dcrat | 3083ffd13100bac408b485d6bf027b1dbb66d489045cd628582b575f3585189c

Analysis

max time kernel
145s
max time network
144s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 08:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_3083ffd13100bac408b485d6bf027b1dbb66d489045cd628582b575f3585189c.exe
Size

1.3MB
MD5

c66a9f132d6e290dbf382a7f526bf6e0
SHA1

7206028d4bf9077453e67cdffd16d726920d3238
SHA256

3083ffd13100bac408b485d6bf027b1dbb66d489045cd628582b575f3585189c
SHA512

0f1dd960e2ff9c98220a3ae504db173fb8b25b2ac26dea56a2793b033e1505ede48f7b0584565040d35a3d3ca8c62fb82bf682551cc005525683b3443077f00c
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	2936	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	2936	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	2936	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	2936	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	884	2936	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	2936	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	2936	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	2936	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	2936	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	2936	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1252	2936	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	984	2936	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	2936	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	2936	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1424	2936	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	2936	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	2936	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1196	2936	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1056	2936	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	2936	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	2936	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	2936	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1320	2936	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	2936	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2936	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	2936	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	2936	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1060	2936	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1328	2936	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	2936	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	696	2936	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	2936	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	2936	schtasks.exe	34

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016d69-9.dat	dcrat
behavioral1/memory/2740-13-0x00000000001E0000-0x00000000002F0000-memory.dmp	dcrat
behavioral1/memory/2128-100-0x00000000013A0000-0x00000000014B0000-memory.dmp	dcrat
behavioral1/memory/1044-402-0x00000000003E0000-0x00000000004F0000-memory.dmp	dcrat
behavioral1/memory/1200-462-0x0000000000A60000-0x0000000000B70000-memory.dmp	dcrat
behavioral1/memory/2348-522-0x00000000010C0000-0x00000000011D0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1812	powershell.exe
1840	powershell.exe
844	powershell.exe
1200	powershell.exe
2380	powershell.exe
2708	powershell.exe
1296	powershell.exe
1156	powershell.exe
1792	powershell.exe
1920	powershell.exe
1524	powershell.exe
1820	powershell.exe

Executes dropped EXE 10 IoCs

pid	Process
2740	DllCommonsvc.exe
2128	System.exe
2204	System.exe
1856	System.exe
2348	System.exe
2244	System.exe
1044	System.exe
1200	System.exe
2348	System.exe
2364	System.exe

Loads dropped DLL 2 IoCs

pid	Process
3056	cmd.exe
3056	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs

