Analysis

  • max time kernel
    148s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    21-12-2024 22:37

General

  • Target

    JaffaCakes118_601ad0e1260258028f432a3746a87816a2a2d0c8bd3e22f50cd0ee85faa666a2.exe

  • Size

    1.3MB

  • MD5

    d29b8c09e76961a7506c3f775fa2b3f0

  • SHA1

    8521dfd680d92707974e8051bf779eace7db02ff

  • SHA256

    601ad0e1260258028f432a3746a87816a2a2d0c8bd3e22f50cd0ee85faa666a2

  • SHA512

    815324a33ace3227b7463a875575f9856e42425e1ec472349eb75cb51bb2ec1ebf26bad11384eb48c9e0b0ab04ef5c1115ca7547b69251adfddd2b078e68c6e1

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a .NET RAT, active since June 2019, that is capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 42 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 9 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 13 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim host in order to infer its geographical location.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 35 IoCs
  • Suspicious use of AdjustPrivilegeToken 29 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_601ad0e1260258028f432a3746a87816a2a2d0c8bd3e22f50cd0ee85faa666a2.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_601ad0e1260258028f432a3746a87816a2a2d0c8bd3e22f50cd0ee85faa666a2.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3008
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2736
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2368
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2640
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1412
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\audiodg.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1440
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\lsm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1940
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2452
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\winlogon.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2316
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2360
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Local Settings\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1948
          • C:\providercommon\DllCommonsvc.exe
            "C:\providercommon\DllCommonsvc.exe"
            5⤵
            • Executes dropped EXE
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2224
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2940
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Adobe\Updater6\lsm.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2252
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\csrss.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3020
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\dllhost.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2448
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\System.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2212
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1988
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\DESIGNER\dllhost.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1500
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dllhost.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2052
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\L2Schemas\lsm.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1296
            • C:\Users\All Users\Adobe\Updater6\lsm.exe
              "C:\Users\All Users\Adobe\Updater6\lsm.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1396
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tGPC7CVf0d.bat"
                7⤵
                  PID:2380
                  • C:\Windows\system32\w32tm.exe
                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                    8⤵
                      PID:2932
                    • C:\Users\All Users\Adobe\Updater6\lsm.exe
                      "C:\Users\All Users\Adobe\Updater6\lsm.exe"
                      8⤵
                      • Executes dropped EXE
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2084
                      • C:\Windows\System32\cmd.exe
                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0VN2lTwXPf.bat"
                        9⤵
                          PID:3032
                          • C:\Windows\system32\w32tm.exe
                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                            10⤵
                              PID:2172
                            • C:\Users\All Users\Adobe\Updater6\lsm.exe
                              "C:\Users\All Users\Adobe\Updater6\lsm.exe"
                              10⤵
                              • Executes dropped EXE
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              PID:1728
                              • C:\Windows\System32\cmd.exe
                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sJ59Arupck.bat"
                                11⤵
                                  PID:1296
                                  • C:\Windows\system32\w32tm.exe
                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                    12⤵
                                      PID:1956
                                    • C:\Users\All Users\Adobe\Updater6\lsm.exe
                                      "C:\Users\All Users\Adobe\Updater6\lsm.exe"
                                      12⤵
                                      • Executes dropped EXE
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:568
                                      • C:\Windows\System32\cmd.exe
                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Wqkq749RcZ.bat"
                                        13⤵
                                          PID:2556
                                          • C:\Windows\system32\w32tm.exe
                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                            14⤵
                                              PID:1524
                                            • C:\Users\All Users\Adobe\Updater6\lsm.exe
                                              "C:\Users\All Users\Adobe\Updater6\lsm.exe"
                                              14⤵
                                              • Executes dropped EXE
                                              • Suspicious behavior: EnumeratesProcesses
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:2716
                                              • C:\Windows\System32\cmd.exe
                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lEFN0vw97k.bat"
                                                15⤵
                                                  PID:3044
                                                  • C:\Windows\system32\w32tm.exe
                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                    16⤵
                                                      PID:2528
                                                    • C:\Users\All Users\Adobe\Updater6\lsm.exe
                                                      "C:\Users\All Users\Adobe\Updater6\lsm.exe"
                                                      16⤵
                                                      • Executes dropped EXE
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:1696
                                                      • C:\Windows\System32\cmd.exe
                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FEON83D8AI.bat"
                                                        17⤵
                                                          PID:1348
                                                          • C:\Windows\system32\w32tm.exe
                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                            18⤵
                                                              PID:1668
                                                            • C:\Users\All Users\Adobe\Updater6\lsm.exe
                                                              "C:\Users\All Users\Adobe\Updater6\lsm.exe"
                                                              18⤵
                                                              • Executes dropped EXE
                                                              • Suspicious behavior: EnumeratesProcesses
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:2140
                                                              • C:\Windows\System32\cmd.exe
                                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QUR8LTwG0H.bat"
                                                                19⤵
                                                                  PID:1780
                                                                  • C:\Windows\system32\w32tm.exe
                                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                    20⤵
                                                                      PID:2188
                                                                    • C:\Users\All Users\Adobe\Updater6\lsm.exe
                                                                      "C:\Users\All Users\Adobe\Updater6\lsm.exe"
                                                                      20⤵
                                                                      • Executes dropped EXE
                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      PID:2412
                                                                      • C:\Windows\System32\cmd.exe
                                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ph8sa6VtQm.bat"
                                                                        21⤵
                                                                          PID:2992
                                                                          • C:\Windows\system32\w32tm.exe
                                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                            22⤵
                                                                              PID:2060
                                                                            • C:\Users\All Users\Adobe\Updater6\lsm.exe
                                                                              "C:\Users\All Users\Adobe\Updater6\lsm.exe"
                                                                              22⤵
                                                                              • Executes dropped EXE
                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              PID:968
                                                                              • C:\Windows\System32\cmd.exe
                                                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\arqkgCRh4V.bat"
                                                                                23⤵
                                                                                  PID:2476
                                                                                  • C:\Windows\system32\w32tm.exe
                                                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                    24⤵
                                                                                      PID:1984
                                                                                    • C:\Users\All Users\Adobe\Updater6\lsm.exe
                                                                                      "C:\Users\All Users\Adobe\Updater6\lsm.exe"
                                                                                      24⤵
                                                                                      • Executes dropped EXE
                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      PID:692
                                                                                      • C:\Windows\System32\cmd.exe
                                                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VCTPXfsZqS.bat"
                                                                                        25⤵
                                                                                          PID:2420
                                                                                          • C:\Windows\system32\w32tm.exe
                                                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                            26⤵
                                                                                              PID:2660
                                                                                            • C:\Users\All Users\Adobe\Updater6\lsm.exe
                                                                                              "C:\Users\All Users\Adobe\Updater6\lsm.exe"
                                                                                              26⤵
                                                                                              • Executes dropped EXE
                                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                              PID:2768
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\audiodg.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1500
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:584
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1876
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\lsm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2068
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2072
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2560
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3024
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2860
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:860
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Users\Public\winlogon.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2864
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Public\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2964
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Users\Public\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:336
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\DllCommonsvc.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1308
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\DllCommonsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1976
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 7 /tr "'C:\Program Files\Uninstall Information\DllCommonsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2280
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Local Settings\DllCommonsvc.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2440
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Users\Admin\Local Settings\DllCommonsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2436
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Local Settings\DllCommonsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2512
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Adobe\Updater6\lsm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1064
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Updater6\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1848
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Adobe\Updater6\lsm.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1528
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\csrss.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:396
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\csrss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1736
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\csrss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1724
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\dllhost.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2464
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2880
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:3008
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\providercommon\System.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2732
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2656
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2696
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:380
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1512
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1160
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\DESIGNER\dllhost.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2604
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\DESIGNER\dllhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1972
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Common Files\DESIGNER\dllhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2924
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dllhost.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:584
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1272
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2956
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Windows\L2Schemas\lsm.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2056
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\L2Schemas\lsm.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1832
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Windows\L2Schemas\lsm.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2860
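The 42 schtasks.exe launches above follow one pattern: each dropped copy gets an ONLOGON task plus one or two MINUTE-interval tasks (a watchdog that restarts it every few minutes), most with /rl HIGHEST, and the binaries borrow core Windows process names (csrss.exe, lsm.exe, dllhost.exe, System.exe) while living in directories such as MSOCache, Recovery and L2Schemas where those names never belong. The Python below is an added example, not part of the sandbox report or its detection logic: it parses such command lines and scores those traits. The first five sample lines are copied from the process list; the "Backup" control line, the list of system process names and the thresholds are assumptions made for this example.

```python
"""Triage 'schtasks.exe /create' command lines for DCRat-style persistence.

Added example for this report; not the sandbox's own detection logic.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Core Windows process names DCRat reuses for its dropped copies. On a stock
# install they live only under System32/SysWOW64 ("System" is the kernel
# process and has no .exe at all), so the same name anywhere else is a
# masquerade. Assumed list for this example, not exhaustive.
SYSTEM_BINARY_NAMES = {
    "csrss.exe", "lsm.exe", "dllhost.exe", "system.exe",
    "svchost.exe", "lsass.exe", "winlogon.exe", "services.exe",
}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed sample input: the first five lines are copied from the process
# list above; the last is a made-up benign task used as a control.
SAMPLE_CMDLINES = [
    r"""schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\DllCommonsvc.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\csrss.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Windows\L2Schemas\lsm.exe'" /f""",
    r"""schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\dllhost.exe'" /f""",
    r"""schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "Backup" /sc DAILY /st 02:00 /tr "C:\Program Files\Acme\backup.exe" /f""",
]


@dataclass
class Task:
    name: str                 # /tn
    schedule: str             # /sc, upper-cased (ONLOGON, MINUTE, DAILY, ...)
    modifier: Optional[int]   # /mo for MINUTE/HOURLY schedules
    target: str               # /tr with DCRat's extra single quotes removed
    run_level: Optional[str]  # /rl (HIGHEST or LIMITED) if given
    findings: List[str] = field(default_factory=list)


# "/key value" where value is a double-quoted string or a bare token.
ARG_RE = re.compile(r'/(tn|sc|mo|tr|rl)\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)


def parse_schtasks(cmdline: str) -> Optional[Task]:
    """Return a Task for a 'schtasks /create' line, or None if it is not one."""
    if "/create" not in cmdline.lower():
        return None
    args = {}
    for m in ARG_RE.finditer(cmdline):
        value = m.group(2) if m.group(2) is not None else m.group(3)
        # DCRat wraps the path as "'C:\...'" so cmd.exe keeps the spaces intact.
        args[m.group(1).lower()] = value.strip("'")
    if "tr" not in args:
        return None
    mo = args.get("mo", "")
    return Task(
        name=args.get("tn", ""),
        schedule=args.get("sc", "").upper(),
        modifier=int(mo) if mo.isdigit() else None,
        target=args["tr"],
        run_level=args["rl"].upper() if "rl" in args else None,
    )


def assess(task: Task) -> List[str]:
    """Record the persistence traits seen in this report on the task."""
    findings = []
    exe = task.target.rsplit("\\", 1)[-1].lower()
    if exe in SYSTEM_BINARY_NAMES and not task.target.lower().startswith(SYSTEM_DIRS):
        findings.append(f"masquerade: {exe} outside System32")
    if task.run_level == "HIGHEST":
        findings.append("runs at highest privilege level")
    if task.schedule == "ONLOGON":
        findings.append("logon trigger (persistence)")
    if task.schedule == "MINUTE" and task.modifier is not None and task.modifier <= 15:
        findings.append(f"re-launched every {task.modifier} min (watchdog)")
    task.findings = findings
    return findings


def triage(cmdlines):
    """Tasks worth an analyst's attention: any masquerade, or two or more traits."""
    flagged = []
    for line in cmdlines:
        task = parse_schtasks(line)
        if task is None:
            continue
        findings = assess(task)
        if any(f.startswith("masquerade") for f in findings) or len(findings) >= 2:
            flagged.append({"name": task.name, "target": task.target, "findings": findings})
    return flagged


if __name__ == "__main__":
    for hit in triage(SAMPLE_CMDLINES):
        print(f"{hit['name']:14} {hit['target']}")
        for f in hit["findings"]:
            print(f"    - {f}")
```

In production the same parser can be fed the command lines from Sysmon process-creation events or the task data in Windows Security event 4698 (scheduled task created); the masquerade check alone is enough to separate every DCRat task above from ordinary software updaters, which schedule their own binary from their own install directory.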

                                          Network

                                          MITRE ATT&CK Enterprise v15

                                          Downloads

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                            Filesize

                                            342B

                                            MD5

                                            72011156c20eba01b8291a6c170a01d3

                                            SHA1

                                            7dff963749ebcfe1a91750b756fd471738c6bfc5

                                            SHA256

                                            cb956ea91608e1718d4a8b8fc8a5e9e0e80047e4709d04e5026271575e8c09ce

                                            SHA512

                                            282a0aef32e2b49c3809276d6a699c77f0c156c45ed4b26c90866c414f426551ea5a7f41fee6bf6217edd8b031c5618a8819dd0b3b7ea113ac6c954b4e3096e3

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                            Filesize

                                            342B

                                            MD5

                                            071f0681c9b935b22255725eb8327f52

                                            SHA1

                                            3841585ebbe330f31823df510d4ca9bd6f159abd

                                            SHA256

                                            d7a6d4ba062ac5228e7d9e56982a091b52da9ff3f611b8eb1f346b65a41c18f2

                                            SHA512

                                            563c5e465d904a56bffe4d5e76b2569384bb79035f65e80f2cb7030202d9e150792b7cafb574398995cafc9749afa20a698d1247ee9e5d0ae12768bf51d61dce

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                            Filesize

                                            342B

                                            MD5

                                            3e50e59bcf726093ec75915a875090fe

                                            SHA1

                                            58b73dbbd36aa06eb69d670ea9b403e8119e9b47

                                            SHA256

                                            ae64686da57b18229ec1b0dcd59e73377c253aea8d3ddbe25b3408c8173d2e28

                                            SHA512

                                            0eed8cc7cfb135182f27c05ac92e09b5ad61b240124f12119e18c6b4ffeca17502a3bf443ccdd63b869fba27bea546d625b6e97ffe9e51807b6e4398e1940654

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                            Filesize

                                            342B

                                            MD5

                                            ea3972f0319ee0ce70f88df17829cfc5

                                            SHA1

                                            004ac06d3f016885fd666a9fa4804fd3a966727a

                                            SHA256

                                            978e0d1fe1e819fd57f8cd8cb0a12a10741a0202bab84e8b2c434e9d488941fb

                                            SHA512

                                            ff6e8756fcb80536b4645eabc9a4d0396758b7b5d89e1a773bc1d7341a0843d067eefe440391c915212be6c700cd6c09098a7fb0526e7ebaa345dcee304cd1a5

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                            Filesize

                                            342B

                                            MD5

                                            175d55ec76be21705f2d04f05516d97a

                                            SHA1

                                            bc5bf2957d707039aec64dd41c69e64b4c19377a

                                            SHA256

                                            54a33539d6e1ab82afcfd954a74c0d6c49cb64941f08b7311d273a9c7800c9b2

                                            SHA512

                                            ae68bf56e230b37fa04cbb68f546a98020fc3470ee6524f4f56cc027714fc34466d35afdf19e87db53204df750fd6671ea111ace64bfcf29fca05ee6ec812a76

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                            Filesize

                                            342B

                                            MD5

                                            1f14d8991d33ff043aaa8ff2638cf57e

                                            SHA1

                                            6df23ffd04f6fbfa95aec4da68f0e1d2768dc64b

                                            SHA256

                                            2f8ca25fceedcca1f4173e8ece5214f358e4d1846c3dfb747f3c8a0c6b421693

                                            SHA512

                                            cc49b0024cb47ca0508e7ef5bf83bcc7cf830f7ed697fac2fbec51626f222e21c642a61f67835dab351d53ad0973372d62976e9cd778376995786315ac9f36d7

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                            Filesize

                                            342B

                                            MD5

                                            597386a5d9edcd9ac7102bd28e3fdde7

                                            SHA1

                                            8239378e1fafc7d70c19f6375ead8d8e4b1385c0

                                            SHA256

                                            95f683872b4ee5d737c4ad4e655d29de80584a66ffced602829a609c3f4fe51a

                                            SHA512

                                            3fb31b77b8d3e8eb47c51e5e273f2caae25b6e38963d42b572bd14c7ca85c843490073ce522a7b7e6d69f2e7a537336c3112edb2f88efe403a3da50474e1d83a

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                            Filesize

                                            342B

                                            MD5

                                            69cfa586f519e40d58b569ebe3f419ec

                                            SHA1

                                            5b5f209edf398dc333ef43129e7dcb0d5cf3c51f

                                            SHA256

                                            6e9d63be038c03579494fb57f924a9cc71fb791791a62db0cb45bf4564a6a110

                                            SHA512

                                            e1663a03b8126ea99fe0dd3dd90c46c815a3949e03fcde236b6ea211fa41e0bd7f4429715db4bf5fc78c400f7d5eca90d752f40d674f55746b74defc7948831f

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                            Filesize

                                            342B

                                            MD5

                                            b18897eb49c8e566a38b94bf1b34feb5

                                            SHA1

                                            4d9506a404c0bd440ecc33eb38d8eee7dac554a1

                                            SHA256

                                            6e759b6444a655ca1dbab898cae3bc1964b013bb6c86bd5ef54e735818c82252

                                            SHA512

                                            97e27a9d22d5b2270cccdcec948549cbab39d6b623c025e27cebaaa3d0de98f66000f4cf9dc9385c1d97c14eeb619b72906330059127680329f08aee370d20f6

                                          • C:\Users\Admin\AppData\Local\Temp\0VN2lTwXPf.bat

                                            Filesize

                                            206B

                                            MD5

                                            ca85bbd6438bdef8b534077e127a25de

                                            SHA1

                                            9b776294e23a6e1c02856155c8dfd32b4902f255

                                            SHA256

                                            4d08b8cb32053bfa64b4ad799b18f26c9d54fb81d2756e8229fe09f8e9545d7e

                                            SHA512

                                            ac5bad99400c6f2d82fcffdcf2a382240f55ecd3e9e3c9af6186142cce18c806f14ee41c6e32bd022e9935d4c27949094ff7f4c55cc98aafb697666ea90d653b

                                          • C:\Users\Admin\AppData\Local\Temp\CabABBC.tmp

                                            Filesize

                                            70KB

                                            MD5

                                            49aebf8cbd62d92ac215b2923fb1b9f5

                                            SHA1

                                            1723be06719828dda65ad804298d0431f6aff976

                                            SHA256

                                            b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                            SHA512

                                            bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                          • C:\Users\Admin\AppData\Local\Temp\FEON83D8AI.bat

                                            Filesize

                                            206B

                                            MD5

                                            67bcd060ff9671e83e7db958776150b9

                                            SHA1

                                            70d70957d59c21f8596500eec8b6ab06e61102de

                                            SHA256

                                            95165f093af999f2cf9e195275de5884ef270f09c8a35f2b7db578fd604107a8

                                            SHA512

                                            9b5aa2c4035fa5c4df2e23bb7a575012dfbc03fd999fcd50c0a8cfca5529a5501bfa6a876b2832c385ff4f5215222184918502405f01121e8f460402ab63b364

                                          • C:\Users\Admin\AppData\Local\Temp\Ph8sa6VtQm.bat

                                            Filesize

                                            206B

                                            MD5

                                            206ac31c0d34731ef87f17e02098bd74

                                            SHA1

                                            32899c998a4b0bca710c2dd57fc48efda9b99999

                                            SHA256

                                            ac92409cc6c0afc47decc9ae86a74cdcfee9616f01d18ea539e07d2626bff2b8

                                            SHA512

                                            eb13db08ed3444d04b7481206db8b3b930c8572505342eff2e4b459daba44f5506afc48f72341e0fb749aec1eb163a96e688d714b276f9d8137328cf20244836

                                          • C:\Users\Admin\AppData\Local\Temp\QUR8LTwG0H.bat

                                            Filesize

                                            206B

                                            MD5

                                            fd26fa14ff632632a191d6051ac73438

                                            SHA1

                                            13309bcd07b568aec659427497b4bb4ad8e03da6

                                            SHA256

                                            43076998229d3af0cab050dad914c6014dc7745ff5dc686a062ef601cafc2f25

                                            SHA512

                                            5d4700e89d99c5036e74c3b8eace9389eea193bf9c521a21ae54cc0c9f896e4f8647648fb922eb518cc03c7d270fd4490ba5da4e98dae32598a7401b6a741f63

                                          • C:\Users\Admin\AppData\Local\Temp\TarABCE.tmp

                                            Filesize

                                            181KB

                                            MD5

                                            4ea6026cf93ec6338144661bf1202cd1

                                            SHA1

                                            a1dec9044f750ad887935a01430bf49322fbdcb7

                                            SHA256

                                            8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                                            SHA512

                                            6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                          • C:\Users\Admin\AppData\Local\Temp\VCTPXfsZqS.bat

                                            Filesize

                                            206B

                                            MD5

                                            41b76755ab0d9e5695d0d809c34fce63

                                            SHA1

                                            8c58b7b6afd9f7679a646084c485506882ed333f

                                            SHA256

                                            29c2057670a05fcba6c284ce25565b563b16f196d6fa3edde47b81740f3cc7a8

                                            SHA512

                                            74e5211089bd716a669f41f03730bcc17cd492abf5a7a0d9147bac1fcc1b4be6694723ebf68de0f0e3dbc897f3f66808f33361ed19ce0128e0d70c16cd986baf

                                          • C:\Users\Admin\AppData\Local\Temp\Wqkq749RcZ.bat

                                            Filesize

                                            206B

                                            MD5

                                            4e6a37208c3386b6e8f78fd779a9c82d

                                            SHA1

                                            fb431a85454891272ed170e8f526ce99e5a17157

                                            SHA256

                                            14db5a9e06e7607330251ed304300ec2a6c2a787326d4f20f89dad2bbe0ea3f7

                                            SHA512

                                            efa260c0480c97875291f26185d9a550f61f226d78aa99e9b7945c58cb20022ce0e81d9af669e61df5c5640b7d184cf3581ab9d1a9530cb352ea4e915da6e72d

                                          • C:\Users\Admin\AppData\Local\Temp\arqkgCRh4V.bat

                                            Filesize

                                            206B

                                            MD5

                                            fdc3749879eb15d20ab8869c2817c4d6

                                            SHA1

                                            c23c5dd9f2f80e95283bf5095c0106d9e5e2335d

                                            SHA256

                                            57ad67b7ac1cca67377612657f35a6dc8fdc1b1d9e134bae8fb2fa5c8977e8d0

                                            SHA512

                                            11a58195999ab9003210c58845529aff9ddfebfcbd577a162b0bbcecd7e203e68098f4b2ab4969a4e1fde851c8dd731d1cf2ad652fdb03dd30bda20618fe6de7

                                          • C:\Users\Admin\AppData\Local\Temp\lEFN0vw97k.bat

                                            Filesize

                                            206B

                                            MD5

                                            2e6d88e06cc147ff096112a3a3fd9cc9

                                            SHA1

                                            64fbdc8a8822fa1753da205d981a1a6028bac85b

                                            SHA256

                                            7150c5df5fc595188a23380d75875240f0255a810684d9c07021e07fce2d0220

                                            SHA512

                                            32aa437cbec33b9a612eac955fff1578575c3c532ef4b0031669beabc2b6224e94c51a105894543005b531fbece49fc53190de178a314873c12725160a7898cb

• C:\Users\Admin\AppData\Local\Temp\sJ59Arupck.bat
  Filesize: 206B
  MD5: 1d026124f716e35006a32b4d06670381
  SHA1: 415473b0db6ae8e3afb3e5603436ff6d101b4d92
  SHA256: a2152defbe752f552763167daca0a56a7df5ad23e0afb6f13e4fb1fedda950df
  SHA512: 98378cac36aaf7f7d44ea1986bac16b27666144e6d43ee0b838c276709361e35a6bade894cc164c9140cde4f364a3d33e33d3b4ac90014e19339432c9a506501

• C:\Users\Admin\AppData\Local\Temp\tGPC7CVf0d.bat
  Filesize: 206B
  MD5: 47257ac8da0867308f0ae0382ce6c04f
  SHA1: d3b6ffd62a2df4ec7b385ab51b6d54046410aeb4
  SHA256: 4e4411fc1c3cc1cdb550953548f7fd459b80a9db87f444852f9a516e0105aeaf
  SHA512: b05f7a3a085286dd5c34a208415b88d6f34b9c81c97c1b7f9135000f262df0b96a97945cf4c6376dc9cede87d986daa3cb8bb5768983d49b547985f9261c0ecd

• C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 545cc32a4a472c759a38193b9df99140
  SHA1: c72f90440af3a39778d83e01f6bb24230f753263
  SHA256: 3cb4bbc72f2926ba78b6615e9747da248ae201022e6c87a04cd729628bd52e76
  SHA512: f9bc95fa95cca558138384bcb58c270aa04b3a58e7c23a9adf3774a3c8f028a3d4c0db24d7c08305f2810f9dee6897e0efed951f9cb896e59ad37fb5eae30a39

• C:\providercommon\1zu9dW.bat
  Filesize: 36B
  MD5: 6783c3ee07c7d151ceac57f1f9c8bed7
  SHA1: 17468f98f95bf504cc1f83c49e49a78526b3ea03
  SHA256: 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
  SHA512: c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

• C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
  Filesize: 197B
  MD5: 8088241160261560a02c84025d107592
  SHA1: 083121f7027557570994c9fc211df61730455bb5
  SHA256: 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
  SHA512: 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

• \providercommon\DllCommonsvc.exe
  Filesize: 1.0MB
  MD5: bd31e94b4143c4ce49c17d3af46bcad0
  SHA1: f8c51ff3ff909531d9469d4ba1bbabae101853ff
  SHA256: b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
  SHA512: f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

• memory/568-319-0x0000000000F40000-0x0000000001050000-memory.dmp
  Filesize: 1.1MB

• memory/568-320-0x00000000009F0000-0x0000000000A02000-memory.dmp
  Filesize: 72KB

• memory/968-620-0x0000000001160000-0x0000000001270000-memory.dmp
  Filesize: 1.1MB

• memory/1396-139-0x0000000000440000-0x0000000000452000-memory.dmp
  Filesize: 72KB

• memory/1396-138-0x00000000002B0000-0x00000000003C0000-memory.dmp
  Filesize: 1.1MB

• memory/1412-66-0x000000001B630000-0x000000001B912000-memory.dmp
  Filesize: 2.9MB

• memory/1440-65-0x0000000002290000-0x0000000002298000-memory.dmp
  Filesize: 32KB

• memory/1728-259-0x0000000000D30000-0x0000000000E40000-memory.dmp
  Filesize: 1.1MB

• memory/2052-112-0x0000000002240000-0x0000000002248000-memory.dmp
  Filesize: 32KB

• memory/2052-111-0x000000001B590000-0x000000001B872000-memory.dmp
  Filesize: 2.9MB

• memory/2084-198-0x0000000000AD0000-0x0000000000BE0000-memory.dmp
  Filesize: 1.1MB

• memory/2084-199-0x0000000000980000-0x0000000000992000-memory.dmp
  Filesize: 72KB

• memory/2224-67-0x0000000000140000-0x0000000000152000-memory.dmp
  Filesize: 72KB

• memory/2412-559-0x00000000002D0000-0x00000000003E0000-memory.dmp
  Filesize: 1.1MB

• memory/2412-560-0x00000000002C0000-0x00000000002D2000-memory.dmp
  Filesize: 72KB

• memory/2640-15-0x00000000003D0000-0x00000000003DC000-memory.dmp
  Filesize: 48KB

• memory/2640-16-0x00000000003E0000-0x00000000003EC000-memory.dmp
  Filesize: 48KB

• memory/2640-17-0x00000000003F0000-0x00000000003FC000-memory.dmp
  Filesize: 48KB

• memory/2640-14-0x00000000003C0000-0x00000000003D2000-memory.dmp
  Filesize: 72KB

• memory/2640-13-0x00000000013E0000-0x00000000014F0000-memory.dmp
  Filesize: 1.1MB

• memory/2716-380-0x00000000012C0000-0x00000000013D0000-memory.dmp
  Filesize: 1.1MB

• memory/2716-381-0x0000000000240000-0x0000000000252000-memory.dmp
  Filesize: 72KB