dcrat | 946714fa944cab2d100b25b5ce8dc8ae20d1d9a27c3e9c67ee2cd18d862d03af

Analysis

max time kernel
147s
max time network
144s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
24-09-2022 05:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3d1551fcb92caa336745b275ea357187.exe
Size

2.7MB
MD5

3d1551fcb92caa336745b275ea357187
SHA1

38b8fe4cee22237d34cf27974edd82d1105c6bac
SHA256

946714fa944cab2d100b25b5ce8dc8ae20d1d9a27c3e9c67ee2cd18d862d03af
SHA512

b4d40905d2115ebc614b0b11a15f8b740040b4bebcc973e7d44dbddc58c6034f854e201b870c538f575c45b14935b2bde8e4ba58eb9043098788660ed2b35f0a
SSDEEP

49152:BBZnUTbk3+q5cyOycEFE/7mdpDsDCtlToe7AhexA7s6Sjaw3mQf:BBZnUe+q5cyONzopoWt9oezxq83

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	1068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	1068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	520	1068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	1068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1544	1068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1872	1068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	1068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1372	1068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1132	1068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	1068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	1068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1064	1068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1056	1068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	1068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	1068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1116	1068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1088	1068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	636	1068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	1068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	280	1068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1368	1068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	1068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	1068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	856	1068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1516	1068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	1068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1292	1068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1544	1068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1364	1068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	1068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1080	1068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	760	1068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	1068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	108	1068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	564	1068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	1068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1128	1068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	1068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	568	1068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	612	1068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	988	1068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1088	1068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	948	1068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	1068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	468	1068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	1068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1368	1068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	1068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	1068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	864	1068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	920	1068	schtasks.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/1584-55-0x000000001B460000-0x000000001B568000-memory.dmp	dcrat

Executes dropped EXE 7 IoCs

Processes:

taskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exe

pid process

600 taskhost.exe
1992 taskhost.exe
536 taskhost.exe
1884 taskhost.exe
1484 taskhost.exe
816 taskhost.exe
1080 taskhost.exe

pid	process
600	taskhost.exe
1992	taskhost.exe
536	taskhost.exe
1884	taskhost.exe
1484	taskhost.exe
816	taskhost.exe
1080	taskhost.exe

Drops file in Program Files directory 14 IoCs

Processes:

3d1551fcb92caa336745b275ea357187.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft Office\6203df4a6bafc7	3d1551fcb92caa336745b275ea357187.exe
File created	C:\Program Files\Java\jre7\csrss.exe	3d1551fcb92caa336745b275ea357187.exe
File created	C:\Program Files\Java\jre7\886983d96e3d3e	3d1551fcb92caa336745b275ea357187.exe
File created	C:\Program Files\Windows Photo Viewer\cc11b995f2a76d	3d1551fcb92caa336745b275ea357187.exe
File created	C:\Program Files\Java\jre7\bin\dtplugin\b75386f1303e64	3d1551fcb92caa336745b275ea357187.exe
File created	C:\Program Files\Microsoft Office\Office14\smss.exe	3d1551fcb92caa336745b275ea357187.exe
File created	C:\Program Files (x86)\Windows Defender\en-US\spoolsv.exe	3d1551fcb92caa336745b275ea357187.exe
File created	C:\Program Files (x86)\Microsoft Office\lsass.exe	3d1551fcb92caa336745b275ea357187.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\6d9401f6ac4d67	3d1551fcb92caa336745b275ea357187.exe
File created	C:\Program Files\Windows Photo Viewer\winlogon.exe	3d1551fcb92caa336745b275ea357187.exe
File created	C:\Program Files\Java\jre7\bin\dtplugin\taskhost.exe	3d1551fcb92caa336745b275ea357187.exe
File created	C:\Program Files\Microsoft Office\Office14\69ddcba757bf72	3d1551fcb92caa336745b275ea357187.exe
File created	C:\Program Files (x86)\Windows Defender\en-US\f3b6ecef712a24	3d1551fcb92caa336745b275ea357187.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\3d1551fcb92caa336745b275ea357187.exe	3d1551fcb92caa336745b275ea357187.exe

Drops file in Windows directory 9 IoCs

Processes:

