dcrat | ed183a62f716f18eabceaa76b4be07b0964a15b90fd17a44342631ac85e521ee

Analysis

max time kernel
146s
max time network
141s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 06:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_ed183a62f716f18eabceaa76b4be07b0964a15b90fd17a44342631ac85e521ee.exe
Size

1.3MB
MD5

1d0f92131d446bb757559c0715a0116e
SHA1

22abe0fe9aa3091f852c19e4de0b570bc63a6aa5
SHA256

ed183a62f716f18eabceaa76b4be07b0964a15b90fd17a44342631ac85e521ee
SHA512

31b428acc3d01a47b31c21775c956a4aeafd2ce555c26ac950e8a928815002d2597a8caa9c116f2fad389042d8537344ce57a93cce67e7a5b8774b4600e35e43
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1048	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1560	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1240	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	696	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1328	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	484	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	280	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1880	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1444	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1300	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1840	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	404	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1364	2916	schtasks.exe	34

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00070000000192f0-9.dat	dcrat
behavioral1/memory/2884-13-0x0000000000B30000-0x0000000000C40000-memory.dmp	dcrat
behavioral1/memory/3052-46-0x0000000000C80000-0x0000000000D90000-memory.dmp	dcrat
behavioral1/memory/2860-227-0x00000000011B0000-0x00000000012C0000-memory.dmp	dcrat
behavioral1/memory/2332-287-0x0000000000190000-0x00000000002A0000-memory.dmp	dcrat
behavioral1/memory/1364-347-0x00000000003A0000-0x00000000004B0000-memory.dmp	dcrat
behavioral1/memory/348-407-0x0000000000280000-0x0000000000390000-memory.dmp	dcrat
behavioral1/memory/2172-467-0x0000000000E40000-0x0000000000F50000-memory.dmp	dcrat
behavioral1/memory/2768-527-0x0000000000F60000-0x0000000001070000-memory.dmp	dcrat
behavioral1/memory/2340-587-0x0000000000F80000-0x0000000001090000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1956	powershell.exe
2392	powershell.exe
1784	powershell.exe
952	powershell.exe
1636	powershell.exe
856	powershell.exe
672	powershell.exe
1936	powershell.exe
1036	powershell.exe
2988	powershell.exe
1812	powershell.exe
908	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2884	DllCommonsvc.exe
3052	System.exe
2752	System.exe
3068	System.exe
2860	System.exe
2332	System.exe
1364	System.exe
348	System.exe
2172	System.exe
2768	System.exe
2340	System.exe
2552	System.exe

Loads dropped DLL 2 IoCs

pid	Process
2772	cmd.exe
2772	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
16	raw.githubusercontent.com
17	raw.githubusercontent.com
20	raw.githubusercontent.com
24	raw.githubusercontent.com
27	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
13	raw.githubusercontent.com
30	raw.githubusercontent.com
9	raw.githubusercontent.com
33	raw.githubusercontent.com
37	raw.githubusercontent.com

