dcrat | 7151c52c12d60adf75b1e1e3abd3e3e44d2fac124ec997292ab4de8680da64f3

Analysis

max time kernel
146s
max time network
142s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 18:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_7151c52c12d60adf75b1e1e3abd3e3e44d2fac124ec997292ab4de8680da64f3.exe
Size

1.3MB
MD5

47749cf8c60c4584f00f61a40dfb421f
SHA1

afde943f8846b3d8fc9758d2e413810133b14743
SHA256

7151c52c12d60adf75b1e1e3abd3e3e44d2fac124ec997292ab4de8680da64f3
SHA512

e8582ce4a8638753326fe77e2bbdf8bce716cdf257f26919408045eaeaaf3f2c8959bda72b5090805909b5318af1f689432b885203fd282f218cf162a176cfae
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	2568	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	2568	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	2568	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	792	2568	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1324	2568	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	2568	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	2568	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	2568	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2392	2568	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	2568	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1840	2568	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	2568	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	808	2568	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1272	2568	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1448	2568	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	2568	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	2568	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2308	2568	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1828	2568	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	2568	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	2568	schtasks.exe	34

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000015d29-11.dat	dcrat
behavioral1/memory/2668-13-0x0000000000930000-0x0000000000A40000-memory.dmp	dcrat
behavioral1/memory/2788-80-0x0000000000940000-0x0000000000A50000-memory.dmp	dcrat
behavioral1/memory/2316-140-0x0000000000F80000-0x0000000001090000-memory.dmp	dcrat
behavioral1/memory/2416-260-0x0000000000080000-0x0000000000190000-memory.dmp	dcrat
behavioral1/memory/2744-320-0x00000000010C0000-0x00000000011D0000-memory.dmp	dcrat
behavioral1/memory/1572-439-0x0000000000190000-0x00000000002A0000-memory.dmp	dcrat
behavioral1/memory/2980-499-0x00000000010D0000-0x00000000011E0000-memory.dmp	dcrat
behavioral1/memory/1608-559-0x0000000001300000-0x0000000001410000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2104	powershell.exe
3060	powershell.exe
2180	powershell.exe
3032	powershell.exe
1672	powershell.exe
2188	powershell.exe
1996	powershell.exe
1984	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2668	DllCommonsvc.exe
2788	dllhost.exe
2316	dllhost.exe
2080	dllhost.exe
2416	dllhost.exe
2744	dllhost.exe
2316	dllhost.exe
1572	dllhost.exe
2980	dllhost.exe
1608	dllhost.exe
2132	dllhost.exe

