrat
behavioral2/memory/2080-13-0x00000000000D0000-0x00000000001E0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
512	powershell.exe
224	powershell.exe
2668	powershell.exe
1104	powershell.exe
840	powershell.exe
2496	powershell.exe

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	JaffaCakes118_0a391e004942f1c430354872ee059c7691476e07a27ff017aecadc2e1f639ac2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 15 IoCs

pid	Process
2080	DllCommonsvc.exe
1808	services.exe
2028	services.exe
1972	services.exe
1176	services.exe
1928	services.exe
4440	services.exe
1676	services.exe
3776	services.exe
2096	services.exe
2912	services.exe
4860	services.exe
3152	services.exe
4984	services.exe
4820	services.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 14 IoCs

Web Service

T1102

flow	ioc
52	raw.githubusercontent.com
49	raw.githubusercontent.com
50	raw.githubusercontent.com
51	raw.githubusercontent.com
40	raw.githubusercontent.com
44	raw.githubusercontent.com
16	raw.githubusercontent.com
38	raw.githubusercontent.com
39	raw.githubusercontent.com
53	raw.githubusercontent.com
15	raw.githubusercontent.com
23	raw.githubusercontent.com
35	raw.githubusercontent.com
43	raw.githubusercontent.com

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Media Player\es-ES\System.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Media Player\es-ES\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\886983d96e3d3e	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_0a391e004942f1c430354872ee059c7691476e07a27ff017aecadc2e1f639ac2.exe

