dcrat | 205a268df3453caa7a5142d358ccca54cd997291a026d5230cc7c9a8a455d29b

Analysis

max time kernel
149s
max time network
148s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
31-10-2022 19:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

205a268df3453caa7a5142d358ccca54cd997291a026d5230cc7c9a8a455d29b.exe
Size

1.3MB
MD5

3ccd8afabfe4111be39ddaca7afde3d1
SHA1

2849020b5cc5ec45861c47707856f259ba11a7b0
SHA256

205a268df3453caa7a5142d358ccca54cd997291a026d5230cc7c9a8a455d29b
SHA512

b9fbf467c02c1ae4df6daa2d80f721e3e482a16e8250bfe45b183709ee3a95790f5ad71a692597317408ae08ea263338ab632fd4675260bb82864b41c7d40114
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5116	4948	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4128	4948	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4120	4948	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1856	4948	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4176	4948	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	528	4948	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5008	4948	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	4948	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4900	4948	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4944	4948	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4960	4948	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4972	4948	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1180	4948	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	936	4948	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1252	4948	schtasks.exe	71

DCRat payload 14 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000600000001ac35-280.dat	dcrat
behavioral1/files/0x000600000001ac35-281.dat	dcrat
behavioral1/memory/3272-282-0x00000000009F0000-0x0000000000B00000-memory.dmp	dcrat
behavioral1/files/0x000200000001ac45-500.dat	dcrat
behavioral1/files/0x000200000001ac45-501.dat	dcrat
behavioral1/files/0x000200000001ac45-507.dat	dcrat
behavioral1/files/0x000200000001ac45-514.dat	dcrat
behavioral1/files/0x000200000001ac45-519.dat	dcrat
behavioral1/files/0x000200000001ac45-525.dat	dcrat
behavioral1/files/0x000200000001ac45-531.dat	dcrat
behavioral1/files/0x000200000001ac45-536.dat	dcrat
behavioral1/files/0x000200000001ac45-542.dat	dcrat
behavioral1/files/0x000200000001ac45-548.dat	dcrat
behavioral1/files/0x000200000001ac45-554.dat	dcrat

Executes dropped EXE 11 IoCs

pid	Process
3272	DllCommonsvc.exe
1128	dwm.exe
936	dwm.exe
4856	dwm.exe
4588	dwm.exe
416	dwm.exe
2568	dwm.exe
1348	dwm.exe
680	dwm.exe
4744	dwm.exe
3888	dwm.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Photo Viewer\ja-JP\dwm.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\ja-JP\6cb0b6c459d5d3	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Web\Wallpaper\Theme2\csrss.exe	DllCommonsvc.exe
File created	C:\Windows\Web\Wallpaper\Theme2\886983d96e3d3e	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4176	schtasks.exe
528	schtasks.exe
4944	schtasks.exe
4972	schtasks.exe
4120	schtasks.exe
5008	schtasks.exe
536	schtasks.exe
4960	schtasks.exe
1252	schtasks.exe
1180	schtasks.exe
5116	schtasks.exe
4128	schtasks.exe
1856	schtasks.exe
4900	schtasks.exe
936	schtasks.exe

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	205a268df3453caa7a5142d358ccca54cd997291a026d5230cc7c9a8a455d29b.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	dwm.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