Loads dropped DLL 2 IoCs

pid	Process
2804	cmd.exe
2804	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
31	raw.githubusercontent.com
34	raw.githubusercontent.com
16	raw.githubusercontent.com
27	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
19	raw.githubusercontent.com
23	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\db\dllhost.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\5940a34987c991	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Offline Web Pages\audiodg.exe	DllCommonsvc.exe
File created	C:\Windows\Offline Web Pages\42af1c969fbb7b	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7151c52c12d60adf75b1e1e3abd3e3e44d2fac124ec997292ab4de8680da64f3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1692	schtasks.exe
1496	schtasks.exe
2992	schtasks.exe
1272	schtasks.exe
1648	schtasks.exe
2932	schtasks.exe
2984	schtasks.exe
2156	schtasks.exe
2292	schtasks.exe
1840	schtasks.exe
1788	schtasks.exe
1448	schtasks.exe
1324	schtasks.exe
1948	schtasks.exe
808	schtasks.exe
2760	schtasks.exe
2308	schtasks.exe
792	schtasks.exe
2392	schtasks.exe
2836	schtasks.exe
1828	schtasks.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
2668	DllCommonsvc.exe
2668	DllCommonsvc.exe
2668	DllCommonsvc.exe
1672	powershell.exe
3060	powershell.exe
3032	powershell.exe
2104	powershell.exe
1996	powershell.exe
1984	powershell.exe
2188	powershell.exe
2180	powershell.exe
2788	dllhost.exe
2316	dllhost.exe
2080	dllhost.exe
2416	dllhost.exe
2744	dllhost.exe
2316	dllhost.exe
1572	dllhost.exe
2980	dllhost.exe
1608	dllhost.exe
2132	dllhost.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	2668	DllCommonsvc.exe
Token: SeDebugPrivilege	1672	powershell.exe
Token: SeDebugPrivilege	3060	powershell.exe
Token: SeDebugPrivilege	3032	powershell.exe
Token: SeDebugPrivilege	2104	powershell.exe
Token: SeDebugPrivilege	1996	powershell.exe
Token: SeDebugPrivilege	1984	powershell.exe
Token: SeDebugPrivilege	2188	powershell.exe
Token: SeDebugPrivilege	2180	powershell.exe
Token: SeDebugPrivilege	2788	dllhost.exe
Token: SeDebugPrivilege	2316	dllhost.exe
Token: SeDebugPrivilege	2080	dllhost.exe
Token: SeDebugPrivilege	2416	dllhost.exe
Token: SeDebugPrivilege	2744	dllhost.exe
Token: SeDebugPrivilege	2316	dllhost.exe
Token: SeDebugPrivilege	1572	dllhost.exe
Token: SeDebugPrivilege	2980	dllhost.exe
Token: SeDebugPrivilege	1608	dllhost.exe
Token: SeDebugPrivilege	2132	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 2736	2220	JaffaCakes118_7151c52c12d60adf75b1e1e3abd3e3e44d2fac124ec997292ab4de8680da64f3.exe	30
PID 2220 wrote to memory of 2736	2220	JaffaCakes118_7151c52c12d60adf75b1e1e3abd3e3e44d2fac124ec997292ab4de8680da64f3.exe	30
PID 2220 wrote to memory of 2736	2220	JaffaCakes118_7151c52c12d60adf75b1e1e3abd3e3e44d2fac124ec997292ab4de8680da64f3.exe	30
PID 2220 wrote to memory of 2736	2220	JaffaCakes118_7151c52c12d60adf75b1e1e3abd3e3e44d2fac124ec997292ab4de8680da64f3.exe	30
PID 2736 wrote to memory of 2804	2736	WScript.exe	31
PID 2736 wrote to memory of 2804	2736	WScript.exe	31
PID 2736 wrote to memory of 2804	2736	WScript.exe	31
PID 2736 wrote to memory of 2804	2736	WScript.exe	31
PID 2804 wrote to memory of 2668	2804	cmd.exe	33
PID 2804 wrote to memory of 2668	2804	cmd.exe	33
PID 2804 wrote to memory of 2668	2804	cmd.exe	33
PID 2804 wrote to memory of 2668	2804	cmd.exe	33
PID 2668 wrote to memory of 1996	2668	DllCommonsvc.exe	56
PID 2668 wrote to memory of 1996	2668	DllCommonsvc.exe	56
PID 2668 wrote to memory of 1996	2668	DllCommonsvc.exe	56
PID 2668 wrote to memory of 2188	2668	DllCommonsvc.exe	57
PID 2668 wrote to memory of 2188	2668	DllCommonsvc.exe	57
PID 2668 wrote to memory of 2188	2668	DllCommonsvc.exe	57
PID 2668 wrote to memory of 1672	2668	DllCommonsvc.exe	58
PID 2668 wrote to memory of 1672	2668	DllCommonsvc.exe	58
PID 2668 wrote to memory of 1672	2668	DllCommonsvc.exe	58