3d1551fcb92caa336745b275ea357187.exe

description	ioc	process
File created	C:\Windows\system\wininit.exe	3d1551fcb92caa336745b275ea357187.exe
File created	C:\Windows\RemotePackages\RemoteApps\explorer.exe	3d1551fcb92caa336745b275ea357187.exe
File created	C:\Windows\Web\Wallpaper\27d1bcfc3c54e0	3d1551fcb92caa336745b275ea357187.exe
File created	C:\Windows\Web\cc11b995f2a76d	3d1551fcb92caa336745b275ea357187.exe
File created	C:\Windows\servicing\es-ES\Idle.exe	3d1551fcb92caa336745b275ea357187.exe
File created	C:\Windows\system\56085415360792	3d1551fcb92caa336745b275ea357187.exe
File created	C:\Windows\RemotePackages\RemoteApps\7a0fd90576e088	3d1551fcb92caa336745b275ea357187.exe
File created	C:\Windows\Web\Wallpaper\System.exe	3d1551fcb92caa336745b275ea357187.exe
File created	C:\Windows\Web\winlogon.exe	3d1551fcb92caa336745b275ea357187.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
520	schtasks.exe
1872	schtasks.exe
1372	schtasks.exe
1088	schtasks.exe
1292	schtasks.exe
1364	schtasks.exe
1860	schtasks.exe
1088	schtasks.exe
2008	schtasks.exe
280	schtasks.exe
864	schtasks.exe
1696	schtasks.exe
1544	schtasks.exe
1132	schtasks.exe
1064	schtasks.exe
1368	schtasks.exe
2020	schtasks.exe
568	schtasks.exe
1680	schtasks.exe
1796	schtasks.exe
1644	schtasks.exe
1636	schtasks.exe
1748	schtasks.exe
1948	schtasks.exe
1804	schtasks.exe
1744	schtasks.exe
760	schtasks.exe
1912	schtasks.exe
1600	schtasks.exe
1740	schtasks.exe
856	schtasks.exe
536	schtasks.exe
108	schtasks.exe
564	schtasks.exe
948	schtasks.exe
636	schtasks.exe
1484	schtasks.exe
1516	schtasks.exe
1544	schtasks.exe
1128	schtasks.exe
612	schtasks.exe
468	schtasks.exe
1784	schtasks.exe
920	schtasks.exe
1816	schtasks.exe
1056	schtasks.exe
988	schtasks.exe
1368	schtasks.exe
1784	schtasks.exe
1116	schtasks.exe
1080	schtasks.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

3d1551fcb92caa336745b275ea357187.exe3d1551fcb92caa336745b275ea357187.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exe

pid	process
1584	3d1551fcb92caa336745b275ea357187.exe
1968	3d1551fcb92caa336745b275ea357187.exe
1968	3d1551fcb92caa336745b275ea357187.exe
1968	3d1551fcb92caa336745b275ea357187.exe
600	taskhost.exe
1992	taskhost.exe
536	taskhost.exe
1884	taskhost.exe
1484	taskhost.exe
816	taskhost.exe
1080	taskhost.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

3d1551fcb92caa336745b275ea357187.exe3d1551fcb92caa336745b275ea357187.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exe

description	pid	process
Token: SeDebugPrivilege	1584	3d1551fcb92caa336745b275ea357187.exe
Token: SeDebugPrivilege	1968	3d1551fcb92caa336745b275ea357187.exe
Token: SeDebugPrivilege	600	taskhost.exe
Token: SeDebugPrivilege	1992	taskhost.exe
Token: SeDebugPrivilege	536	taskhost.exe
Token: SeDebugPrivilege	1884	taskhost.exe
Token: SeDebugPrivilege	1484	taskhost.exe
Token: SeDebugPrivilege	816	taskhost.exe
Token: SeDebugPrivilege	1080	taskhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3d1551fcb92caa336745b275ea357187.execmd.exe3d1551fcb92caa336745b275ea357187.execmd.exetaskhost.exeWScript.exetaskhost.exeWScript.exetaskhost.exeWScript.exetaskhost.exeWScript.exetaskhost.exeWScript.exetaskhost.exe