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\ebf1f9fa8afd6d	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\de-DE\sppsvc.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\de-DE\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\System.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\cmd.exe	DllCommonsvc.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\DigitalLocker\en-US\csrss.exe	DllCommonsvc.exe
File opened for modification	C:\Windows\DigitalLocker\en-US\csrss.exe	DllCommonsvc.exe
File created	C:\Windows\DigitalLocker\en-US\886983d96e3d3e	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_ed183a62f716f18eabceaa76b4be07b0964a15b90fd17a44342631ac85e521ee.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
696	schtasks.exe
280	schtasks.exe
2692	schtasks.exe
2968	schtasks.exe
3020	schtasks.exe
1300	schtasks.exe
2128	schtasks.exe
2660	schtasks.exe
2112	schtasks.exe
1720	schtasks.exe
2704	schtasks.exe
2764	schtasks.exe
1048	schtasks.exe
1560	schtasks.exe
2428	schtasks.exe
1880	schtasks.exe
2404	schtasks.exe
2348	schtasks.exe
1364	schtasks.exe
1984	schtasks.exe
2024	schtasks.exe
1328	schtasks.exe
2616	schtasks.exe
1240	schtasks.exe
1444	schtasks.exe
2068	schtasks.exe
404	schtasks.exe
2040	schtasks.exe
1996	schtasks.exe
484	schtasks.exe
2060	schtasks.exe
1840	schtasks.exe
2832	schtasks.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
2884	DllCommonsvc.exe
2392	powershell.exe
1936	powershell.exe
952	powershell.exe
672	powershell.exe
1956	powershell.exe
3052	System.exe
2988	powershell.exe
1812	powershell.exe
1636	powershell.exe
1036	powershell.exe
1784	powershell.exe
856	powershell.exe
908	powershell.exe
2752	System.exe
2860	System.exe
2332	System.exe
1364	System.exe
348	System.exe
2172	System.exe
2768	System.exe
2340	System.exe
2552	System.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	2884	DllCommonsvc.exe
Token: SeDebugPrivilege	3052	System.exe
Token: SeDebugPrivilege	2392	powershell.exe
Token: SeDebugPrivilege	1936	powershell.exe
Token: SeDebugPrivilege	952	powershell.exe
Token: SeDebugPrivilege	672	powershell.exe
Token: SeDebugPrivilege	1956	powershell.exe
Token: SeDebugPrivilege	2988	powershell.exe
Token: SeDebugPrivilege	1812	powershell.exe
Token: SeDebugPrivilege	1636	powershell.exe
Token: SeDebugPrivilege	1036	powershell.exe
Token: SeDebugPrivilege	1784	powershell.exe
Token: SeDebugPrivilege	856	powershell.exe
Token: SeDebugPrivilege	908	powershell.exe
Token: SeDebugPrivilege	2752	System.exe
Token: SeDebugPrivilege	2860	System.exe
Token: SeDebugPrivilege	2332	System.exe
Token: SeDebugPrivilege	1364	System.exe
Token: SeDebugPrivilege	348	System.exe
Token: SeDebugPrivilege	2172	System.exe
Token: SeDebugPrivilege	2768	System.exe
Token: SeDebugPrivilege	2340	System.exe
Token: SeDebugPrivilege	2552	System.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 2084	1712	JaffaCakes118_ed183a62f716f18eabceaa76b4be07b0964a15b90fd17a44342631ac85e521ee.exe	30
PID 1712 wrote to memory of 2084	1712	JaffaCakes118_ed183a62f716f18eabceaa76b4be07b0964a15b90fd17a44342631ac85e521ee.exe	30
PID 1712 wrote to memory of 2084	1712	JaffaCakes118_ed183a62f716f18eabceaa76b4be07b0964a15b90fd17a44342631ac85e521ee.exe	30
PID 1712 wrote to memory of 2084	1712	JaffaCakes118_ed183a62f716f18eabceaa76b4be07b0964a15b90fd17a44342631ac85e521ee.exe	30
PID 2084 wrote to memory of 2772	2084	WScript.exe	31
PID 2084 wrote to memory of 2772	2084	WScript.exe	31
PID 2084 wrote to memory of 2772	2084	WScript.exe	31
PID 2084 wrote to memory of 2772	2084	WScript.exe	31
PID 2772 wrote to memory of 2884	2772	cmd.exe	33
PID 2772 wrote to memory of 2884	2772	cmd.exe	33
PID 2772 wrote to memory of 2884	2772	cmd.exe	33
PID 2772 wrote to memory of 2884	2772	cmd.exe	33
PID 2884 wrote to memory of 672	2884	DllCommonsvc.exe	68
PID 2884 wrote to memory of 672	2884	DllCommonsvc.exe	68
PID 2884 wrote to memory of 672	2884	DllCommonsvc.exe	68
PID 2884 wrote to memory of 1936	2884	DllCommonsvc.exe	69
PID 2884 wrote to memory of 1936	2884	DllCommonsvc.exe	69
PID 2884 wrote to memory of 1936	2884	DllCommonsvc.exe	69
PID 2884 wrote to memory of 1956	2884	DllCommonsvc.exe	70
PID 2884 wrote to memory of 1956	2884	DllCommonsvc.exe	70
PID 2884 wrote to memory of 1956	2884	DllCommonsvc.exe	70
PID 2884 wrote to memory of 2392	2884	DllCommonsvc.exe	72
PID 2884 wrote to memory of 2392	2884	DllCommonsvc.exe	72
PID 2884 wrote to memory of 2392	2884	DllCommonsvc.exe	72
PID 2884 wrote to memory of 1784	2884	DllCommonsvc.exe	73
PID 2884 wrote to memory of 1784	2884	DllCommonsvc.exe	73
PID 2884 wrote to memory of 1784	2884	DllCommonsvc.exe	73
PID 2884 wrote to memory of 1636	2884	DllCommonsvc.exe	74
PID 2884 wrote to memory of 1636	2884	DllCommonsvc.exe	74
PID 2884 wrote to memory of 1636	2884	DllCommonsvc.exe	74
PID 2884 wrote to memory of 1036	2884	DllCommonsvc.exe	75
PID 2884 wrote to memory of 1036	2884	DllCommonsvc.exe	75
PID 2884 wrote to memory of 1036	2884	DllCommonsvc.exe	75
PID 2884 wrote to memory of 952	2884	DllCommonsvc.exe	77
PID 2884 wrote to memory of 952	2884	DllCommonsvc.exe	77
PID 2884 wrote to memory of 952	2884	DllCommonsvc.exe	77
PID 2884 wrote to memory of 908	2884	DllCommonsvc.exe	80
PID 2884 wrote to memory of 908	2884	DllCommonsvc.exe	80
PID 2884 wrote to memory of 908	2884	DllCommonsvc.exe	80
PID 2884 wrote to memory of 1812	2884	DllCommonsvc.exe	81
PID 2884 wrote to memory of 1812	2884	DllCommonsvc.exe	81
PID 2884 wrote to memory of 1812	2884	DllCommonsvc.exe	81
PID 2884 wrote to memory of 2988	2884	DllCommonsvc.exe	82
PID 2884 wrote to memory of 2988	2884	DllCommonsvc.exe	82
PID 2884 wrote to memory of 2988	2884	DllCommonsvc.exe	82
PID 2884 wrote to memory of 856	2884	DllCommonsvc.exe	83
PID 2884 wrote to memory of 856	2884	DllCommonsvc.exe	83
PID 2884 wrote to memory of 856	2884	DllCommonsvc.exe	83
PID 2884 wrote to memory of 3052	2884	DllCommonsvc.exe	90
PID 2884 wrote to memory of 3052	2884	DllCommonsvc.exe	90
PID 2884 wrote to memory of 3052	2884	DllCommonsvc.exe	90
PID 3052 wrote to memory of 2656	3052	System.exe	94
PID 3052 wrote to memory of 2656	3052	System.exe	94
PID 3052 wrote to memory of 2656	3052	System.exe	94
PID 2656 wrote to memory of 1312	2656	cmd.exe	96
PID 2656 wrote to memory of 1312	2656	cmd.exe	96
PID 2656 wrote to memory of 1312	2656	cmd.exe	96
PID 2656 wrote to memory of 2752	2656	cmd.exe	97
PID 2656 wrote to memory of 2752	2656	cmd.exe	97
PID 2656 wrote to memory of 2752	2656	cmd.exe	97
PID 2752 wrote to memory of 1724	2752	System.exe	98
PID 2752 wrote to memory of 1724	2752	System.exe	98
PID 2752 wrote to memory of 1724	2752	System.exe	98
PID 1724 wrote to memory of 2340	1724	cmd.exe	100