pid	Process
3272	DllCommonsvc.exe
3272	DllCommonsvc.exe
3272	DllCommonsvc.exe
3272	DllCommonsvc.exe
3272	DllCommonsvc.exe
1536	powershell.exe
668	powershell.exe
1732	powershell.exe
2224	powershell.exe
2112	powershell.exe
1348	powershell.exe
1536	powershell.exe
1732	powershell.exe
2112	powershell.exe
1348	powershell.exe
2224	powershell.exe
668	powershell.exe
668	powershell.exe
2224	powershell.exe
1536	powershell.exe
2112	powershell.exe
1348	powershell.exe
1732	powershell.exe
1128	dwm.exe
936	dwm.exe
4856	dwm.exe
4588	dwm.exe
416	dwm.exe
2568	dwm.exe
1348	dwm.exe
680	dwm.exe
4744	dwm.exe
3888	dwm.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3272	DllCommonsvc.exe
Token: SeDebugPrivilege	1536	powershell.exe
Token: SeDebugPrivilege	668	powershell.exe
Token: SeDebugPrivilege	1732	powershell.exe
Token: SeDebugPrivilege	2224	powershell.exe
Token: SeDebugPrivilege	2112	powershell.exe
Token: SeDebugPrivilege	1348	powershell.exe
Token: SeIncreaseQuotaPrivilege	2224	powershell.exe
Token: SeSecurityPrivilege	2224	powershell.exe
Token: SeTakeOwnershipPrivilege	2224	powershell.exe
Token: SeLoadDriverPrivilege	2224	powershell.exe
Token: SeSystemProfilePrivilege	2224	powershell.exe
Token: SeSystemtimePrivilege	2224	powershell.exe
Token: SeProfSingleProcessPrivilege	2224	powershell.exe
Token: SeIncBasePriorityPrivilege	2224	powershell.exe
Token: SeCreatePagefilePrivilege	2224	powershell.exe
Token: SeBackupPrivilege	2224	powershell.exe
Token: SeRestorePrivilege	2224	powershell.exe
Token: SeShutdownPrivilege	2224	powershell.exe
Token: SeDebugPrivilege	2224	powershell.exe
Token: SeSystemEnvironmentPrivilege	2224	powershell.exe
Token: SeRemoteShutdownPrivilege	2224	powershell.exe
Token: SeUndockPrivilege	2224	powershell.exe
Token: SeManageVolumePrivilege	2224	powershell.exe
Token: 33	2224	powershell.exe
Token: 34	2224	powershell.exe
Token: 35	2224	powershell.exe
Token: 36	2224	powershell.exe
Token: SeIncreaseQuotaPrivilege	1536	powershell.exe
Token: SeSecurityPrivilege	1536	powershell.exe
Token: SeTakeOwnershipPrivilege	1536	powershell.exe
Token: SeLoadDriverPrivilege	1536	powershell.exe
Token: SeSystemProfilePrivilege	1536	powershell.exe
Token: SeSystemtimePrivilege	1536	powershell.exe
Token: SeProfSingleProcessPrivilege	1536	powershell.exe
Token: SeIncBasePriorityPrivilege	1536	powershell.exe
Token: SeCreatePagefilePrivilege	1536	powershell.exe
Token: SeBackupPrivilege	1536	powershell.exe
Token: SeRestorePrivilege	1536	powershell.exe
Token: SeShutdownPrivilege	1536	powershell.exe
Token: SeDebugPrivilege	1536	powershell.exe
Token: SeSystemEnvironmentPrivilege	1536	powershell.exe
Token: SeRemoteShutdownPrivilege	1536	powershell.exe
Token: SeUndockPrivilege	1536	powershell.exe
Token: SeManageVolumePrivilege	1536	powershell.exe
Token: 33	1536	powershell.exe
Token: 34	1536	powershell.exe
Token: 35	1536	powershell.exe
Token: 36	1536	powershell.exe
Token: SeIncreaseQuotaPrivilege	1732	powershell.exe
Token: SeSecurityPrivilege	1732	powershell.exe
Token: SeTakeOwnershipPrivilege	1732	powershell.exe
Token: SeLoadDriverPrivilege	1732	powershell.exe
Token: SeSystemProfilePrivilege	1732	powershell.exe
Token: SeSystemtimePrivilege	1732	powershell.exe
Token: SeProfSingleProcessPrivilege	1732	powershell.exe
Token: SeIncBasePriorityPrivilege	1732	powershell.exe
Token: SeCreatePagefilePrivilege	1732	powershell.exe
Token: SeBackupPrivilege	1732	powershell.exe
Token: SeRestorePrivilege	1732	powershell.exe
Token: SeShutdownPrivilege	1732	powershell.exe
Token: SeDebugPrivilege	1732	powershell.exe
Token: SeSystemEnvironmentPrivilege	1732	powershell.exe