PID 2668 wrote to memory of 1984	2668	DllCommonsvc.exe	60
PID 2668 wrote to memory of 1984	2668	DllCommonsvc.exe	60
PID 2668 wrote to memory of 1984	2668	DllCommonsvc.exe	60
PID 2668 wrote to memory of 2104	2668	DllCommonsvc.exe	62
PID 2668 wrote to memory of 2104	2668	DllCommonsvc.exe	62
PID 2668 wrote to memory of 2104	2668	DllCommonsvc.exe	62
PID 2668 wrote to memory of 3060	2668	DllCommonsvc.exe	64
PID 2668 wrote to memory of 3060	2668	DllCommonsvc.exe	64
PID 2668 wrote to memory of 3060	2668	DllCommonsvc.exe	64
PID 2668 wrote to memory of 3032	2668	DllCommonsvc.exe	65
PID 2668 wrote to memory of 3032	2668	DllCommonsvc.exe	65
PID 2668 wrote to memory of 3032	2668	DllCommonsvc.exe	65
PID 2668 wrote to memory of 2180	2668	DllCommonsvc.exe	67
PID 2668 wrote to memory of 2180	2668	DllCommonsvc.exe	67
PID 2668 wrote to memory of 2180	2668	DllCommonsvc.exe	67
PID 2668 wrote to memory of 1512	2668	DllCommonsvc.exe	72
PID 2668 wrote to memory of 1512	2668	DllCommonsvc.exe	72
PID 2668 wrote to memory of 1512	2668	DllCommonsvc.exe	72
PID 1512 wrote to memory of 2896	1512	cmd.exe	74
PID 1512 wrote to memory of 2896	1512	cmd.exe	74
PID 1512 wrote to memory of 2896	1512	cmd.exe	74
PID 1512 wrote to memory of 2788	1512	cmd.exe	76
PID 1512 wrote to memory of 2788	1512	cmd.exe	76
PID 1512 wrote to memory of 2788	1512	cmd.exe	76
PID 2788 wrote to memory of 2972	2788	dllhost.exe	77
PID 2788 wrote to memory of 2972	2788	dllhost.exe	77
PID 2788 wrote to memory of 2972	2788	dllhost.exe	77
PID 2972 wrote to memory of 1920	2972	cmd.exe	79
PID 2972 wrote to memory of 1920	2972	cmd.exe	79
PID 2972 wrote to memory of 1920	2972	cmd.exe	79
PID 2972 wrote to memory of 2316	2972	cmd.exe	80
PID 2972 wrote to memory of 2316	2972	cmd.exe	80
PID 2972 wrote to memory of 2316	2972	cmd.exe	80
PID 2316 wrote to memory of 1380	2316	dllhost.exe	82
PID 2316 wrote to memory of 1380	2316	dllhost.exe	82
PID 2316 wrote to memory of 1380	2316	dllhost.exe	82
PID 1380 wrote to memory of 836	1380	cmd.exe	84
PID 1380 wrote to memory of 836	1380	cmd.exe	84
PID 1380 wrote to memory of 836	1380	cmd.exe	84
PID 1380 wrote to memory of 2080	1380	cmd.exe	85
PID 1380 wrote to memory of 2080	1380	cmd.exe	85
PID 1380 wrote to memory of 2080	1380	cmd.exe	85
PID 2080 wrote to memory of 2764	2080	dllhost.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7151c52c12d60adf75b1e1e3abd3e3e44d2fac124ec997292ab4de8680da64f3.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7151c52c12d60adf75b1e1e3abd3e3e44d2fac124ec997292ab4de8680da64f3.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2804
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2668
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1996
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jdk1.7.0_80\db\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2188
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1672
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1984
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2104
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3060
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Desktop\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3032
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Offline Web Pages\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2180
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\N6rO32Lqp3.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1512
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2896
      - C:\Program Files\Java\jdk1.7.0_80\db\dllhost.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\db\dllhost.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2788
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pgCyA6Uc1O.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2972
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1920
        