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ed183a62f716f18eabceaa76b4be07b0964a15b90fd17a44342631ac85e521ee.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ed183a62f716f18eabceaa76b4be07b0964a15b90fd17a44342631ac85e521ee.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2084
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2772
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2884
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:672
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\DigitalLocker\en-US\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1936
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\de-DE\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1956
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2392
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1784
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Downloads\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1636
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1036
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Office\Templates\1033\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:952
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:908
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1812
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2988
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:856
    - - C:\Program Files (x86)\Microsoft Office\Templates\1033\System.exe
        
        "C:\Program Files (x86)\Microsoft Office\Templates\1033\System.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3052
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JGN3MoCgVZ.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2656
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1312
        
        C:\Program Files (x86)\Microsoft Office\Templates\1033\System.exe
        
        "C:\Program Files (x86)\Microsoft Office\Templates\1033\System.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pakqiPPahT.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1724
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2340
        
        C:\Program Files (x86)\Microsoft Office\Templates\1033\System.exe
        
        "C:\Program Files (x86)\Microsoft Office\Templates\1033\System.exe"
        9⤵
        Executes dropped EXE
        
        PID:3068
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\da4noHdFs8.bat"
        10⤵
        
        PID:1868
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2012
        
        C:\Program Files (x86)\Microsoft Office\Templates\1033\System.exe
        
        "C:\Program Files (x86)\Microsoft Office\Templates\1033\System.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2860
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vkfoWdc5zM.bat"
        12⤵
        
        PID:1832
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1756
        
        C:\Program Files (x86)\Microsoft Office\Templates\1033\System.exe
        
        "C:\Program Files (x86)\Microsoft Office\Templates\1033\System.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2332
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JJ2zQTaq6h.bat"
        14⤵
        