Token: SeRemoteShutdownPrivilege	1732	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4220 wrote to memory of 4280	4220	205a268df3453caa7a5142d358ccca54cd997291a026d5230cc7c9a8a455d29b.exe	67
PID 4220 wrote to memory of 4280	4220	205a268df3453caa7a5142d358ccca54cd997291a026d5230cc7c9a8a455d29b.exe	67
PID 4220 wrote to memory of 4280	4220	205a268df3453caa7a5142d358ccca54cd997291a026d5230cc7c9a8a455d29b.exe	67
PID 4280 wrote to memory of 4608	4280	WScript.exe	68
PID 4280 wrote to memory of 4608	4280	WScript.exe	68
PID 4280 wrote to memory of 4608	4280	WScript.exe	68
PID 4608 wrote to memory of 3272	4608	cmd.exe	70
PID 4608 wrote to memory of 3272	4608	cmd.exe	70
PID 3272 wrote to memory of 668	3272	DllCommonsvc.exe	87
PID 3272 wrote to memory of 668	3272	DllCommonsvc.exe	87
PID 3272 wrote to memory of 1732	3272	DllCommonsvc.exe	89
PID 3272 wrote to memory of 1732	3272	DllCommonsvc.exe	89
PID 3272 wrote to memory of 1536	3272	DllCommonsvc.exe	91
PID 3272 wrote to memory of 1536	3272	DllCommonsvc.exe	91
PID 3272 wrote to memory of 2112	3272	DllCommonsvc.exe	93
PID 3272 wrote to memory of 2112	3272	DllCommonsvc.exe	93
PID 3272 wrote to memory of 2224	3272	DllCommonsvc.exe	95
PID 3272 wrote to memory of 2224	3272	DllCommonsvc.exe	95
PID 3272 wrote to memory of 1348	3272	DllCommonsvc.exe	97
PID 3272 wrote to memory of 1348	3272	DllCommonsvc.exe	97
PID 3272 wrote to memory of 2856	3272	DllCommonsvc.exe	99
PID 3272 wrote to memory of 2856	3272	DllCommonsvc.exe	99
PID 1128 wrote to memory of 2672	1128	dwm.exe	104
PID 1128 wrote to memory of 2672	1128	dwm.exe	104
PID 2672 wrote to memory of 1820	2672	cmd.exe	106
PID 2672 wrote to memory of 1820	2672	cmd.exe	106
PID 2672 wrote to memory of 936	2672	cmd.exe	107
PID 2672 wrote to memory of 936	2672	cmd.exe	107
PID 936 wrote to memory of 3860	936	dwm.exe	108
PID 936 wrote to memory of 3860	936	dwm.exe	108
PID 3860 wrote to memory of 1108	3860	cmd.exe	110
PID 3860 wrote to memory of 1108	3860	cmd.exe	110
PID 3860 wrote to memory of 4856	3860	cmd.exe	111
PID 3860 wrote to memory of 4856	3860	cmd.exe	111
PID 4856 wrote to memory of 4000	4856	dwm.exe	112
PID 4856 wrote to memory of 4000	4856	dwm.exe	112
PID 4000 wrote to memory of 4460	4000	cmd.exe	114
PID 4000 wrote to memory of 4460	4000	cmd.exe	114
PID 4000 wrote to memory of 4588	4000	cmd.exe	115
PID 4000 wrote to memory of 4588	4000	cmd.exe	115
PID 4588 wrote to memory of 3608	4588	dwm.exe	116
PID 4588 wrote to memory of 3608	4588	dwm.exe	116
PID 3608 wrote to memory of 3400	3608	cmd.exe	118
PID 3608 wrote to memory of 3400	3608	cmd.exe	118
PID 3608 wrote to memory of 416	3608	cmd.exe	119
PID 3608 wrote to memory of 416	3608	cmd.exe	119
PID 416 wrote to memory of 3144	416	dwm.exe	120
PID 416 wrote to memory of 3144	416	dwm.exe	120
PID 3144 wrote to memory of 5088	3144	cmd.exe	122
PID 3144 wrote to memory of 5088	3144	cmd.exe	122
PID 3144 wrote to memory of 2568	3144	cmd.exe	123
PID 3144 wrote to memory of 2568	3144	cmd.exe	123
PID 2568 wrote to memory of 620	2568	dwm.exe	124
PID 2568 wrote to memory of 620	2568	dwm.exe	124
PID 620 wrote to memory of 4668	620	cmd.exe	126
PID 620 wrote to memory of 4668	620	cmd.exe	126
PID 620 wrote to memory of 1348	620	cmd.exe	127
PID 620 wrote to memory of 1348	620	cmd.exe	127
PID 1348 wrote to memory of 4900	1348	dwm.exe	128
PID 1348 wrote to memory of 4900	1348	dwm.exe	128
PID 4900 wrote to memory of 1832	4900	cmd.exe	130
PID 4900 wrote to memory of 1832	4900	cmd.exe	130
PID 4900 wrote to memory of 680	4900	cmd.exe	131
PID 4900 wrote to memory of 680	4900	cmd.exe	131