description	pid	process	target process
PID 1584 wrote to memory of 1364	1584	3d1551fcb92caa336745b275ea357187.exe	cmd.exe
PID 1584 wrote to memory of 1364	1584	3d1551fcb92caa336745b275ea357187.exe	cmd.exe
PID 1584 wrote to memory of 1364	1584	3d1551fcb92caa336745b275ea357187.exe	cmd.exe
PID 1364 wrote to memory of 656	1364	cmd.exe	w32tm.exe
PID 1364 wrote to memory of 656	1364	cmd.exe	w32tm.exe
PID 1364 wrote to memory of 656	1364	cmd.exe	w32tm.exe
PID 1364 wrote to memory of 1968	1364	cmd.exe	3d1551fcb92caa336745b275ea357187.exe
PID 1364 wrote to memory of 1968	1364	cmd.exe	3d1551fcb92caa336745b275ea357187.exe
PID 1364 wrote to memory of 1968	1364	cmd.exe	3d1551fcb92caa336745b275ea357187.exe
PID 1968 wrote to memory of 1608	1968	3d1551fcb92caa336745b275ea357187.exe	cmd.exe
PID 1968 wrote to memory of 1608	1968	3d1551fcb92caa336745b275ea357187.exe	cmd.exe
PID 1968 wrote to memory of 1608	1968	3d1551fcb92caa336745b275ea357187.exe	cmd.exe
PID 1608 wrote to memory of 1064	1608	cmd.exe	w32tm.exe
PID 1608 wrote to memory of 1064	1608	cmd.exe	w32tm.exe
PID 1608 wrote to memory of 1064	1608	cmd.exe	w32tm.exe
PID 1608 wrote to memory of 600	1608	cmd.exe	taskhost.exe
PID 1608 wrote to memory of 600	1608	cmd.exe	taskhost.exe
PID 1608 wrote to memory of 600	1608	cmd.exe	taskhost.exe
PID 600 wrote to memory of 1088	600	taskhost.exe	WScript.exe
PID 600 wrote to memory of 1088	600	taskhost.exe	WScript.exe
PID 600 wrote to memory of 1088	600	taskhost.exe	WScript.exe
PID 600 wrote to memory of 636	600	taskhost.exe	WScript.exe
PID 600 wrote to memory of 636	600	taskhost.exe	WScript.exe
PID 600 wrote to memory of 636	600	taskhost.exe	WScript.exe
PID 1088 wrote to memory of 1992	1088	WScript.exe	taskhost.exe
PID 1088 wrote to memory of 1992	1088	WScript.exe	taskhost.exe
PID 1088 wrote to memory of 1992	1088	WScript.exe	taskhost.exe
PID 1992 wrote to memory of 1784	1992	taskhost.exe	WScript.exe
PID 1992 wrote to memory of 1784	1992	taskhost.exe	WScript.exe
PID 1992 wrote to memory of 1784	1992	taskhost.exe	WScript.exe
PID 1992 wrote to memory of 1764	1992	taskhost.exe	WScript.exe
PID 1992 wrote to memory of 1764	1992	taskhost.exe	WScript.exe
PID 1992 wrote to memory of 1764	1992	taskhost.exe	WScript.exe
PID 1784 wrote to memory of 536	1784	WScript.exe	taskhost.exe
PID 1784 wrote to memory of 536	1784	WScript.exe	taskhost.exe
PID 1784 wrote to memory of 536	1784	WScript.exe	taskhost.exe
PID 536 wrote to memory of 600	536	taskhost.exe	WScript.exe
PID 536 wrote to memory of 600	536	taskhost.exe	WScript.exe
PID 536 wrote to memory of 600	536	taskhost.exe	WScript.exe
PID 536 wrote to memory of 1604	536	taskhost.exe	WScript.exe
PID 536 wrote to memory of 1604	536	taskhost.exe	WScript.exe
PID 536 wrote to memory of 1604	536	taskhost.exe	WScript.exe
PID 600 wrote to memory of 1884	600	WScript.exe	taskhost.exe
PID 600 wrote to memory of 1884	600	WScript.exe	taskhost.exe
PID 600 wrote to memory of 1884	600	WScript.exe	taskhost.exe
PID 1884 wrote to memory of 2036	1884	taskhost.exe	WScript.exe
PID 1884 wrote to memory of 2036	1884	taskhost.exe	WScript.exe
PID 1884 wrote to memory of 2036	1884	taskhost.exe	WScript.exe
PID 1884 wrote to memory of 512	1884	taskhost.exe	WScript.exe
PID 1884 wrote to memory of 512	1884	taskhost.exe	WScript.exe
PID 1884 wrote to memory of 512	1884	taskhost.exe	WScript.exe
PID 2036 wrote to memory of 1484	2036	WScript.exe	taskhost.exe
PID 2036 wrote to memory of 1484	2036	WScript.exe	taskhost.exe
PID 2036 wrote to memory of 1484	2036	WScript.exe	taskhost.exe
PID 1484 wrote to memory of 2044	1484	taskhost.exe	WScript.exe
PID 1484 wrote to memory of 2044	1484	taskhost.exe	WScript.exe
PID 1484 wrote to memory of 2044	1484	taskhost.exe	WScript.exe
PID 1484 wrote to memory of 1672	1484	taskhost.exe	WScript.exe
PID 1484 wrote to memory of 1672	1484	taskhost.exe	WScript.exe
PID 1484 wrote to memory of 1672	1484	taskhost.exe	WScript.exe
PID 2044 wrote to memory of 816	2044	WScript.exe	taskhost.exe
PID 2044 wrote to memory of 816	2044	WScript.exe	taskhost.exe
PID 2044 wrote to memory of 816	2044	WScript.exe	taskhost.exe
PID 816 wrote to memory of 1488	816	taskhost.exe	WScript.exe

C:\Users\Admin\AppData\Local\Temp\3d1551fcb92caa336745b275ea357187.exe
"C:\Users\Admin\AppData\Local\Temp\3d1551fcb92caa336745b275ea357187.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1584

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GU7tWfSH3L.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:1364

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
3⤵
PID:656

C:\Users\Admin\AppData\Local\Temp\3d1551fcb92caa336745b275ea357187.exe
"C:\Users\Admin\AppData\Local\Temp\3d1551fcb92caa336745b275ea357187.exe"
3⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1968

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6xYfwFNBoa.bat"
4⤵
- Suspicious use of WriteProcessMemory
PID:1608

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
5⤵
PID:1064

C:\Program Files\Java\jre7\bin\dtplugin\taskhost.exe
"C:\Program Files\Java\jre7\bin\dtplugin\taskhost.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:600

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f830441c-04d4-407f-9b80-b4068f2f11f9.vbs"
6⤵
- Suspicious use of WriteProcessMemory
PID:1088

C:\Program Files\Java\jre7\bin\dtplugin\taskhost.exe
"C:\Program Files\Java\jre7\bin\dtplugin\taskhost.exe"
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1992

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1927ea0b-2e98-45c8-a8c4-d9991b61d264.vbs"
8⤵
- Suspicious use of WriteProcessMemory
PID:1784

C:\Program Files\Java\jre7\bin\dtplugin\taskhost.exe
"C:\Program Files\Java\jre7\bin\dtplugin\taskhost.exe"
9⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:536

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c7c866e5-def2-454c-9b56-e3dfaeae61b0.vbs"
10⤵
- Suspicious use of WriteProcessMemory
PID:600

C:\Program Files\Java\jre7\bin\dtplugin\taskhost.exe
"C:\Program Files\Java\jre7\bin\dtplugin\taskhost.exe"
11⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1884