        PID:2896
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1412
        
        C:\Program Files (x86)\Microsoft Office\Templates\1033\System.exe
        
        "C:\Program Files (x86)\Microsoft Office\Templates\1033\System.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1364
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\djCrJd6RmA.bat"
        16⤵
        
        PID:2304
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2292
        
        C:\Program Files (x86)\Microsoft Office\Templates\1033\System.exe
        
        "C:\Program Files (x86)\Microsoft Office\Templates\1033\System.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:348
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZES4mQr7Bk.bat"
        18⤵
        
        PID:1612
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1784
        
        C:\Program Files (x86)\Microsoft Office\Templates\1033\System.exe
        
        "C:\Program Files (x86)\Microsoft Office\Templates\1033\System.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2172
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QOz0umrEhM.bat"
        20⤵
        
        PID:2468
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2360
        
        C:\Program Files (x86)\Microsoft Office\Templates\1033\System.exe
        
        "C:\Program Files (x86)\Microsoft Office\Templates\1033\System.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2768
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\T3kbcxG26A.bat"
        22⤵
        
        PID:556
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2752
        
        C:\Program Files (x86)\Microsoft Office\Templates\1033\System.exe
        
        "C:\Program Files (x86)\Microsoft Office\Templates\1033\System.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2340
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pdW26R6SPG.bat"
        24⤵
        
        PID:1924
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:1164
        
        C:\Program Files (x86)\Microsoft Office\Templates\1033\System.exe
        
        "C:\Program Files (x86)\Microsoft Office\Templates\1033\System.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\DigitalLocker\en-US\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\en-US\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\DigitalLocker\en-US\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\de-DE\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\de-DE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\de-DE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Downloads\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Public\Downloads\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Downloads\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\providercommon\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Office\Templates\1033\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Templates\1033\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Office\Templates\1033\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 8 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\providercommon\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\providercommon\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dfd69a573d1c2f58fc7100b948b1b95c

SHA1
524bddb5fa379db4e67c612f9b42c046c3690aef

SHA256
7b4d159b47f022ca99ecf558a97de3aaa997aa92470f23e7fb83488279ae56cd

SHA512
bd7116a3b04110ee21ad59e24b8135ae4d449eba845b2bf28d10281cdec0ca2f10d89bb7b8e1630ff01fd56d23004b4fda82db5b192027fb3eed0673f649a2ac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
469c6a4c58e7909182bf39d02c661244

SHA1
d28a257cd69328ab280f869d7e86d717ace0dab7

SHA256
83af6f893d3c5df443903bcecb4671d54600f1e65fb5aaec260355718fccea83

SHA512
844aeb5d3d02a5cd7b70950d304b09f2970a33b00c92f7fb70dd68ccfe7651f727dc0a75f932728b034fb0e2e2c8f16dc7deee734ecded6d357ec7f5c7eda043

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5f67ce3071a3c5b120af86c7bb68012f

SHA1
1d3b62a4fcbea0001d50d4738398ce2c714c89bf

SHA256
eed18ee06e35aa797d8a12623831e0e002c3b897a6f707f0d8b2f93dab6047f3

SHA512
20c242c4e81d546bcb607f2b492b0b0378a920db17bdb248f0b9c8c1053c2f874e47636d25731265ea686d9a475207c2ed7763b451652f92eb478b4e7fd75939

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ef0230e4ceca39131f86e05bbbd802c3

SHA1
6d26eeac816b64b8c1ac7aa21cd3b86044260611

SHA256
d049e1f0403d7ab8db2ac82e3c49580aa1809aefddcfe75eb7167821aeedc619

SHA512
20e9cb931d3b44baeed568708e8429c9d692bf725969be8d12b4ec73e6e2534369ea69bc9f8906cd9abd67af0bb9bda6cfe2afaf688acc6932158819b763c362

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f83112aac2a2f9e4a6917655287d7c90

SHA1
509a7c870ba6fb30e53e3cbe26b9207ce08ffa7e

SHA256
b3f4e050730fc24d70c065d2fc60f1fc91172afe2d313dbe6162ab25d5e03801

SHA512
57f690cd14d525321fc8f367496e190e1205118b26e4823f1d5848f04a1e39b24e11083c03cca62f5d54359eac7d1b022c2a493ca49d441f457fa74fbfd673e2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
672dd46118edebadafdfc8eaa41e4536