        C:\Program Files\Java\jdk1.7.0_80\db\dllhost.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\db\dllhost.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rd8mWnFnEV.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1380
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:836
        
        C:\Program Files\Java\jdk1.7.0_80\db\dllhost.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\db\dllhost.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2080
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oLfAgN0jmw.bat"
        11⤵
        
        PID:2764
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1436
        
        C:\Program Files\Java\jdk1.7.0_80\db\dllhost.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\db\dllhost.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2416
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MXvuXcjR4o.bat"
        13⤵
        
        PID:2584
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2776
        
        C:\Program Files\Java\jdk1.7.0_80\db\dllhost.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\db\dllhost.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2744
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aJcBxrOCPY.bat"
        15⤵
        
        PID:1548
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2828
        
        C:\Program Files\Java\jdk1.7.0_80\db\dllhost.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\db\dllhost.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2316
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Rhkc0SdEF2.bat"
        17⤵
        
        PID:2896
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:920
        
        C:\Program Files\Java\jdk1.7.0_80\db\dllhost.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\db\dllhost.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1572
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nGcIoKmMem.bat"
        19⤵
        
        PID:2500
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1228
        
        C:\Program Files\Java\jdk1.7.0_80\db\dllhost.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\db\dllhost.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2980
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\R5wNYqVH5b.bat"
        21⤵
        
        PID:1648
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1320
        
        C:\Program Files\Java\jdk1.7.0_80\db\dllhost.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\db\dllhost.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1608
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oPL6j2OtN4.bat"
        23⤵
        
        PID:2044
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2040
        
        C:\Program Files\Java\jdk1.7.0_80\db\dllhost.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\db\dllhost.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\jdk1.7.0_80\db\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.7.0_80\db\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\jdk1.7.0_80\db\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Desktop\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Desktop\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Desktop\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Windows\Offline Web Pages\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Windows\Offline Web Pages\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e13df33fc67be354b57cb10a62de5b5d

SHA1
f6d1f2097d05a661bc37abb9eb83ac152302acaa

SHA256
85eb621607d3e3351e38b7eb923856da6cebab78d4c886fc41e1992f05f7fa6c

SHA512
1990d04573db87cce7130600c2655c4bcd01b2c079438a6d4a13a46f1e142578b1a74b835543b7148ad53e192c9451eaa1e29f360cb305dac6cb3ac28d7fc81d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2749885d02eb809876cd40fbcbdef29b

SHA1
c669d65977dcaba5a120153968853176cf41bced

SHA256
fb879ec71c19bab63d491d402035d1d872cb22adb5621698340a31498bd65822

SHA512
9a49537e96597b41e9ad7ec20797d11d77b742be9faeb5d38fe8ba9b58de42322133d571c515e8e66d5d97b22d0cf6dab639b87bb3ee44bb09bd60d1b5b3f81c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1292309902f735f1796df3c2bf2c0609

SHA1
568d1fe436cb54bd87f744c22d1711c6122c045a

SHA256
ba2ce13478726f1bb6d2fec07bd4b16b4ad200bd68286f25b52fd974270bb70c

SHA512
5b3347efe899a8021c0e229e980e2c97abb111a31c63bc47cbe904759a781dbbf466004922b1bab1b3d8d1193be9e19890ef5d16a515ce73dcba094146f36011

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
16471f8c405c8a6a2a7611a1058428b5

SHA1
5ffeb173ddc0194ea5884dc6dbda6abb13b6010c

SHA256
e0f6c28af2068e6d0306db87e573db9feef72d8722313d077f3dafd692ad556c

SHA512
e105195abef507214d5301236009111bcdc5291866e90d4b6cd80d493a8c50cc2f381c395eb40e34d8a3d64ad0cdda220b8bf5fd87df65cf7c5db20eff7cdba8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2d56f1af262cd787697d96f78eda6db3

SHA1
3e0a12c9d3702c91d6e8c1dba3ad11d7570ede4a

SHA256
8665f584ee99a38fcc7c71bbffdf79128e8e12072573c3cc4513b0f2a5647de4

SHA512
7b9d9bf8a464c6038370140c8b38162cae666a3ff7e68c45d449dc85951fecc517b2bd658e03b6d47285c8b41c3c8bb4f2aef289f0c9bfc5acb06a20f3a738d5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ff5b5d077affd1594dbc02e8b008d7ae

SHA1
48cae42a487ad149bbf717f895edeee57f7d69c1

SHA256
a8d7cdaf0450615e2f8fd355d6fab1da5ce36a587f6662d5e3fe03799a1be861

SHA512
90632bd46d8d871a74c6e458d12a41e34994d48f885e34a86e8a1eae3154ec3cb4c3d0da610dc7f33c2bcbc4278ae7d9df4ed27b3cb7354a95ce7bdce7d63e21

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d6fdddacf71bd759317c2494187af9c1

SHA1
f10bfe4a64c56ad4ebf6e3c917801dd6b22261e3

SHA256
df8d306cfda420b39b52c06454c19ee152a09c77399a3e966ea6ec38aa066d1f

SHA512
e88cd4ca990405c36e2de290f9fd3c1b3e0737b6f8dcbe7367f80ce81fe01ea9d50c57b2132c540c10de4b8c1d2ec71c31d0fdd10f4c1b54d66c440607253b56

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
105bbf2bfed739bec5484a683a95043e