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a39461c7-a4d7-4256-842b-5aacefcb26e2.vbs"
12⤵
- Suspicious use of WriteProcessMemory
PID:2036

C:\Program Files\Java\jre7\bin\dtplugin\taskhost.exe
"C:\Program Files\Java\jre7\bin\dtplugin\taskhost.exe"
13⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1484

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b914f7dc-daaa-49dc-8d4f-98c589f621d4.vbs"
14⤵
- Suspicious use of WriteProcessMemory
PID:2044

C:\Program Files\Java\jre7\bin\dtplugin\taskhost.exe
"C:\Program Files\Java\jre7\bin\dtplugin\taskhost.exe"
15⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:816

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eb7f7a44-875c-479e-96a9-5a3a80d3e305.vbs"
16⤵
PID:1488

C:\Program Files\Java\jre7\bin\dtplugin\taskhost.exe
"C:\Program Files\Java\jre7\bin\dtplugin\taskhost.exe"
17⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1080

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\187e53fe-1b12-4804-aca0-25c11d3ab551.vbs"
18⤵
PID:904

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\66698ff9-b082-4689-88a9-38dc06dc2759.vbs"
18⤵
PID:996

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b421156d-4988-494d-b007-0903ab74c358.vbs"
16⤵
PID:580

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8968e4fc-07ff-42c1-8dba-529786098bab.vbs"
14⤵
PID:1672

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d4688943-6e4c-4c76-b928-0ca49fe45b89.vbs"
12⤵
PID:512

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9d8e4134-7ee5-4fd1-89b4-44b9a50c7be8.vbs"
10⤵
PID:1604

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\366e6350-554d-4bbc-862f-c8f38109a9b7.vbs"
8⤵
PID:1764

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d63a4818-878b-49b7-8b21-90eee863bfc9.vbs"
6⤵
PID:636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Recovery\d6223342-1a8a-11ed-b209-a59dca5554ed\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\d6223342-1a8a-11ed-b209-a59dca5554ed\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Recovery\d6223342-1a8a-11ed-b209-a59dca5554ed\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Recovery\d6223342-1a8a-11ed-b209-a59dca5554ed\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\d6223342-1a8a-11ed-b209-a59dca5554ed\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Recovery\d6223342-1a8a-11ed-b209-a59dca5554ed\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Recovery\d6223342-1a8a-11ed-b209-a59dca5554ed\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\d6223342-1a8a-11ed-b209-a59dca5554ed\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Recovery\d6223342-1a8a-11ed-b209-a59dca5554ed\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Program Files\Java\jre7\bin\dtplugin\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\bin\dtplugin\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\jre7\bin\dtplugin\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office\Office14\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office\Office14\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Defender\en-US\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\en-US\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\en-US\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Windows\system\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\system\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Windows\system\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Windows\RemotePackages\RemoteApps\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\RemotePackages\RemoteApps\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Windows\RemotePackages\RemoteApps\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Windows\Web\Wallpaper\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Web\Wallpaper\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Windows\Web\Wallpaper\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Office\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Office\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "3d1551fcb92caa336745b275ea3571873" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\3d1551fcb92caa336745b275ea357187.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "3d1551fcb92caa336745b275ea357187" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\3d1551fcb92caa336745b275ea357187.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "3d1551fcb92caa336745b275ea3571873" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\3d1551fcb92caa336745b275ea357187.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Recovery\d6223342-1a8a-11ed-b209-a59dca5554ed\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\d6223342-1a8a-11ed-b209-a59dca5554ed\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Recovery\d6223342-1a8a-11ed-b209-a59dca5554ed\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\jre7\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Java\jre7\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Photo Viewer\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Photo Viewer\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Windows\Web\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Web\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Windows\Web\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:920

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jre7\bin\dtplugin\taskhost.exe
Filesize
2.7MB

MD5
3d1551fcb92caa336745b275ea357187

SHA1
38b8fe4cee22237d34cf27974edd82d1105c6bac

SHA256
946714fa944cab2d100b25b5ce8dc8ae20d1d9a27c3e9c67ee2cd18d862d03af

SHA512
b4d40905d2115ebc614b0b11a15f8b740040b4bebcc973e7d44dbddc58c6034f854e201b870c538f575c45b14935b2bde8e4ba58eb9043098788660ed2b35f0a

Download Submit
C:\Program Files\Java\jre7\bin\dtplugin\taskhost.exe
Filesize
2.7MB

MD5
3d1551fcb92caa336745b275ea357187

SHA1
38b8fe4cee22237d34cf27974edd82d1105c6bac

SHA256
946714fa944cab2d100b25b5ce8dc8ae20d1d9a27c3e9c67ee2cd18d862d03af

SHA512
b4d40905d2115ebc614b0b11a15f8b740040b4bebcc973e7d44dbddc58c6034f854e201b870c538f575c45b14935b2bde8e4ba58eb9043098788660ed2b35f0a

Download Submit
C:\Program Files\Java\jre7\bin\dtplugin\taskhost.exe
Filesize
2.7MB

MD5
3d1551fcb92caa336745b275ea357187

SHA1
38b8fe4cee22237d34cf27974edd82d1105c6bac

SHA256
946714fa944cab2d100b25b5ce8dc8ae20d1d9a27c3e9c67ee2cd18d862d03af

SHA512
b4d40905d2115ebc614b0b11a15f8b740040b4bebcc973e7d44dbddc58c6034f854e201b870c538f575c45b14935b2bde8e4ba58eb9043098788660ed2b35f0a