SHA1
1912e54e595c4634ba7c4c34af5ba7417523a62e

SHA256
e00eaff515a51c8e8f5a4b3bf2ced3939158d892a07321cb0a4e4eb6cbe1f8c1

SHA512
752ba7a6107f7d7f71aea9e5a31c23e5c8a0c3949485567fad6578b667c2050de7751327063abdef302b6f130735c8b828ba208f990b4838162af5900f50508e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fe3a718f8fff9d98ae03f4374ab6b9fa

SHA1
fb99179e6ca8787a73c64bb2390df6b772d747e6

SHA256
d7506204ad6da0aef784332d9ea5766155e87502c27dc1438312663190f460f5

SHA512
b920601de47d59e1e8c7295d197db4ef50299c47aaace279e15b42d6c0dbc6f33421f4d03ed9d8efde26835a1c4ecd53465f5e9f1c61647fa089e9df151e4a5e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
93e00614ad905b42f6acdcbb41481291

SHA1
5849ee21c9192754ce0fcaeab0211685c6c702b3

SHA256
c3416134ca7bc987ae2ffa8de496ae48e13da7d2772a8da8d4cf48d330550df8

SHA512
9260db75225d88d463bbd28b838fe2c06a56458bfcdec2550711732992ff599a9a5c8f1e33fc1c9535aae7b2fe7c31007ca44bde870222e97b74307e8c6005ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF6B0.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\JGN3MoCgVZ.bat

Filesize
230B

MD5
bb44981750ee5a8e32ff70b5bba34775

SHA1
ba0cb782bcc425513415fd3850b271a04edf0d60

SHA256
46d779818f50c6fdee8947df635b29fb08165b3e1ef6fc2a08d021ba08387791

SHA512
d2b99f3b94482093cb110967008abe2d186c1f5678ed7b60f6ce1b9dee08d49cec304fc6f5cbf580d1611bf00ef83afa44840dce3055ec4547c90abf58f9b819

Download Submit
C:\Users\Admin\AppData\Local\Temp\JJ2zQTaq6h.bat

Filesize
230B

MD5
7f4102e778d360dff9d2976c6d5bd959

SHA1
a7cd03218def4031f1e9fe9f92ab20aac765871e

SHA256
57b84cd5672a765cdc9d02a83347134511bc2ee7540d7a82a1aab68127c0733e

SHA512
b14e9a3655a043956382ec36f72e49727d79f5dd7c679bebaf2f607f5aafc35963898c34972f23ab38880c2b804eddc6992c5da9e14bb6ecc627c260c59638de

Download Submit
C:\Users\Admin\AppData\Local\Temp\QOz0umrEhM.bat

Filesize
230B

MD5
8806289a15d3a4e7c4ad80afc3d3759d

SHA1
2f17c7e79d237d9f3c7c4d6d28eb1694a4758059

SHA256
b4338f1315079043321fbbbd6240cc248a2de67fe0cfc8cc65a95bdb34107984

SHA512
dfb53356d329db9c5a80487a85bec81c98ea6c3d998ee4e99de48dc33992653047ed46fe0fadceda3c1314cd1cf10fc29b17029a3a10009b41ab772d2c9d58d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\T3kbcxG26A.bat

Filesize
230B

MD5
0f11d53bdfd0070139792f3960dad52a

SHA1
5a323dc12aea0d25e2f6b7aebcfb4f6bb24eb66b

SHA256
6ab6399e53d4996838be6c46b5e449caab2e98259fe9d00bf2eb9109f75bef9f

SHA512
d92e96daf8cd7e5d913e9a551385cddbb54e91cb55edbe3bc2fafa41fe35b8d8b4e4a586b890e23e4ccb622d50f2759a64aaf5bdcfaa0d4a45d54ffcc9a5f76d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF6D2.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZES4mQr7Bk.bat

Filesize
230B

MD5
dcd8525ab9fc536b749e28756f16b077

SHA1
4309618d599fa44e3d18960a892be14f4babe3dd

SHA256
79c951524a2f1ccd000eaf63b340873a28495fabe0d6ab9be6fddf72a58ed144

SHA512
d8c9c3e22a7c920fcf41c3ea322f34c1c3eaaaedee9d7bdc8e51923d539ab91adc5fab15c91d7c1feadecd5c3f31777f564d963ee3f7894884353dfe4743e213