SHA1
c59d8a15dda1ba411d0e69e2cd53b1a2571a56bc

SHA256
e5b4041b899cf761cf93b42ce8b1f6b19ee58a80b1cc5fdbf63c53c72853af9f

SHA512
7aa31fb43de0a8f7a046fbae3206239bb16acd18e3b4f918c0fe5c7e2cfe507145789e02d117f051ef8fd048fa38f555748807e92fe1674da090f2bf68bc6a9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabAD03.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MXvuXcjR4o.bat

Filesize
213B

MD5
5926ef46dc1ac62c2d5f9f343b26e28f

SHA1
ed50135069fffa3c8de6b64ac185b149b91e0279

SHA256
a3372d1b98306112a06bea7e1cfb8d93d3273850f55c36c5bdf98c3a482d7ef8

SHA512
69a4fb047ea90d74351b19fb454a50060a91c729e4fdda0d349cdb835aa0722b2b9abfa1cd51a4d08f468d746f892885d54ac94b95a98c1d6b3fea6d1ab1267a

Download Submit
C:\Users\Admin\AppData\Local\Temp\N6rO32Lqp3.bat

Filesize
213B

MD5
d11aaea804e668302f62157ce62b0e89

SHA1
66f233a737ceb14834d201972581d39a5aca1aea

SHA256
9ee81c85523ce0cbfabe62d60d0b3fbf4301b7a2aaa60bc52f51eb20723fabd0

SHA512
ee8c509a26731882bf850175beb6b9b0e60be17d160690be8fb2d7894b8e16f19e39ec7e2d0acef355685de3feb7f89bfa8516c7e11c3548b3ca734a0ab904c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\R5wNYqVH5b.bat

Filesize
213B

MD5
93e1379ba4c1af36c73d9c9174a31610

SHA1
5c06639bf0e517b8c35ba4a5e11c828b0955a41b

SHA256
05b2e73db9ed578411000ddd174b1f052b3897341fcc3950e8381044d5f865e8

SHA512
e51cd0c9bc3cc614788093f77e9f9b3fa2f03198e8eca7ebf2eaf58464db1fb107da4bba111228194f7644af6767a6d5cf0f8048b0fc3811cd6f29db36c74aad

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rhkc0SdEF2.bat

Filesize
213B

MD5
691a0f3dad5662457f89c0e939eec651

SHA1
63c964a8c8b5095d9d4f548f369ddafa68f38ab6

SHA256
fb05314ae1d6ff7697f0ad7dbc81d63302f265d255f8e988cab3bd70646f8cdd

SHA512
3b333143a4a8abafdbf01b37122ba1e699fdb5c4bf724e77c2b46699346beda0bc308912539e1775ba561a5721d704c1fbd0a24806f6a40cfcdd057ff225366d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarAD16.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\aJcBxrOCPY.bat

Filesize
213B

MD5
87375e6c0fecd4d71cd27c9d3e735439

SHA1
120cb10d4fe4d2fdcd458dbfadf25fe219d41856

SHA256
fb214b1dc65b0de515c5170c14959d46064ef2963992d1423f6ad7adf5e52f3e

SHA512
41f31919a086948960d5e1c5c07c13b3c301ec69fa4a51453d8b6bf90bc00740d24ca1bb1013131812e0a9f9f53fe500fb23688d5e7573005932d3afad0d8631

Download Submit
C:\Users\Admin\AppData\Local\Temp\nGcIoKmMem.bat

Filesize
213B

MD5
5e89b12a90627795b6a25f1002ba77c4

SHA1
98b016086f26e67c25fd63707060f86d1310d6eb

SHA256
1d01cd9cb2c4715a3124838f5e6069195a8554a991f5cfc0f5f7a446f40ed845

SHA512
59ba3e6c612a7e17b130a6aa3c37a8375c9e6a54aa70281b2bb3b01bc11cd582564e1f39ae8c4bcfcc15194abdb7f872f897b83ab6c9ee18af6f3548cf455b76

Download Submit
C:\Users\Admin\AppData\Local\Temp\oLfAgN0jmw.bat

Filesize
213B

MD5
ed9756563d3e0508ae1d2bdf428d49ac

SHA1
9a54c371f00c967ef2cc14eb5420ebdb7953289d

SHA256
7bac2a15d64db5938dc2dd18d36c5be64815933b01ff8937b1e1c33480625f15

SHA512
fa93194d2e6731d3dd953d172c7371743ab01a06c7c5a6c0810a9e1802836544c33f83694e96f5ea3578209d4344ee4ba35ec42743b8060a3121ec825e64dd20