Download Submit
C:\Program Files\Java\jre7\bin\dtplugin\taskhost.exe
Filesize
2.7MB

MD5
3d1551fcb92caa336745b275ea357187

SHA1
38b8fe4cee22237d34cf27974edd82d1105c6bac

SHA256
946714fa944cab2d100b25b5ce8dc8ae20d1d9a27c3e9c67ee2cd18d862d03af

SHA512
b4d40905d2115ebc614b0b11a15f8b740040b4bebcc973e7d44dbddc58c6034f854e201b870c538f575c45b14935b2bde8e4ba58eb9043098788660ed2b35f0a

Download Submit
C:\Program Files\Java\jre7\bin\dtplugin\taskhost.exe
Filesize
2.7MB

MD5
3d1551fcb92caa336745b275ea357187

SHA1
38b8fe4cee22237d34cf27974edd82d1105c6bac

SHA256
946714fa944cab2d100b25b5ce8dc8ae20d1d9a27c3e9c67ee2cd18d862d03af

SHA512
b4d40905d2115ebc614b0b11a15f8b740040b4bebcc973e7d44dbddc58c6034f854e201b870c538f575c45b14935b2bde8e4ba58eb9043098788660ed2b35f0a

Download Submit
C:\Program Files\Java\jre7\bin\dtplugin\taskhost.exe
Filesize
2.7MB

MD5
3d1551fcb92caa336745b275ea357187

SHA1
38b8fe4cee22237d34cf27974edd82d1105c6bac

SHA256
946714fa944cab2d100b25b5ce8dc8ae20d1d9a27c3e9c67ee2cd18d862d03af

SHA512
b4d40905d2115ebc614b0b11a15f8b740040b4bebcc973e7d44dbddc58c6034f854e201b870c538f575c45b14935b2bde8e4ba58eb9043098788660ed2b35f0a

Download Submit
C:\Program Files\Java\jre7\bin\dtplugin\taskhost.exe
Filesize
2.7MB

MD5
3d1551fcb92caa336745b275ea357187

SHA1
38b8fe4cee22237d34cf27974edd82d1105c6bac

SHA256
946714fa944cab2d100b25b5ce8dc8ae20d1d9a27c3e9c67ee2cd18d862d03af

SHA512
b4d40905d2115ebc614b0b11a15f8b740040b4bebcc973e7d44dbddc58c6034f854e201b870c538f575c45b14935b2bde8e4ba58eb9043098788660ed2b35f0a

Download Submit
C:\Program Files\Java\jre7\bin\dtplugin\taskhost.exe
Filesize
2.7MB

MD5
3d1551fcb92caa336745b275ea357187

SHA1
38b8fe4cee22237d34cf27974edd82d1105c6bac

SHA256
946714fa944cab2d100b25b5ce8dc8ae20d1d9a27c3e9c67ee2cd18d862d03af

SHA512
b4d40905d2115ebc614b0b11a15f8b740040b4bebcc973e7d44dbddc58c6034f854e201b870c538f575c45b14935b2bde8e4ba58eb9043098788660ed2b35f0a

Download Submit
C:\Recovery\d6223342-1a8a-11ed-b209-a59dca5554ed\56085415360792
Filesize
616B

MD5
a82e7b6ba08861839d33dee730d7a123

SHA1
28b364816a36c38d35d272ea264dc6eb1e4b61ad

SHA256
cabd7758f7628b16efa35f867dff7ec82d95a10c31f110f4079026627e4dd5ca

SHA512
00e9cf3012cbccc7249eb7e5d8ec9a51be11806e652f0e36ea8aad30b784e84c58f0db127ee3f13ccb3b821516acd8a2c247049bfe9c07ac8b19c8f58b32de0e

Download Submit
C:\Recovery\d6223342-1a8a-11ed-b209-a59dca5554ed\wininit.exe
Filesize
2.7MB

MD5
3d1551fcb92caa336745b275ea357187

SHA1
38b8fe4cee22237d34cf27974edd82d1105c6bac

SHA256
946714fa944cab2d100b25b5ce8dc8ae20d1d9a27c3e9c67ee2cd18d862d03af

SHA512
b4d40905d2115ebc614b0b11a15f8b740040b4bebcc973e7d44dbddc58c6034f854e201b870c538f575c45b14935b2bde8e4ba58eb9043098788660ed2b35f0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\187e53fe-1b12-4804-aca0-25c11d3ab551.vbs
Filesize
728B

MD5
a0338ad75392f646a2a9522b372dfbda

SHA1
b7584bf741a56ce4d89d85b5106d25aaa79bdc8a

SHA256
c39ce6d80dd394052c7ce0bddb676170b328c59920e1733edac80186c2b899f4

SHA512
9d8e474849dfb59960c0f83d98bb2dc18c0bba2b3849726eb593d3dfb686e57582a50a7ed80a19f566de2c1b4611acd9dafa39ee7bd5ac374f1ce7b70f2ae79d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1927ea0b-2e98-45c8-a8c4-d9991b61d264.vbs
Filesize
728B