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	JaffaCakes118_0a391e004942f1c430354872ee059c7691476e07a27ff017aecadc2e1f639ac2.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	services.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4684	schtasks.exe
396	schtasks.exe
3028	schtasks.exe
2572	schtasks.exe
3116	schtasks.exe
2036	schtasks.exe
3136	schtasks.exe
2272	schtasks.exe
4528	schtasks.exe
2452	schtasks.exe
2380	schtasks.exe
2024	schtasks.exe
5052	schtasks.exe
3388	schtasks.exe
2648	schtasks.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
2080	DllCommonsvc.exe
2080	DllCommonsvc.exe
2080	DllCommonsvc.exe
224	powershell.exe
840	powershell.exe
2496	powershell.exe
1104	powershell.exe
2668	powershell.exe
512	powershell.exe
1808	services.exe
224	powershell.exe
840	powershell.exe
2496	powershell.exe
1104	powershell.exe
2668	powershell.exe
512	powershell.exe
2028	services.exe
1972	services.exe
1176	services.exe
1928	services.exe
4440	services.exe
1676	services.exe
3776	services.exe
2096	services.exe
2912	services.exe
4860	services.exe
3152	services.exe
4984	services.exe
4820	services.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	2080	DllCommonsvc.exe
Token: SeDebugPrivilege	224	powershell.exe
Token: SeDebugPrivilege	840	powershell.exe
Token: SeDebugPrivilege	2496	powershell.exe
Token: SeDebugPrivilege	1104	powershell.exe
Token: SeDebugPrivilege	2668	powershell.exe
Token: SeDebugPrivilege	1808	services.exe
Token: SeDebugPrivilege	512	powershell.exe
Token: SeDebugPrivilege	2028	services.exe
Token: SeDebugPrivilege	1972	services.exe
Token: SeDebugPrivilege	1176	services.exe
Token: SeDebugPrivilege	1928	services.exe
Token: SeDebugPrivilege	4440	services.exe
Token: SeDebugPrivilege	1676	services.exe
Token: SeDebugPrivilege	3776	services.exe
Token: SeDebugPrivilege	2096	services.exe
Token: SeDebugPrivilege	2912	services.exe
Token: SeDebugPrivilege	4860	services.exe
Token: SeDebugPrivilege	3152	services.exe
Token: SeDebugPrivilege	4984	services.exe
Token: SeDebugPrivilege	4820	services.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3576 wrote to memory of 2700	3576	JaffaCakes118_0a391e004942f1c430354872ee059c7691476e07a27ff017aecadc2e1f639ac2.exe	84
PID 3576 wrote to memory of 2700	3576	JaffaCakes118_0a391e004942f1c430354872ee059c7691476e07a27ff017aecadc2e1f639ac2.exe	84
PID 3576 wrote to memory of 2700	3576	JaffaCakes118_0a391e004942f1c430354872ee059c7691476e07a27ff017aecadc2e1f639ac2.exe	84
PID 2700 wrote to memory of 2456	2700	WScript.exe	86
PID 2700 wrote to memory of 2456	2700	WScript.exe	86
PID 2700 wrote to memory of 2456	2700	WScript.exe	86
PID 2456 wrote to memory of 2080	2456	cmd.exe	88
PID 2456 wrote to memory of 2080	2456	cmd.exe	88
PID 2080 wrote to memory of 512	2080	DllCommonsvc.exe	106
PID 2080 wrote to memory of 512	2080	DllCommonsvc.exe	106
PID 2080 wrote to memory of 224	2080	DllCommonsvc.exe	107
PID 2080 wrote to memory of 224	2080	DllCommonsvc.exe	107
PID 2080 wrote to memory of 840	2080	DllCommonsvc.exe	108
PID 2080 wrote to memory of 840	2080	DllCommonsvc.exe	108
PID 2080 wrote to memory of 2668	2080	DllCommonsvc.exe	109
PID 2080 wrote to memory of 2668	2080	DllCommonsvc.exe	109
PID 2080 wrote to memory of 1104	2080	DllCommonsvc.exe	110
PID 2080 wrote to memory of 1104	2080	DllCommonsvc.exe	110
PID 2080 wrote to memory of 2496	2080	DllCommonsvc.exe	111
PID 2080 wrote to memory of 2496	2080	DllCommonsvc.exe	111
PID 2080 wrote to memory of 1808	2080	DllCommonsvc.exe	118
PID 2080 wrote to memory of 1808	2080	DllCommonsvc.exe	118
PID 1808 wrote to memory of 2036	1808	services.exe	127
PID 1808 wrote to memory of 2036	1808	services.exe	127
PID 2036 wrote to memory of 2476	2036	cmd.exe	129
PID 2036 wrote to memory of 2476	2036	cmd.exe	129
PID 2036 wrote to memory of 2028	2036	cmd.exe	135
PID 2036 wrote to memory of 2028	2036	cmd.exe	135
PID 2028 wrote to memory of 1028	2028	services.exe	137
PID 2028 wrote to memory of 1028	2028	services.exe	137
PID 1028 wrote to memory of 4488	1028	cmd.exe	139
PID 1028 wrote to memory of 4488	1028	cmd.exe	139
PID 1028 wrote to memory of 1972	1028	cmd.exe	141
PID 1028 wrote to memory of 1972	1028	cmd.exe	141
PID 1972 wrote to memory of 3980	1972	services.exe	146
PID 1972 wrote to memory of 3980	1972	services.exe	146
PID 3980 wrote to memory of 1488	3980	cmd.exe	148
PID 3980 wrote to memory of 1488	3980	cmd.exe	148
PID 3980 wrote to memory of 1176	3980	cmd.exe	150
PID 3980 wrote to memory of 1176	3980	cmd.exe	150
PID 1176 wrote to memory of 4260	1176	services.exe	152
PID 1176 wrote to memory of 4260	1176	services.exe	152
PID 4260 wrote to memory of 4572	4260	cmd.exe	154
PID 4260 wrote to memory of 4572	4260	cmd.exe	154
PID 4260 wrote to memory of 1928	4260	cmd.exe	156
PID 4260 wrote to memory of 1928	4260	cmd.exe	156
PID 1928 wrote to memory of 1808	1928	services.exe	158
PID 1928 wrote to memory of 1808	1928	services.exe	158
PID 1808 wrote to memory of 2380	1808	cmd.exe	160
PID 1808 wrote to memory of 2380	1808	cmd.exe	160
PID 1808 wrote to memory of 4440	1808	cmd.exe	162
PID 1808 wrote to memory of 4440	1808	cmd.exe	162
PID 4440 wrote to memory of 3992	4440	services.exe	164
PID 4440 wrote to memory of 3992	4440	services.exe	164
PID 3992 wrote to memory of 1444	3992	cmd.exe	166
PID 3992 wrote to memory of 1444	3992	cmd.exe	166
PID 3992 wrote to memory of 1676	3992	cmd.exe	168
PID 3992 wrote to memory of 1676	3992	cmd.exe	168
PID 1676 wrote to memory of 3080	1676	services.exe	170
PID 1676 wrote to memory of 3080	1676	services.exe	170
PID 3080 wrote to memory of 2832	3080	cmd.exe	172
PID 3080 wrote to memory of 2832	3080	cmd.exe	172
PID 3080 wrote to memory of 3776	3080	cmd.exe	174
PID 3080 wrote to memory of 3776	3080	cmd.exe	174