Download Submit
C:\Users\Admin\AppData\Local\Temp\oPL6j2OtN4.bat

Filesize
213B

MD5
f82d9441655bb4645c7e114b0d3a4577

SHA1
bcb2ccfc11632a0ae6df92a505c331bddd51bafe

SHA256
23b06e44b4074c747feaf384c030f990ba91ba02681e9f9eb6350cb6836ded74

SHA512
8b75ee9ccc1ed561242138d3c1e68d9b891753d520427859e4fbb6ceb64c2ca1c8db536b9155c31466c825a4bb4b9ed562d4dd8cd7f4040a619af1fcbdde3b9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\pgCyA6Uc1O.bat

Filesize
213B

MD5
4593cbf833053feb5fdab0cf0da950b1

SHA1
adb780525025cd724aeb5563edb7f982770dbc7b

SHA256
47413b599a0d98467359edfb2d2918b5edeb4928678f7354bc4e3f0768141819

SHA512
fb771a5f3766e699ace408f312200d71476e3b583ea147a26a676e07764bedafbe54ce475dcd2f18f0adee2f727db91df6ebc3d7c792b1ef56ade43984078610

Download Submit
C:\Users\Admin\AppData\Local\Temp\rd8mWnFnEV.bat

Filesize
213B

MD5
46f67df68fc3f9c0cb48ab642731f462

SHA1
2937e987cd1c17b82b0c350f2e65dfbdc821a735

SHA256
b7f0013b6795b7ceb1623a064040d26630521b76dcdc518db3c5dc1579dd1d5c

SHA512
576962cbf0c33158585369101524db2f3a2515b231328fc32e868913f8fba61e39740570cb20eb2cc2e474289f147a50b90200fc4f702f7190130613dc121b12

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
021e2ccafc6dbcc4bab699676f8c697c

SHA1
60bf87b704697afb0e33c0900a7ce487b6817052

SHA256
ecbb185f5d07840f5d2a8f53997391c3e3d852f58a43584e0c882aaac58e4b6e

SHA512
e0a84918c2cb2c64be2fecae997d9c606af53058d0523ffa77a12b63fedb16ae75f619c1dbf344a01dcf0c41518b1c41528cda85a40b19540bf9b630ff3e0876

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/1572-439-0x0000000000190000-0x00000000002A0000-memory.dmp

Filesize
1.1MB

Download
memory/1608-559-0x0000000001300000-0x0000000001410000-memory.dmp

Filesize
1.1MB

Download
memory/1672-56-0x0000000001E60000-0x0000000001E68000-memory.dmp

Filesize
32KB

Download
memory/2080-200-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/2316-140-0x0000000000F80000-0x0000000001090000-memory.dmp

Filesize
1.1MB

Download
memory/2416-260-0x0000000000080000-0x0000000000190000-memory.dmp

Filesize
1.1MB

Download
memory/2668-16-0x00000000002F0000-0x00000000002FC000-memory.dmp

Filesize
48KB

Download
memory/2668-17-0x0000000000300000-0x000000000030C000-memory.dmp

Filesize
48KB

Download
memory/2668-15-0x00000000002E0000-0x00000000002EC000-memory.dmp

Filesize
48KB

Download
memory/2668-14-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/2668-13-0x0000000000930000-0x0000000000A40000-memory.dmp

Filesize
1.1MB

Download
memory/2744-320-0x00000000010C0000-0x00000000011D0000-memory.dmp

Filesize
1.1MB

Download
memory/2788-81-0x0000000000150000-0x0000000000162000-memory.dmp

Filesize
72KB

Download
memory/2788-80-0x0000000000940000-0x0000000000A50000-memory.dmp

Filesize
1.1MB

Download
memory/2980-499-0x00000000010D0000-0x00000000011E0000-memory.dmp

Filesize
1.1MB

Download
memory/3060-41-0x000000001B4C0000-0x000000001B7A2000-memory.dmp

Filesize
2.9MB

Download