MD5
107b4d76d95316431b67cdfc94f57cd7

SHA1
c1524b2c6591f3e1e9d42955b7771820b2bb3957

SHA256
282ba4a3d22505cbf1878704f293c056e4acce296a5b12cd2045a3c08255a5a3

SHA512
a0192fbb21c3fcfc0f15a59b0c6a7a78c0a0c0c7d23b6345582a77baa9640393b674ca9b68881ef2c80cca35842113dfebddca5ffdf0a64ac19d494184a24a8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\366e6350-554d-4bbc-862f-c8f38109a9b7.vbs
Filesize
504B

MD5
636229a87915abafe5da7e329d9342f4

SHA1
71cd33833497f7d53f0be33782ce6b3025f094a5

SHA256
095b7238c7701f373f879a52b66fcc4d824cfb87ab15d4d73f553c8a55103363

SHA512
b9ce6f84b2a478392ba76d24026d7483298004b5d8c4a9331a17dd5a90e46294c3166808b30cd9ec18890e98e80a918444d41b0f8f69954af79f296355562fbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\413c65e0484930941e093e55cfc74e39d4a53fc1.exe
Filesize
2.7MB

MD5
3d1551fcb92caa336745b275ea357187

SHA1
38b8fe4cee22237d34cf27974edd82d1105c6bac

SHA256
946714fa944cab2d100b25b5ce8dc8ae20d1d9a27c3e9c67ee2cd18d862d03af

SHA512
b4d40905d2115ebc614b0b11a15f8b740040b4bebcc973e7d44dbddc58c6034f854e201b870c538f575c45b14935b2bde8e4ba58eb9043098788660ed2b35f0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\413c65e0484930941e093e55cfc74e39d4a53fc1.exe
Filesize
2.7MB

MD5
3d1551fcb92caa336745b275ea357187

SHA1
38b8fe4cee22237d34cf27974edd82d1105c6bac

SHA256
946714fa944cab2d100b25b5ce8dc8ae20d1d9a27c3e9c67ee2cd18d862d03af

SHA512
b4d40905d2115ebc614b0b11a15f8b740040b4bebcc973e7d44dbddc58c6034f854e201b870c538f575c45b14935b2bde8e4ba58eb9043098788660ed2b35f0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\413c65e0484930941e093e55cfc74e39d4a53fc1.exe
Filesize
2.7MB

MD5
3d1551fcb92caa336745b275ea357187

SHA1
38b8fe4cee22237d34cf27974edd82d1105c6bac

SHA256
946714fa944cab2d100b25b5ce8dc8ae20d1d9a27c3e9c67ee2cd18d862d03af

SHA512
b4d40905d2115ebc614b0b11a15f8b740040b4bebcc973e7d44dbddc58c6034f854e201b870c538f575c45b14935b2bde8e4ba58eb9043098788660ed2b35f0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\413c65e0484930941e093e55cfc74e39d4a53fc1.exe
Filesize
2.7MB

MD5
3d1551fcb92caa336745b275ea357187

SHA1
38b8fe4cee22237d34cf27974edd82d1105c6bac

SHA256
946714fa944cab2d100b25b5ce8dc8ae20d1d9a27c3e9c67ee2cd18d862d03af

SHA512
b4d40905d2115ebc614b0b11a15f8b740040b4bebcc973e7d44dbddc58c6034f854e201b870c538f575c45b14935b2bde8e4ba58eb9043098788660ed2b35f0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\413c65e0484930941e093e55cfc74e39d4a53fc1.exe
Filesize
2.7MB

MD5
3d1551fcb92caa336745b275ea357187

SHA1
38b8fe4cee22237d34cf27974edd82d1105c6bac

SHA256
946714fa944cab2d100b25b5ce8dc8ae20d1d9a27c3e9c67ee2cd18d862d03af

SHA512
b4d40905d2115ebc614b0b11a15f8b740040b4bebcc973e7d44dbddc58c6034f854e201b870c538f575c45b14935b2bde8e4ba58eb9043098788660ed2b35f0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\413c65e0484930941e093e55cfc74e39d4a53fc1.exe
Filesize
2.7MB

MD5
3d1551fcb92caa336745b275ea357187

SHA1
38b8fe4cee22237d34cf27974edd82d1105c6bac

SHA256
946714fa944cab2d100b25b5ce8dc8ae20d1d9a27c3e9c67ee2cd18d862d03af

SHA512
b4d40905d2115ebc614b0b11a15f8b740040b4bebcc973e7d44dbddc58c6034f854e201b870c538f575c45b14935b2bde8e4ba58eb9043098788660ed2b35f0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\66698ff9-b082-4689-88a9-38dc06dc2759.vbs
Filesize
504B

MD5
636229a87915abafe5da7e329d9342f4

SHA1
71cd33833497f7d53f0be33782ce6b3025f094a5

SHA256
095b7238c7701f373f879a52b66fcc4d824cfb87ab15d4d73f553c8a55103363

SHA512
b9ce6f84b2a478392ba76d24026d7483298004b5d8c4a9331a17dd5a90e46294c3166808b30cd9ec18890e98e80a918444d41b0f8f69954af79f296355562fbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\6xYfwFNBoa.bat
Filesize
217B

MD5
49a693f67fa27e38bb9618f1b93396a1

SHA1
7c334c511363519a3deaafbc39aef0eabf20bbdb

SHA256
780a8d7371bc0f38ec9de8f9571ea180064fd214772906a4b51ba56c344c1d04

SHA512
1fde0fad642000794e96151f75968bcd822973cf882faaf155d9b411658837edee7fecebcad7aab222d51a97f50ecf1d4b7615b1c7bf08364b01b8be8780478f