C:\Users\Admin\AppData\Local\Temp\205a268df3453caa7a5142d358ccca54cd997291a026d5230cc7c9a8a455d29b.exe
"C:\Users\Admin\AppData\Local\Temp\205a268df3453caa7a5142d358ccca54cd997291a026d5230cc7c9a8a455d29b.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4220
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4280
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4608
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3272
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:668
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Application Data\dllhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1732
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1536
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\dwm.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2112
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Web\Wallpaper\Theme2\csrss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2224
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1348
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZUhgq7iBDF.bat"
        5⤵
        
        PID:2856
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:372
      - C:\Program Files (x86)\Windows Photo Viewer\ja-JP\dwm.exe
        
        "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\dwm.exe"
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1128
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Wm5t4PlH1R.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2672
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1820
        
        C:\Program Files (x86)\Windows Photo Viewer\ja-JP\dwm.exe
        
        "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\dwm.exe"
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:936
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SaOkt9ru2m.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3860
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:1108
        
        C:\Program Files (x86)\Windows Photo Viewer\ja-JP\dwm.exe
        
        "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\dwm.exe"
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4856
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pCY6B1XXru.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:4000
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:4460
        
        C:\Program Files (x86)\Windows Photo Viewer\ja-JP\dwm.exe
        
        "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\dwm.exe"
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4588
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lLU0orPlEL.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:3608
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:3400
        
        C:\Program Files (x86)\Windows Photo Viewer\ja-JP\dwm.exe
        
        "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\dwm.exe"
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:416
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Wm5t4PlH1R.bat"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:3144
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:5088
        
        C:\Program Files (x86)\Windows Photo Viewer\ja-JP\dwm.exe
        
        "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\dwm.exe"
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2568
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UWQnaEvoMY.bat"
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:620
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:4668
        
        C:\Program Files (x86)\Windows Photo Viewer\ja-JP\dwm.exe
        
        "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\dwm.exe"
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1348
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8xeM6k5O3T.bat"
        19⤵
        Suspicious use of WriteProcessMemory
        
        PID:4900
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1832
        
        C:\Program Files (x86)\Windows Photo Viewer\ja-JP\dwm.exe
        
        "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\dwm.exe"
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:680
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\76lQa6YaxV.bat"
        21⤵
        
        PID:4028
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2068
        
        C:\Program Files (x86)\Windows Photo Viewer\ja-JP\dwm.exe
        
        "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\dwm.exe"
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4744
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KwQfKFARzT.bat"
        23⤵
        
        PID:2864
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1964
        
        C:\Program Files (x86)\Windows Photo Viewer\ja-JP\dwm.exe
        
        "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\dwm.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:3888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Application Data\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Application Data\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\providercommon\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\Web\Wallpaper\Theme2\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Web\Wallpaper\Theme2\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\Web\Wallpaper\Theme2\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\odt\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\odt\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\odt\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1252

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Photo Viewer\ja-JP\dwm.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Windows Photo Viewer\ja-JP\dwm.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Windows Photo Viewer\ja-JP\dwm.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Windows Photo Viewer\ja-JP\dwm.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Windows Photo Viewer\ja-JP\dwm.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Windows Photo Viewer\ja-JP\dwm.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Windows Photo Viewer\ja-JP\dwm.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Windows Photo Viewer\ja-JP\dwm.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Windows Photo Viewer\ja-JP\dwm.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Windows Photo Viewer\ja-JP\dwm.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Windows Photo Viewer\ja-JP\dwm.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dwm.exe.log