Web Service

T1102

flow	ioc
23	raw.githubusercontent.com
26	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com
20	raw.githubusercontent.com
30	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jre7\bin\lsm.exe	DllCommonsvc.exe
File created	C:\Program Files\Java\jre7\bin\101b941d020240	DllCommonsvc.exe
File opened for modification	C:\Program Files\Windows Mail\en-US\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Media Player\Icons\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\System.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Program Files\Windows Photo Viewer\ja-JP\System.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Photo Viewer\ja-JP\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Program Files\Windows Mail\en-US\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Mail\en-US\088424020bedd6	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\5940a34987c991	DllCommonsvc.exe
File created	C:\Windows\Tasks\dllhost.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_3083ffd13100bac408b485d6bf027b1dbb66d489045cd628582b575f3585189c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2548	schtasks.exe
1056	schtasks.exe
2276	schtasks.exe
2208	schtasks.exe
2436	schtasks.exe
1328	schtasks.exe
2156	schtasks.exe
1520	schtasks.exe
2168	schtasks.exe
884	schtasks.exe
1616	schtasks.exe
1424	schtasks.exe
2076	schtasks.exe
696	schtasks.exe
3048	schtasks.exe
2716	schtasks.exe
2360	schtasks.exe
2184	schtasks.exe
1196	schtasks.exe
2624	schtasks.exe
1060	schtasks.exe
2804	schtasks.exe
1252	schtasks.exe
984	schtasks.exe
2924	schtasks.exe
2244	schtasks.exe
2592	schtasks.exe
2204	schtasks.exe
2816	schtasks.exe
2560	schtasks.exe
1816	schtasks.exe
1500	schtasks.exe
1320	schtasks.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
2740	DllCommonsvc.exe
1820	powershell.exe
844	powershell.exe
2708	powershell.exe
2380	powershell.exe
1812	powershell.exe
1792	powershell.exe
1156	powershell.exe
1920	powershell.exe
1524	powershell.exe
1840	powershell.exe
1200	powershell.exe
1296	powershell.exe
2128	System.exe
2204	System.exe
1856	System.exe
2348	System.exe
2244	System.exe
1044	System.exe
1200	System.exe
2348	System.exe
2364	System.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	2740	DllCommonsvc.exe
Token: SeDebugPrivilege	1820	powershell.exe
Token: SeDebugPrivilege	2708	powershell.exe
Token: SeDebugPrivilege	844	powershell.exe
Token: SeDebugPrivilege	1812	powershell.exe
Token: SeDebugPrivilege	1792	powershell.exe
Token: SeDebugPrivilege	2380	powershell.exe
Token: SeDebugPrivilege	1156	powershell.exe
Token: SeDebugPrivilege	1920	powershell.exe
Token: SeDebugPrivilege	1524	powershell.exe
Token: SeDebugPrivilege	1840	powershell.exe
Token: SeDebugPrivilege	1200	powershell.exe
Token: SeDebugPrivilege	1296	powershell.exe
Token: SeDebugPrivilege	2128	System.exe
Token: SeDebugPrivilege	2204	System.exe
Token: SeDebugPrivilege	1856	System.exe
Token: SeDebugPrivilege	2348	System.exe
Token: SeDebugPrivilege	2244	System.exe
Token: SeDebugPrivilege	1044	System.exe
Token: SeDebugPrivilege	1200	System.exe
Token: SeDebugPrivilege	2348	System.exe
Token: SeDebugPrivilege	2364	System.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2344 wrote to memory of 2840	2344	JaffaCakes118_3083ffd13100bac408b485d6bf027b1dbb66d489045cd628582b575f3585189c.exe	30
PID 2344 wrote to memory of 2840	2344	JaffaCakes118_3083ffd13100bac408b485d6bf027b1dbb66d489045cd628582b575f3585189c.exe	30
PID 2344 wrote to memory of 2840	2344	JaffaCakes118_3083ffd13100bac408b485d6bf027b1dbb66d489045cd628582b575f3585189c.exe	30