Download Submit
C:\Users\Admin\AppData\Local\Temp\8968e4fc-07ff-42c1-8dba-529786098bab.vbs
Filesize
504B

MD5
636229a87915abafe5da7e329d9342f4

SHA1
71cd33833497f7d53f0be33782ce6b3025f094a5

SHA256
095b7238c7701f373f879a52b66fcc4d824cfb87ab15d4d73f553c8a55103363

SHA512
b9ce6f84b2a478392ba76d24026d7483298004b5d8c4a9331a17dd5a90e46294c3166808b30cd9ec18890e98e80a918444d41b0f8f69954af79f296355562fbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\9d8e4134-7ee5-4fd1-89b4-44b9a50c7be8.vbs
Filesize
504B

MD5
636229a87915abafe5da7e329d9342f4

SHA1
71cd33833497f7d53f0be33782ce6b3025f094a5

SHA256
095b7238c7701f373f879a52b66fcc4d824cfb87ab15d4d73f553c8a55103363

SHA512
b9ce6f84b2a478392ba76d24026d7483298004b5d8c4a9331a17dd5a90e46294c3166808b30cd9ec18890e98e80a918444d41b0f8f69954af79f296355562fbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\GU7tWfSH3L.bat
Filesize
235B

MD5
8584658b1f7ab86653d7948eea9ece44

SHA1
ad55affd2f88f157d1e9ef9b427c552df84987e0

SHA256
456d36b7c1521166d467243e214c75e06f232622f87c8c88904d9ccb7a60adac

SHA512
adcce138578ddfaea5f78dccad363a014ed0afb0fe8b725512544a296af87330fd8fec97a54ed676254cbe44e8dc990f0352cd36705859844259ac3a608dd90a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a39461c7-a4d7-4256-842b-5aacefcb26e2.vbs
Filesize
728B

MD5
9717ce135d83f1b5242a38d2307519b5

SHA1
e757e78489fc2f6f5da5e94fd034f1b827433374

SHA256
c5c0f05a37d4e70b5fa6e0bafe3d29e63517f95aa0cb22f141462e5e51552461

SHA512
abf9f5c41077737a794e1637749a15fd964bfefc3ec6b3273c5c28244766d3f36e93651eefd6b0d89af077a46dda06eab18bc44455f498a798a9a6984481fe17

Download Submit
C:\Users\Admin\AppData\Local\Temp\b421156d-4988-494d-b007-0903ab74c358.vbs
Filesize
504B

MD5
636229a87915abafe5da7e329d9342f4

SHA1
71cd33833497f7d53f0be33782ce6b3025f094a5

SHA256
095b7238c7701f373f879a52b66fcc4d824cfb87ab15d4d73f553c8a55103363

SHA512
b9ce6f84b2a478392ba76d24026d7483298004b5d8c4a9331a17dd5a90e46294c3166808b30cd9ec18890e98e80a918444d41b0f8f69954af79f296355562fbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\b914f7dc-daaa-49dc-8d4f-98c589f621d4.vbs
Filesize
728B

MD5
024afd71d589f7c21ca7cbb57fa8e69b

SHA1
174cba76a0b62eaff1f1b7d32b217c2b2d270fa8

SHA256
362c114359e4a6e9f9dc00c0751378f3c0be4eb0d8e2b6d7ce227e603430b282

SHA512
4490093fd7dff8eab85e30155b3c9556d4122f098633c7f5939c49557a54319c32a1b9afb294aae58cfaebfc76c461f665b4d283a4a8ad18cd24506e26a7004f

Download Submit
C:\Users\Admin\AppData\Local\Temp\c7c866e5-def2-454c-9b56-e3dfaeae61b0.vbs
Filesize
727B

MD5
79cb12116adb2c456df4421d21c16199

SHA1
a3d4e07b418b50148f13bebe693d554678c570bd

SHA256
8213135ad956d45ed6eb1eb043630467b2e613cde0b2d570bc9d2d686547ae59

SHA512
b78e514fb426bd7c0b888fd60e0e29bc7a507c594df86820284d5d9ebdf4e78f1641c04e3bde542b73c448b0575f574fa304f20ab654b6e4fcec1eccce7a7d49

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4688943-6e4c-4c76-b928-0ca49fe45b89.vbs
Filesize
504B

MD5
636229a87915abafe5da7e329d9342f4

SHA1
71cd33833497f7d53f0be33782ce6b3025f094a5

SHA256
095b7238c7701f373f879a52b66fcc4d824cfb87ab15d4d73f553c8a55103363

SHA512
b9ce6f84b2a478392ba76d24026d7483298004b5d8c4a9331a17dd5a90e46294c3166808b30cd9ec18890e98e80a918444d41b0f8f69954af79f296355562fbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\d63a4818-878b-49b7-8b21-90eee863bfc9.vbs
Filesize
504B

MD5
636229a87915abafe5da7e329d9342f4

SHA1
71cd33833497f7d53f0be33782ce6b3025f094a5

SHA256
095b7238c7701f373f879a52b66fcc4d824cfb87ab15d4d73f553c8a55103363

SHA512
b9ce6f84b2a478392ba76d24026d7483298004b5d8c4a9331a17dd5a90e46294c3166808b30cd9ec18890e98e80a918444d41b0f8f69954af79f296355562fbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\eb7f7a44-875c-479e-96a9-5a3a80d3e305.vbs
Filesize
727B