Filesize
1KB

MD5
d63ff49d7c92016feb39812e4db10419

SHA1
2307d5e35ca9864ffefc93acf8573ea995ba189b

SHA256
375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12

SHA512
00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0f3a367b08d4747d7f370d08cf9af2d9

SHA1
89ed61ac651c9bf6e7958e3480641ad7638696a2

SHA256
f31034419c2a723af88228da5d1f6e3dc4bc342f182682e303974795d7f506a6

SHA512
e4519e3b18ce8f156b400322565820922c2a670b8e1017b476439ff3a87b95558b4017d90cd8e98105861de06cea70c396154f52e1841d076d53fa5eb54f2bd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ae1289ac679a7198b6935b0228c8c544

SHA1
bccf310a6759eefb5039d0b100460057154e90c6

SHA256
24b7b3b901ee33777504f5cd628c54c5e9fb61513b503553a493e9eb0aa676bd

SHA512
cd66602d22e685d02538c1bb9615b5b83b0f7221b4ecef2f51a51de9ae1dc6567b07319f6b83e870a8499354dceff8c2a7ff60ab75736ff2aa66a73b3724dd75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e03371440a29b799cd045d912813009e

SHA1
bee905a380e22bc5b80b691c3c6d4afe7ae6e9dd

SHA256
a72574b5738d7aff807b06bd9a28859685641bdf0182782256f5d7dd218be05b

SHA512
ae4e623bb90f17f6c1f826d5b768cd2a93be4dcfb739d96346aeb7b693bcb14122b843db3f3d27a5a042deb9f6ae30420f68394ab377f350e4bc79f860efb692

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9a2499189848517a93a73f3ecbb035b2

SHA1
cb0c5134a66680696ae5294d858544857f0351cd

SHA256
8891bcb8dfc1c4247a719fc9b6e2ba298ba5ad06fc8dc95006c867a502a60817

SHA512
3b3137cf74f756b775ba66a347a45fd08fe18354f4f71b255a8a3731ba17e250a888c0268d97eaa27d908a716c2dddc1c1b1a6249ce8eb352bd66da9bc83dcac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
291B

MD5
ec6c19b404ce09ba45c2b9721d2b58f8

SHA1
1858ad2933b130f9baa469de883516b2afb155a6

SHA256
60b0afe1850645706b2e0fbf82e927af7d3701374f6f8fe80f4fd50cec8d5d08

SHA512
9dedc0b2a87438790e86260096ac1e0e57f58d78adaa00e05fdcd48f50f6e10d3f58c2a37cc6c0338712735c938548d71a5d1a51a188222ed9f4f597cc8f36d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\76lQa6YaxV.bat

Filesize
222B

MD5
9532ca737eaa43f01c624dda6ffe8779

SHA1
1e29ca58994ef336f95de1c3cc2fd3846db768dd

SHA256
98dc236982ac7d01b42575b56781a804e3434794c17576f18b3df82b86efe572

SHA512
61941d06459bed6f789ae855f81c155c10ce43771ffe05276c61760d1039bea2698c0510d4ed2ddc381a1ce7c759c48c6997cfbd2d2e7a7b5751782b018e40ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\8xeM6k5O3T.bat

Filesize
222B

MD5
8c9af35bb328efcb6cdc3cc4c67069d4

SHA1
bbe7f7d217c9f46f96942a65e0db299080388ea8

SHA256
edf51b12489ec56f9c8561d6a39e0b9f12aa69a4ebdd46b75052725232b5ed44

SHA512
f21514afd5a54d5d23cbfb7a0e58b131dc9beac31648917e618fb37f020e4e18b14fb29152d45c6d76d6d15477d78eebe99ae17bfa4f95d31a10f581e4e742e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\KwQfKFARzT.bat

Filesize
222B

MD5
eecaa5180851187465e6bc19f41f1eb8

SHA1
27aa8ff8f8d04441001821666d12b058f7c76805

SHA256
7cb114bb395688095f157265d4122ded46e43a42e29a9732db5d5ce3f7291d9c

SHA512
4aec23be81400017f0b03807e374efac62f4f7ebde0dbd04f947f3adbbc22c5f615f0240936a6d034ecea37a5b28f34bc783a82406b544516af06dfa94c06abb