PID 2344 wrote to memory of 2840	2344	JaffaCakes118_3083ffd13100bac408b485d6bf027b1dbb66d489045cd628582b575f3585189c.exe	30
PID 2840 wrote to memory of 3056	2840	WScript.exe	31
PID 2840 wrote to memory of 3056	2840	WScript.exe	31
PID 2840 wrote to memory of 3056	2840	WScript.exe	31
PID 2840 wrote to memory of 3056	2840	WScript.exe	31
PID 3056 wrote to memory of 2740	3056	cmd.exe	33
PID 3056 wrote to memory of 2740	3056	cmd.exe	33
PID 3056 wrote to memory of 2740	3056	cmd.exe	33
PID 3056 wrote to memory of 2740	3056	cmd.exe	33
PID 2740 wrote to memory of 2380	2740	DllCommonsvc.exe	68
PID 2740 wrote to memory of 2380	2740	DllCommonsvc.exe	68
PID 2740 wrote to memory of 2380	2740	DllCommonsvc.exe	68
PID 2740 wrote to memory of 2708	2740	DllCommonsvc.exe	69
PID 2740 wrote to memory of 2708	2740	DllCommonsvc.exe	69
PID 2740 wrote to memory of 2708	2740	DllCommonsvc.exe	69
PID 2740 wrote to memory of 1524	2740	DllCommonsvc.exe	70
PID 2740 wrote to memory of 1524	2740	DllCommonsvc.exe	70
PID 2740 wrote to memory of 1524	2740	DllCommonsvc.exe	70
PID 2740 wrote to memory of 1820	2740	DllCommonsvc.exe	71
PID 2740 wrote to memory of 1820	2740	DllCommonsvc.exe	71
PID 2740 wrote to memory of 1820	2740	DllCommonsvc.exe	71
PID 2740 wrote to memory of 1812	2740	DllCommonsvc.exe	72
PID 2740 wrote to memory of 1812	2740	DllCommonsvc.exe	72
PID 2740 wrote to memory of 1812	2740	DllCommonsvc.exe	72
PID 2740 wrote to memory of 1840	2740	DllCommonsvc.exe	73
PID 2740 wrote to memory of 1840	2740	DllCommonsvc.exe	73
PID 2740 wrote to memory of 1840	2740	DllCommonsvc.exe	73
PID 2740 wrote to memory of 1296	2740	DllCommonsvc.exe	74
PID 2740 wrote to memory of 1296	2740	DllCommonsvc.exe	74
PID 2740 wrote to memory of 1296	2740	DllCommonsvc.exe	74
PID 2740 wrote to memory of 1156	2740	DllCommonsvc.exe	75
PID 2740 wrote to memory of 1156	2740	DllCommonsvc.exe	75
PID 2740 wrote to memory of 1156	2740	DllCommonsvc.exe	75
PID 2740 wrote to memory of 1792	2740	DllCommonsvc.exe	76
PID 2740 wrote to memory of 1792	2740	DllCommonsvc.exe	76
PID 2740 wrote to memory of 1792	2740	DllCommonsvc.exe	76
PID 2740 wrote to memory of 844	2740	DllCommonsvc.exe	77
PID 2740 wrote to memory of 844	2740	DllCommonsvc.exe	77
PID 2740 wrote to memory of 844	2740	DllCommonsvc.exe	77
PID 2740 wrote to memory of 1200	2740	DllCommonsvc.exe	78
PID 2740 wrote to memory of 1200	2740	DllCommonsvc.exe	78
PID 2740 wrote to memory of 1200	2740	DllCommonsvc.exe	78
PID 2740 wrote to memory of 1920	2740	DllCommonsvc.exe	79
PID 2740 wrote to memory of 1920	2740	DllCommonsvc.exe	79
PID 2740 wrote to memory of 1920	2740	DllCommonsvc.exe	79
PID 2740 wrote to memory of 2128	2740	DllCommonsvc.exe	92
PID 2740 wrote to memory of 2128	2740	DllCommonsvc.exe	92
PID 2740 wrote to memory of 2128	2740	DllCommonsvc.exe	92
PID 2128 wrote to memory of 3032	2128	System.exe	93
PID 2128 wrote to memory of 3032	2128	System.exe	93
PID 2128 wrote to memory of 3032	2128	System.exe	93
PID 3032 wrote to memory of 608	3032	cmd.exe	95
PID 3032 wrote to memory of 608	3032	cmd.exe	95
PID 3032 wrote to memory of 608	3032	cmd.exe	95
PID 3032 wrote to memory of 2204	3032	cmd.exe	96
PID 3032 wrote to memory of 2204	3032	cmd.exe	96
PID 3032 wrote to memory of 2204	3032	cmd.exe	96
PID 2204 wrote to memory of 2080	2204	System.exe	97
PID 2204 wrote to memory of 2080	2204	System.exe	97
PID 2204 wrote to memory of 2080	2204	System.exe	97
PID 2080 wrote to memory of 2588	2080	cmd.exe	99