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0a391e004942f1c430354872ee059c7691476e07a27ff017aecadc2e1f639ac2.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0a391e004942f1c430354872ee059c7691476e07a27ff017aecadc2e1f639ac2.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3576
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2456
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2080
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:512
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:224
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:840
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\es-ES\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2668
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1104
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2496
    - - C:\Users\Default\services.exe
        
        "C:\Users\Default\services.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1808
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tlraSVrJxn.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2476
        
        C:\Users\Default\services.exe
        
        "C:\Users\Default\services.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2028
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UJpHfzfs2i.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1028
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:4488
        
        C:\Users\Default\services.exe
        
        "C:\Users\Default\services.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1972
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SNnEytbzjv.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:3980
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1488
        
        C:\Users\Default\services.exe
        
        "C:\Users\Default\services.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1176
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TEfATY8not.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:4260
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:4572
        
        C:\Users\Default\services.exe
        
        "C:\Users\Default\services.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1928
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GN1wkOWwnv.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:1808
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2380
        
        C:\Users\Default\services.exe
        
        "C:\Users\Default\services.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4440
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZAtO29mfgG.bat"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:3992
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1444
        
        C:\Users\Default\services.exe
        
        "C:\Users\Default\services.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\a1lJXnITmE.bat"
        18⤵
        Suspicious use of WriteProcessMemory
        
        PID:3080
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2832
        
        C:\Users\Default\services.exe
        
        "C:\Users\Default\services.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3776
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\h9TWO8Gj4g.bat"
        20⤵
        
        PID:1104
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:3452
        
        C:\Users\Default\services.exe
        
        "C:\Users\Default\services.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2096
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pnRbx2xD7z.bat"
        22⤵
        
        PID:3336
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:4572
        
        C:\Users\Default\services.exe
        
        "C:\Users\Default\services.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2912
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MTMDnLe0ZL.bat"
        24⤵
        
        PID:1300
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:440
        
        C:\Users\Default\services.exe
        
        "C:\Users\Default\services.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4860
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HHf3c4kdaf.bat"
        26⤵
        
        PID:4440
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:2408
        
        C:\Users\Default\services.exe
        
        "C:\Users\Default\services.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3152
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8YXrskW4JY.bat"
        28⤵
        
        PID:1504
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:4428
        
        C:\Users\Default\services.exe
        
        "C:\Users\Default\services.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4984
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZAtO29mfgG.bat"
        30⤵
        
        PID:4688
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        31⤵
        
        PID:3708
        
        C:\Users\Default\services.exe
        
        "C:\Users\Default\services.exe"
        31⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Media Player\es-ES\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\es-ES\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Media Player\es-ES\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Users\Default\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Users\Default\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\services.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Temp\8YXrskW4JY.bat

Filesize
194B

MD5
9d06a0b68dc3637d32697cf99e26e6d3

SHA1
b264bb0e5372271e5b0db909f6ea8cb7c0b12bd3

SHA256
40f939d661f1dc1fa36fea0e7fed7a27f965de7bf61d18abff42cf3f6db01c75

SHA512
17343cc06adbf2edba203e587e14c6b1075b635b4a43944840ded7ec7483444e38feebbc0870c3ff2f4299f3d0b6563eddab1d67579f53dece1322a5d0b8e268