Download Submit
C:\Users\Admin\AppData\Local\Temp\SaOkt9ru2m.bat

Filesize
222B

MD5
604e3c0f25f6f76366f60fa7dc85d5f9

SHA1
76f4ac24d9e3793a6620d8e627d83b8fbb137f64

SHA256
09e65b7de0892e7df59bf6c2cd44346d38557109a75b77ec54bdc43b4be1714b

SHA512
865f9c94753f888b8474d9472aec7fc49aeb0f158a6c36252a7c70c5d8fa2bda6d51646bfe251527d5a91b1efa846c8cb397311902b8bee6b1fe3677e2271a5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\UWQnaEvoMY.bat

Filesize
222B

MD5
e9060b2d567cfb53f14d4ee7d92623ac

SHA1
2ed6399dbb4f59fb4ca7c7ef01f6022c2494bd09

SHA256
3999f37c8d05d3b24c83d745e11ae8be382902f79717f145c521ea5801fb2d78

SHA512
6ae84f0f985f18a76dc277eeec7bff9cf6d2317eef784588e14de37b5b9fab9028e778c9fd3259a5ac369fcf051a0bdfe27b8dedc05f0b3735a017f6812c72bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wm5t4PlH1R.bat

Filesize
222B

MD5
fb5a479096cd2dd45f14a8a3ece68a20

SHA1
363ee7430f3d475c6e7fccf710af6226a34dd8d3

SHA256
15c85af7f42deda8c29e97930836a637b9273759325d12aeb9f746fc7ac1efdf

SHA512
c0774948caf62842ceeb3294810749781811f158897a07a86e9158ff035b78de16b09ed1549b9d3fdbfe2a78db3e67ddbfda63cdc5dca4f2f8920f01d8a8c601

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wm5t4PlH1R.bat

Filesize
222B

MD5
fb5a479096cd2dd45f14a8a3ece68a20

SHA1
363ee7430f3d475c6e7fccf710af6226a34dd8d3

SHA256
15c85af7f42deda8c29e97930836a637b9273759325d12aeb9f746fc7ac1efdf

SHA512
c0774948caf62842ceeb3294810749781811f158897a07a86e9158ff035b78de16b09ed1549b9d3fdbfe2a78db3e67ddbfda63cdc5dca4f2f8920f01d8a8c601

Download Submit
C:\Users\Admin\AppData\Local\Temp\lLU0orPlEL.bat

Filesize
222B

MD5
0eedce964b2642171add5d07f8978440

SHA1
e01d5d0735a2c1447f2475ddd1d3df3d22e96bab

SHA256
c9eac8366244c1794e205f1dafb9601b6cdaa57d0b44b08965d664ac3cc4e458

SHA512
880585f61bf18713e0f1ac440a94a03099ea788cbd053c5ee58d6a526d8aaa12d3c4ab4a082a4170efd8b4eb9134cc1e86761904f2c29810139eec55e1a43fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\pCY6B1XXru.bat

Filesize
222B

MD5
d3da705a492b165031dc6d627ebc14fb

SHA1
c6c25af53a003c720119be25d11a936f0238a524

SHA256
ac2f45f63101adbbfdcee06dad1694275e2e6b8378d135b6d6706e7d3ed0f282

SHA512
95afc675992690aa0d839981ec210317b7039b8b0fb0b0c9b91ef5c574d20d98147733392a78b2acb6d0308e0976a39cbae6fb341a7e4cbff79e459fffe71e15

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/416-524-0x0000000000000000-mapping.dmp