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3083ffd13100bac408b485d6bf027b1dbb66d489045cd628582b575f3585189c.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3083ffd13100bac408b485d6bf027b1dbb66d489045cd628582b575f3585189c.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2344
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3056
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2740
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2380
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\en-US\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2708
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1524
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Tasks\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1820
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1812
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1840
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1296
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jre7\bin\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1156
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\ja-JP\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1792
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:844
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1200
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1920
    - - C:\Program Files\Windows Photo Viewer\ja-JP\System.exe
        
        "C:\Program Files\Windows Photo Viewer\ja-JP\System.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2128
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UWW2tbEWSD.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3032
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:608
        
        C:\Program Files\Windows Photo Viewer\ja-JP\System.exe
        
        "C:\Program Files\Windows Photo Viewer\ja-JP\System.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2204
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZZzsG8LzQB.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2080
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2588
        
        C:\Program Files\Windows Photo Viewer\ja-JP\System.exe
        
        "C:\Program Files\Windows Photo Viewer\ja-JP\System.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1856
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ER58NgmlZn.bat"
        10⤵
        
        PID:1720
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:3044
        
        C:\Program Files\Windows Photo Viewer\ja-JP\System.exe
        
        "C:\Program Files\Windows Photo Viewer\ja-JP\System.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2348
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bbT3NvUu3s.bat"
        12⤵
        
        PID:1736
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1876
        
        C:\Program Files\Windows Photo Viewer\ja-JP\System.exe
        
        "C:\Program Files\Windows Photo Viewer\ja-JP\System.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2244
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vXy3H03RZr.bat"
        14⤵
        
        PID:2240
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2388
        
        C:\Program Files\Windows Photo Viewer\ja-JP\System.exe
        
        "C:\Program Files\Windows Photo Viewer\ja-JP\System.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1044
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\b7oBPqXqtO.bat"
        16⤵
        
        PID:1888
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2432
        
        C:\Program Files\Windows Photo Viewer\ja-JP\System.exe
        
        "C:\Program Files\Windows Photo Viewer\ja-JP\System.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1200
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0xFiNVDkrN.bat"
        18⤵
        
        PID:2688
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2612
        
        C:\Program Files\Windows Photo Viewer\ja-JP\System.exe
        
        "C:\Program Files\Windows Photo Viewer\ja-JP\System.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2348
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8zQYTmmGlF.bat"
        20⤵
        
        PID:1500
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:1936
        
        C:\Program Files\Windows Photo Viewer\ja-JP\System.exe
        
        "C:\Program Files\Windows Photo Viewer\ja-JP\System.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Mail\en-US\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\en-US\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Mail\en-US\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Windows\Tasks\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Tasks\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\Tasks\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default User\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft.NET\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft.NET\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\jre7\bin\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\bin\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Program Files\Java\jre7\bin\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\providercommon\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\providercommon\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cc733cc5e7c9de3d8495a997f06a169a

SHA1
ea9fd02554108bd10d7be4e3a838ba2951803232

SHA256
21f6345df18b3b435fe2cd04d3ee86eb216f0a64da6ad3f6d4ae8c7d89f057f8

SHA512
dedbac4270929c085b4735c22e880ab6747881fe75066aa12fe1525552b35043301bab7ca52395b21f850d66d096ca09eef27f16799f10546474bf8f460890ec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7d2ea0be2dbc72d685220942b63a1d6f

SHA1
d0ad6eefa28f88ee88201ffd8c8ca1eb1690abc1

SHA256
110481f60fe42dce33ed00a4d9a83e92d4f45548606daee0547f663a0b8321ef

SHA512
091fa8d4ec551f922835da5f8d18f9baf163060f2b000961f5505971a61c7997611f7da2abd183715191a062a1cfb224e27be9e5c3571c670c4cb4c4f30deb93

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
40bbb59689a99682394b5228152e40c9

SHA1
cc0550cd9c36b1ae4be43f3425704af74c3e23d1

SHA256
b2cc9dbe2ba3f19c2bab67597313dfab53633c1aaf43603279a97dfdab46195f

SHA512
1c42fcf6058759509eda3d9db37b81562115d7da033981e8ab3b3a6ddff691ee384bd5024607e2cdaead0d69d39d7a7b5db4a139ed994a0b0809d6bef708d67c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4778f724ac4839041814e719fb255a37

SHA1
f0803db14a18c6b6026dc024da4048fc4ede8275

SHA256
bcc27288749cea3321c0e49f5ac1a42b19beff259287134473db29211731f2cb

SHA512
6b0b3f58181b7f6181ee2fe478118799adaa2a9cee21cf6414790a10e6ca95bc7a1eff50f8795a3e201868d3e6954573923a00a488786a899a574104faeb948c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c2778455d4e5c16d6a55deaf9dceac7f