Download Submit
C:\Users\Admin\AppData\Local\Temp\GN1wkOWwnv.bat

Filesize
194B

MD5
fb5fcc1fa3f3daf53951108e3ba00f9a

SHA1
f6a371842c249556c6e46da8ed5990ae66499868

SHA256
7154936a887c8162ce50af66c75cb232b2cfcb7dac8b36bc8ebfbad03029bb3b

SHA512
f15df98f105c7258196df005a85ee8d8b9ef58a5f1de184af55f55ed26624a33f056fa5f205fb8ec78621a3b118da9079edfb62691ec629a9969966c29c9d38f

Download Submit
C:\Users\Admin\AppData\Local\Temp\HHf3c4kdaf.bat

Filesize
194B

MD5
616e9df38b85b1d100b14d770d02d59c

SHA1
460d0dfd65fe87d0898149a118432c061b634067

SHA256
76711f77512ff20d4d4f57c2ceeb52e08dcd5e53a83f819b19f48603749cfc3d

SHA512
a244508428f9b46cbea23f94973acd2a1b4051b936c9e98c99b658b340375a3e916bae7aabc7b76c0360b8c216fad5c3e8e4a3d70926069fa2839652f8826e74

Download Submit
C:\Users\Admin\AppData\Local\Temp\MTMDnLe0ZL.bat

Filesize
194B

MD5
08b99610960fe5df40c925200a8e57d7

SHA1
20a1d4436f0dba8fde91bd41855555d54cb51388

SHA256
34feb620b2f7dd456a4c2dea0129789fccf600f8da2ee4c8202ed11efcdcf977

SHA512
31b8ae6a2c9827a4a3cf35a323c093a07e1ec3d22f16513da77633684f664d4bd4a17f99228a88def103735afb0f10d8365fda77a6734e04d84b370e0e70a8df

Download Submit
C:\Users\Admin\AppData\Local\Temp\SNnEytbzjv.bat

Filesize
194B

MD5
5939345f33eff01d4c1b91ae05576cae

SHA1
4fd032647fb818ed45a12f938d8d686f57d1eb89

SHA256
93b174f035f07c47e2ae186d95bce35fee4c7a6f7900cd29953f472003c21189

SHA512
f19e5af9f2e62105b517949fd1cbd1ddcd6e583696a07b47712e410355303d93859c74d70a11b41153eff811a43e63f6c11506af64b28bbcbded786b81d24f39

Download Submit
C:\Users\Admin\AppData\Local\Temp\TEfATY8not.bat

Filesize
194B

MD5
cc51f58877673fa6d7e64271ebd87c68

SHA1
f8082faded2497fdbf4e5ff9109de75ef3afa25e

SHA256
e5eb2ae9b75b9a50a9dfa5aecdfc884e7dc5c619314953c53754e90b30345978

SHA512
d7c71d3bebc584e63533c915eb17064420c183ee6e33b3307339b84940f7e295c6f4e118b3009707bab184df51c68464123c9660782d08479cc2536723aff120

Download Submit
C:\Users\Admin\AppData\Local\Temp\UJpHfzfs2i.bat

Filesize
194B

MD5
09d7317ee2abede3586870ca68f1ede1

SHA1
03d9e84998e21d383de251153b3c653b6d6210ab

SHA256
4ba8d5c869d7a44a1f22e74ec83e1d2e3a84ee50b7b902061e2121fb77c6c9de

SHA512
ca62b5ffa7c256834eac03780be759fdd5fe910867e44ea5bb746c2dcd6fbac291efc504da913acba4cc2f41b2e318e053ed95b8816ff4bbed2fa200617864ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZAtO29mfgG.bat

Filesize
194B

MD5
09a4990c9ac81f66f8cb68181193fd21

SHA1
8896111701f9b3e90b84a3bbc7c9b9ce27f4ba16

SHA256
a498c32197a445d8e934502ce61adc1b3221d8585a9690d0545b6fef05f09145

SHA512
be4e7ae738e05df7226fdf00002a7fe92ebd4e4d91e81373c59e8f249cb379488363c2259a9260727f4aacaefc682b9942ba9730ace5a1179b5f183a818d3ece

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0pprqyaz.sjg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a1lJXnITmE.bat