Download
memory/416-526-0x00000000016D0000-0x00000000016E2000-memory.dmp

Filesize
72KB

Download
memory/620-532-0x0000000000000000-mapping.dmp

Download
memory/668-287-0x0000000000000000-mapping.dmp

Download
memory/680-543-0x00000000010F0000-0x0000000001102000-memory.dmp

Filesize
72KB

Download
memory/680-541-0x0000000000000000-mapping.dmp

Download
memory/936-506-0x0000000000000000-mapping.dmp

Download
memory/936-509-0x0000000001220000-0x0000000001232000-memory.dmp

Filesize
72KB

Download
memory/1108-512-0x0000000000000000-mapping.dmp

Download
memory/1128-502-0x0000000000990000-0x00000000009A2000-memory.dmp

Filesize
72KB

Download
memory/1348-292-0x0000000000000000-mapping.dmp

Download
memory/1348-537-0x0000000002B90000-0x0000000002BA2000-memory.dmp

Filesize
72KB

Download
memory/1348-535-0x0000000000000000-mapping.dmp

Download
memory/1536-289-0x0000000000000000-mapping.dmp

Download
memory/1536-331-0x000001984F410000-0x000001984F486000-memory.dmp

Filesize
472KB

Download
memory/1732-288-0x0000000000000000-mapping.dmp

Download
memory/1820-505-0x0000000000000000-mapping.dmp

Download
memory/1832-540-0x0000000000000000-mapping.dmp

Download
memory/1964-552-0x0000000000000000-mapping.dmp

Download
memory/2068-546-0x0000000000000000-mapping.dmp

Download
memory/2112-290-0x0000000000000000-mapping.dmp

Download
memory/2112-318-0x0000020F281F0000-0x0000020F28212000-memory.dmp

Filesize
136KB

Download
memory/2224-291-0x0000000000000000-mapping.dmp

Download
memory/2568-530-0x0000000000000000-mapping.dmp

Download
memory/2672-503-0x0000000000000000-mapping.dmp

Download
memory/2856-317-0x0000000000000000-mapping.dmp

Download
memory/2864-550-0x0000000000000000-mapping.dmp

Download
memory/3144-527-0x0000000000000000-mapping.dmp

Download
memory/3272-283-0x0000000001220000-0x0000000001232000-memory.dmp

Filesize
72KB

Download
memory/3272-282-0x00000000009F0000-0x0000000000B00000-memory.dmp

Filesize
1.1MB

Download
memory/3272-279-0x0000000000000000-mapping.dmp

Download
memory/3272-286-0x0000000002C00000-0x0000000002C0C000-memory.dmp

Filesize
48KB

Download
memory/3272-285-0x0000000002BF0000-0x0000000002BFC000-memory.dmp

Filesize
48KB

Download
memory/3272-284-0x0000000002BE0000-0x0000000002BEC000-memory.dmp

Filesize
48KB

Download
memory/3400-523-0x0000000000000000-mapping.dmp

Download
memory/3608-521-0x0000000000000000-mapping.dmp

Download
memory/3860-510-0x0000000000000000-mapping.dmp

Download
memory/3888-553-0x0000000000000000-mapping.dmp

Download
memory/3888-555-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/4000-515-0x0000000000000000-mapping.dmp

Download
memory/4028-544-0x0000000000000000-mapping.dmp

Download
memory/4220-154-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-135-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-117-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-118-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-119-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-177-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-179-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-178-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-176-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-175-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-174-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-173-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-172-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-171-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-170-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-169-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-168-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-167-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-166-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-165-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-164-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-163-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-162-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-161-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-160-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-159-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-158-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-157-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-156-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-155-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-116-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-153-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-122-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-152-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-151-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-150-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-121-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-124-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-148-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-125-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-149-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-147-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-146-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-145-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-144-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-143-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-142-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-141-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-126-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-140-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-139-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-138-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-127-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-137-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-136-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-128-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-134-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-129-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-133-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-132-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-131-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-130-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4280-180-0x0000000000000000-mapping.dmp

Download
memory/4280-182-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4280-181-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4460-517-0x0000000000000000-mapping.dmp

Download
memory/4588-520-0x0000000001880000-0x0000000001892000-memory.dmp

Filesize
72KB

Download
memory/4588-518-0x0000000000000000-mapping.dmp

Download
memory/4608-256-0x0000000000000000-mapping.dmp

Download
memory/4668-534-0x0000000000000000-mapping.dmp

Download
memory/4744-547-0x0000000000000000-mapping.dmp

Download
memory/4744-549-0x00000000013E0000-0x00000000013F2000-memory.dmp

Filesize
72KB

Download
memory/4856-513-0x0000000000000000-mapping.dmp

Download
memory/4900-538-0x0000000000000000-mapping.dmp

Download
memory/5088-529-0x0000000000000000-mapping.dmp

Download