SHA1
6b7dbfa7822eb31141e1069e3eabdc2a59d10fce

SHA256
e1f2930e12c7a275309fc676e40a438e8c0da85fd3a346425e70d165a88f95c1

SHA512
2b1e623bed52423f7987ec5e76a012232d70a3f493149e378f2e871abd50e336ed55fe7a17ac7d85c3d4f5e1e0ed4da34172facf73ac37310c8152faef07c4f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
858c0412f3c73594c3cffe6d57158b33

SHA1
a2c5c6a0caeed6bb785388487f8a0e85e2a89547

SHA256
a041ae54b460957d1efa3a350c947f1fb163a06fca4eafd2d9a504f4f5e958d5

SHA512
db9c6d31ecac7210cf804aa64b325a01fb0b4f77d580878c4adbc3d0ad5775a203520687c1fbb8eef064e56f00ec08c606b85da1028f0af76736fc89b8f07ab9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7a4e3cac03ceefefa73a359eb24865ff

SHA1
e3bcca9f28d576f1497d2c55d37aa7e0a6b7c245

SHA256
adfa9604a5e7dfbb5f8009ab3d870691065168b80b13b2a1df05f795dcf5d2bd

SHA512
7f9bb511da42b9a1dd4371622fae0f91f4da4b324a767f48df30c81072be1bf1408df435f48ae38645cc9e86938957957d65eee07870ce2f9c4777227dd4aee5

Download Submit
C:\Users\Admin\AppData\Local\Temp\0xFiNVDkrN.bat

Filesize
219B

MD5
4e2ec3d07820a79f33860a23536ff6ea

SHA1
9fa3e848b60b8d4dd83098f19612eecde7baa95c

SHA256
5df9da097a253cb34ec0a8c5255287d63431ce4c0f0e7653cefcbc71f48cc852

SHA512
c9ebcc97e78c77487cf061f17d9db045646dc1c3cbf1bbad91cb807bf58eabbe4613d95bfbe7353865be3b47d887d26474be39332a2e924c7959365218b7194f

Download Submit
C:\Users\Admin\AppData\Local\Temp\8zQYTmmGlF.bat

Filesize
219B

MD5
a8c24bd08cb67e00a5475d67d61ad9f0

SHA1
069b4f2033f6ca626977f0ad78477d57b7a7da6c

SHA256
9705a1976ab208c2fd8109f1123d34c73708d5e4d069ec6f2e7bd1a4f4585efb

SHA512
d815a203a326b6706ca43c24ac2ee2939c7716a0d7fa75c5117edfdc02c700f4d2d2c6ab9b9bf1900972008e586172175d705e8e0b83a2a74ccb468370537777

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab46C2.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ER58NgmlZn.bat

Filesize
219B

MD5
34575dbf42262e8f8103af178f0b0517

SHA1
ec72d2ae59bb9a9c80d8e67e5f77250e5a39aaa4

SHA256
7f2ca2ff8e4d5305561c6f104b2555df892388c5cdca07f9f14bfdfc6b0332f2

SHA512
18431237570acb0b62460c404aab9bc619f3fce20f8f56ca6c9d31a29962e38fbcc075cc8e487c9b76da12e77c215c4e1d2777531e0508c366d56361ad5c0687

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4723.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UWW2tbEWSD.bat

Filesize
219B

MD5
73784d72331ee9e5b6427bcf5d6dfc8a

SHA1
49d53f58516482b5a4f0d33689177a78364da9f3

SHA256
427eb714205abd7cf2d8cca8640587917192f5e9c16272acd33b8c95b6800dea

SHA512
d502d758821c4e3108e5e6a657a7d9268aaeb8c0b8ed54621deb3fafa5107a9fe298aa104eea7576fa80d816dbdabebbf722a4dc1ef304c8b92ebdf88ca57361