MD5
e13d39022b60589dbf361aa71b4280b4

SHA1
1097de87e8b1f431dd724b978a5a9c8d44bef86b

SHA256
f7d3ba4a3699d62c02360d9de8d0c278e789438d7f79bdab7f9698320a256ebd

SHA512
cb87007029ec71ca76e48fb72542b76289849d7dc35663b1edcb2de1ac06799a6fd088f73a3c6c9d5174ae7b67c0d34d4b02aa187de5e5733a5ff22a3733c42a

Download Submit
C:\Users\Admin\AppData\Local\Temp\f830441c-04d4-407f-9b80-b4068f2f11f9.vbs
Filesize
727B

MD5
0918d5762ad4a5aced0bf65e1a1af70d

SHA1
1fe0fd86621a1fe6f0e4aa251b601270dfecc89f

SHA256
a3afe69a07ab041b428f1d9808f72d2344f6f508d644daf1e25dc75f661b6784

SHA512
c9900ae70d5896e91cc9e475023f25db2b4ecccb5c05b5875b0ecb7a1a96ece9e5a480f47e802c880d735ec6da9c4d8ac75f9352c24f23766579e9a3adf16dfb

Download Submit
memory/512-105-0x0000000000000000-mapping.dmp

Download
memory/536-95-0x0000000001260000-0x000000000151E000-memory.dmp

Filesize
2.7MB

Download
memory/536-93-0x0000000000000000-mapping.dmp

Download
memory/580-120-0x0000000000000000-mapping.dmp

Download
memory/600-96-0x0000000000000000-mapping.dmp

Download
memory/600-80-0x0000000000FA0000-0x000000000125E000-memory.dmp

Filesize
2.7MB

Download
memory/600-77-0x0000000000000000-mapping.dmp

Download
memory/636-82-0x0000000000000000-mapping.dmp

Download
memory/656-68-0x0000000000000000-mapping.dmp

Download
memory/816-117-0x00000000012B0000-0x000000000156E000-memory.dmp

Filesize
2.7MB

Download
memory/816-115-0x0000000000000000-mapping.dmp

Download
memory/904-125-0x0000000000000000-mapping.dmp

Download
memory/996-127-0x0000000000000000-mapping.dmp

Download
memory/1064-76-0x0000000000000000-mapping.dmp

Download
memory/1080-123-0x0000000000000000-mapping.dmp

Download
memory/1088-81-0x0000000000000000-mapping.dmp

Download
memory/1364-66-0x0000000000000000-mapping.dmp

Download
memory/1484-108-0x0000000000000000-mapping.dmp

Download
memory/1488-118-0x0000000000000000-mapping.dmp

Download
memory/1584-65-0x000000001ACF0000-0x000000001ACFA000-memory.dmp

Filesize
40KB

Download
memory/1584-61-0x000000001A770000-0x000000001A778000-memory.dmp

Filesize
32KB

Download
memory/1584-54-0x0000000000C30000-0x0000000000EEE000-memory.dmp

Filesize
2.7MB

Download
memory/1584-63-0x000000001ACD0000-0x000000001ACDA000-memory.dmp

Filesize
40KB

Download
memory/1584-58-0x0000000000450000-0x0000000000458000-memory.dmp

Filesize
32KB

Download
memory/1584-55-0x000000001B460000-0x000000001B568000-memory.dmp

Filesize
1.0MB

Download
memory/1584-59-0x0000000000C20000-0x0000000000C30000-memory.dmp

Filesize
64KB

Download
memory/1584-60-0x0000000000C10000-0x0000000000C1C000-memory.dmp

Filesize
48KB

Download
memory/1584-64-0x000000001ACE0000-0x000000001ACEE000-memory.dmp

Filesize
56KB

Download
memory/1584-56-0x0000000000410000-0x000000000042C000-memory.dmp

Filesize
112KB

Download
memory/1584-62-0x000000001A780000-0x000000001A792000-memory.dmp

Filesize
72KB

Download
memory/1584-57-0x0000000000430000-0x0000000000446000-memory.dmp

Filesize
88KB

Download
memory/1604-99-0x0000000000000000-mapping.dmp

Download
memory/1608-74-0x0000000000000000-mapping.dmp

Download
memory/1672-112-0x0000000000000000-mapping.dmp

Download
memory/1764-91-0x0000000000000000-mapping.dmp

Download
memory/1784-88-0x0000000000000000-mapping.dmp

Download
memory/1884-101-0x0000000000000000-mapping.dmp

Download
memory/1968-70-0x00000000001C0000-0x000000000047E000-memory.dmp

Filesize
2.7MB

Download
memory/1968-71-0x0000000000730000-0x0000000000742000-memory.dmp

Filesize
72KB

Download
memory/1968-69-0x0000000000000000-mapping.dmp

Download
memory/1992-87-0x00000000002F0000-0x00000000005AE000-memory.dmp

Filesize
2.7MB

Download
memory/1992-85-0x0000000000000000-mapping.dmp

Download
memory/2036-103-0x0000000000000000-mapping.dmp

Download
memory/2044-110-0x0000000000000000-mapping.dmp

Download