Download Submit
C:\Users\Admin\AppData\Local\Temp\djCrJd6RmA.bat

Filesize
230B

MD5
7d1dafcc3e914ec2501a454ba0cb0ad2

SHA1
e0a340af7729c6fafc07b29f22fdb9fcc4314b03

SHA256
66c27aeb43c2664a3d4175e3ab21abbc72cb545d38d407d9b0ae94421c7a416b

SHA512
4de2df970a9dec9e639083fedfe17f496aa9e4e8a9d3ac288fd5b5f7e77a83bb63bdcc1023ce9dab47899c0c26fc3f66643716c8fa23eafaa4b5e36cdc006893

Download Submit
C:\Users\Admin\AppData\Local\Temp\pakqiPPahT.bat

Filesize
230B

MD5
b1795ebfacc917332e158e0099cc34f2

SHA1
a9b5b7bf3e1361366fb13ab48bc9db05e5e47437

SHA256
dae83c92781108db02e4d05a4d710b694ac2a8e863221a2728714cc4ae0df0c7

SHA512
ae2ceadc3645ea433c7eba6a05bbbe3e0a210724083272189fbdd3732931126c0d25ac9ce57cb2707f156bbdaef829c60f3b5d52eaa53007cdeb212d1713fcbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\pdW26R6SPG.bat

Filesize
230B

MD5
035c96d36c1001f0fcc23045bff831bd

SHA1
b217e1be43b383fbfee462cd3c03568f6949b46d

SHA256
9a2581b33743a7a3da519f5530fac8de17e6bbccc41a06b2d2d4d8e44bd4b282

SHA512
db1204a70cf75e585a749613e282a980f1bd7cf568acc8b6127ad3870b03083dde96c2cbce6e0271a8078ec22f28b0d54ad41e0608da308cb8db6a015ec9688f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vkfoWdc5zM.bat

Filesize
230B

MD5
1581c58e4dcc47766a49a15a60e6cc1f

SHA1
c5762e2f0e7267ed000e7ab5ab2bb95cd0826158

SHA256
1e52437b8a8c96997975986df8b00cd10dd59bf0e5368e149a81cb4c460dcfcd

SHA512
e1952d630fb963df1cf8d7420c4738b6f40df60e545e9c3f79e1273096be2e2f31d8b1896a5cc05b07ce9e52d5f759cd682d46a47015ed679898c62310345ae2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7ac3ed321a5e121a5ba9101332f3fdcf

SHA1
1094dbb4d8e97e22168a67ee4e419f93e541a03c

SHA256
42cad9c7ec55ad5ad716454a00999e3e37a0fd47587fd442bf0d6e87193520cd

SHA512
e13c02e1e5f9f1bdca34b318e59cf7f9f65f9752e5be04b7bf0bb86a617d541305d8730fc1108d1768c3d4322171df62c0f963b06a3e194d2e343ea457df7ded

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/348-407-0x0000000000280000-0x0000000000390000-memory.dmp

Filesize
1.1MB

Download
memory/1364-347-0x00000000003A0000-0x00000000004B0000-memory.dmp

Filesize
1.1MB

Download
memory/2172-467-0x0000000000E40000-0x0000000000F50000-memory.dmp

Filesize
1.1MB

Download
memory/2332-287-0x0000000000190000-0x00000000002A0000-memory.dmp

Filesize
1.1MB

Download
memory/2340-587-0x0000000000F80000-0x0000000001090000-memory.dmp

Filesize
1.1MB

Download
memory/2392-77-0x0000000001DB0000-0x0000000001DB8000-memory.dmp

Filesize
32KB

Download
memory/2392-76-0x000000001B6A0000-0x000000001B982000-memory.dmp

Filesize
2.9MB

Download
memory/2552-647-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/2768-527-0x0000000000F60000-0x0000000001070000-memory.dmp

Filesize
1.1MB

Download
memory/2860-227-0x00000000011B0000-0x00000000012C0000-memory.dmp

Filesize
1.1MB

Download
memory/2884-14-0x0000000000150000-0x0000000000162000-memory.dmp

Filesize
72KB

Download
memory/2884-13-0x0000000000B30000-0x0000000000C40000-memory.dmp

Filesize
1.1MB

Download
memory/2884-15-0x00000000004F0000-0x00000000004FC000-memory.dmp

Filesize
48KB

Download
memory/2884-17-0x0000000000500000-0x000000000050C000-memory.dmp

Filesize
48KB

Download
memory/2884-16-0x0000000000160000-0x000000000016C000-memory.dmp

Filesize
48KB

Download
memory/3052-46-0x0000000000C80000-0x0000000000D90000-memory.dmp

Filesize
1.1MB

Download