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZZzsG8LzQB.bat

Filesize
219B

MD5
a5af1bb6d106dc613f740df9a5640850

SHA1
dc51b95e4d155215944b12c388b08af5e8bbb034

SHA256
7e1660c048a4e3fc0e485aa153dd1f538ea8279d18492f22f53f20d8b1ccf913

SHA512
ddf4af7c84681df3f6d77c75d3dfb5424b39878e8a9976d47fd8aaa349778b81cc257819e516c10a38e09fa2883843b807689572582f7be894ab2770b5f1ab75

Download Submit
C:\Users\Admin\AppData\Local\Temp\b7oBPqXqtO.bat

Filesize
219B

MD5
f7ed7b1b5057c0287d02966e8822a952

SHA1
d8cdae4bdad259a190a4af88406fd93a70a1fbca

SHA256
bb6a00de669f8490dd4149b82ca0fe6d51f59fbf85e7f0c34b8bf72f32da61ae

SHA512
38e01fec9b5cf80e088169b8896a38b32ef987de2106c312dcd39790b51ca1169307a44b58ec15728d1a8eb64ddacb2a21e3226ffb8a904fd49523f54ef0ab82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bbT3NvUu3s.bat

Filesize
219B

MD5
f802bc58afe20e7f2f6c7349ae355187

SHA1
3bcc7ba80a368db8319ce319f1848f7559bb4d5f

SHA256
5319a797a8531e1e336dd2c24930c64b07f566b07c31e6f953e8d4a55b7e8821

SHA512
81c41c93521e55e32643e9fdc95955bb15088bfe49cb93ee216d8d31c5452c714dd9444dfb2034e360e30cda3db9de9d6ef620d547fa7f68e6a27a88df78e486

Download Submit
C:\Users\Admin\AppData\Local\Temp\vXy3H03RZr.bat

Filesize
219B

MD5
a589abc951eb37280fda79e87c19bdd5

SHA1
4fa5c9eac6997a037e40361a847e05320741b4d8

SHA256
bc697f6191c7487948dedfc12c2b3db3d4349fb51f03fead1674c761649de494

SHA512
c3609c2bcc8de2c3dc52ad9d769f5b4225775867edb1d765434b3d7a3253e2bdd7f0022f86056adca44d657f8ae5cdba77d6e71aba9adab17c660bb68da2d066

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
8b8111d8fd3ac8a587f32c2ec8708a01

SHA1
2fe3b6322d616f124ac2c5fef79d328c1231fa37

SHA256
e63ec09a16bc4df39a27f252079982a554d4198ee729d595699be0a2c8ff0372

SHA512
144bfecfb33099d03839a3b26b0957b585fb1775500a8c73ef016f6665531e51c90b4d609dae17ea29c3dbdf0952121507a894ffaa725d900c7643344b27547b

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/1044-402-0x00000000003E0000-0x00000000004F0000-memory.dmp

Filesize
1.1MB

Download
memory/1156-94-0x0000000002320000-0x0000000002328000-memory.dmp

Filesize
32KB

Download
memory/1200-462-0x0000000000A60000-0x0000000000B70000-memory.dmp

Filesize
1.1MB

Download
memory/1820-68-0x000000001B2B0000-0x000000001B592000-memory.dmp

Filesize
2.9MB

Download
memory/1856-222-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/2128-100-0x00000000013A0000-0x00000000014B0000-memory.dmp

Filesize
1.1MB

Download
memory/2244-342-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/2348-282-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/2348-522-0x00000000010C0000-0x00000000011D0000-memory.dmp

Filesize
1.1MB

Download
memory/2740-16-0x0000000002030000-0x000000000203C000-memory.dmp

Filesize
48KB

Download
memory/2740-17-0x0000000002040000-0x000000000204C000-memory.dmp

Filesize
48KB

Download
memory/2740-15-0x0000000002050000-0x000000000205C000-memory.dmp

Filesize
48KB

Download
memory/2740-14-0x0000000001FE0000-0x0000000001FF2000-memory.dmp

Filesize
72KB

Download
memory/2740-13-0x00000000001E0000-0x00000000002F0000-memory.dmp

Filesize
1.1MB

Download