Filesize
194B

MD5
8094512255ff8ad5ee31976d54d216a8

SHA1
d82db76916eb66f8ac7023403caa61725b3dfdb3

SHA256
9e8670df33849c0f58a94b9430386d5c0c970d4f307da24431289782da70d38c

SHA512
13021b0b8601faf4ebfeb54c471971aa1b6978783cc3adc5c62a74de3a67c51a9732f19f9358f009ebf66a65a96a15554c895804d6e922583177d5bd4299249e

Download Submit
C:\Users\Admin\AppData\Local\Temp\h9TWO8Gj4g.bat

Filesize
194B

MD5
66dda91845d7c25158d3bf7b9eb5e55e

SHA1
c73b1d6f8218c17ba1fa1c56cf1590a2c17d33f2

SHA256
b9eb10962a2ac7a0fafa3ea80a1459c461dc5b553eecdab170463e09650cdb44

SHA512
827f06b7698ef149158eeed3467e69151ee0c7e47cc3018be222937500b82415f9cc1ec50258f2aaa34a8d36bd1b69ea8058343c06b2eb343c26cf5a78288f73

Download Submit
C:\Users\Admin\AppData\Local\Temp\pnRbx2xD7z.bat

Filesize
194B

MD5
15bce2889316b2e7662980851b97b84b

SHA1
dbba451d817cc7f25990b88ebcf95ec48db695e2

SHA256
27919959b9690985d2f2d17796d215f0eb52ab8582bece3841ae1023b0597bee

SHA512
e2f9d09bf9c2e7de0d3680bd444f8fb0963e0c54477a01eea83b12bb2b0a5752f04fb9c6edaeab30314dbcd689a5307b5cd95c752c24f3b3e6c677ac58de7732

Download Submit
C:\Users\Admin\AppData\Local\Temp\tlraSVrJxn.bat

Filesize
194B

MD5
aedc6aa8379ab19b0199f44f78447b51

SHA1
2d51d8cc0978928d187a3356e9f02130eff3efa6

SHA256
b25bf3893d216aa07359de9373985b28a6b511d17e1c1579a6c0be9bdfec5326

SHA512
580b7d1391c26594fae6796a9cb1e6cc4dc08ef7dac4588d8b4f17a75395aa2d2a701b8e4cbe6acf9acc00812cf7caf9188fa57a1add8f744f9daddb8ef7686e

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/224-44-0x000001C9421E0000-0x000001C942202000-memory.dmp

Filesize
136KB

Download
memory/1176-133-0x000000001D900000-0x000000001DA02000-memory.dmp

Filesize
1.0MB

Download
memory/1676-155-0x000000001CF00000-0x000000001D002000-memory.dmp

Filesize
1.0MB

Download
memory/1808-85-0x000000001D700000-0x000000001D712000-memory.dmp

Filesize
72KB

Download
memory/1928-140-0x000000001D320000-0x000000001D422000-memory.dmp

Filesize
1.0MB

Download
memory/1972-126-0x000000001CC00000-0x000000001CD02000-memory.dmp

Filesize
1.0MB

Download
memory/2080-16-0x0000000000B50000-0x0000000000B5C000-memory.dmp

Filesize
48KB

Download
memory/2080-17-0x0000000000B70000-0x0000000000B7C000-memory.dmp

Filesize
48KB

Download
memory/2080-15-0x0000000000B60000-0x0000000000B6C000-memory.dmp

Filesize
48KB

Download
memory/2080-14-0x00000000009F0000-0x0000000000A02000-memory.dmp

Filesize
72KB

Download
memory/2080-13-0x00000000000D0000-0x00000000001E0000-memory.dmp

Filesize
1.1MB

Download
memory/2080-12-0x00007FFD411C3000-0x00007FFD411C5000-memory.dmp

Filesize
8KB

Download
memory/2912-170-0x000000001B5F0000-0x000000001B602000-memory.dmp

Filesize
72KB

Download
memory/3152-184-0x000000001BDF0000-0x000000001BE02000-memory.dmp

Filesize
72KB

Download
memory/3776-157-0x00000000019F0000-0x0000000001A02000-memory.dmp

Filesize
72KB

Download
memory/4440-147-0x000000001D130000-0x000000001D232000-memory.dmp

Filesize
1.0MB

Download
memory/4860-177-0x000000001BFF0000-0x000000001C002000-memory.dmp

Filesize
72KB

Download