Analysis

  • max time kernel
    146s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    21-12-2024 22:49

General

  • Target

    JaffaCakes118_75412fa5934540517b4fbb1a1cacb05370446afbd326cc7087e9c6cf39a94b07.exe

  • Size

    1.3MB

  • MD5

    15989978bbe2bbdd23cbf964eb530285

  • SHA1

    dd6827e0785ef07ec8a53cc06fe4e632851878ac

  • SHA256

    75412fa5934540517b4fbb1a1cacb05370446afbd326cc7087e9c6cf39a94b07

  • SHA512

    9f81232ef8293eda6b4429fbe022e176cda1fe2d9ccf65fc5efd30ad6f7b8de25368923a99a3a0d666b6edc97377ee6ed590327a2195f859b2e7d2f79671162e

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 48 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 9 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 11 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs
  • Drops file in Program Files directory 13 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious use of AdjustPrivilegeToken 28 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_75412fa5934540517b4fbb1a1cacb05370446afbd326cc7087e9c6cf39a94b07.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_75412fa5934540517b4fbb1a1cacb05370446afbd326cc7087e9c6cf39a94b07.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3012
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2216
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2996
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2852
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2812
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\Idle.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3020
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\de-DE\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1600
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\wininit.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1708
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2268
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\smss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2916
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\wininit.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2436
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\TableTextService\smss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2488
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3012
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\explorer.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1820
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2836
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office14\System.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2976
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\Idle.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2116
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\ja-JP\winlogon.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2428
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OSPPSVC.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2888
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\lsass.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2864
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Favorites\Idle.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2756
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JmnsDPSvSt.bat"
            5⤵
              PID:888
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                6⤵
                  PID:2128
                • C:\providercommon\wininit.exe
                  "C:\providercommon\wininit.exe"
                  6⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2508
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DhSpfyjZaR.bat"
                    7⤵
                      PID:1780
                      • C:\Windows\system32\w32tm.exe
                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                        8⤵
                          PID:1760
                        • C:\providercommon\wininit.exe
                          "C:\providercommon\wininit.exe"
                          8⤵
                          • Executes dropped EXE
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:760
                          • C:\Windows\System32\cmd.exe
                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nAABNdhKLs.bat"
                            9⤵
                              PID:1304
                              • C:\Windows\system32\w32tm.exe
                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                10⤵
                                  PID:2688
                                • C:\providercommon\wininit.exe
                                  "C:\providercommon\wininit.exe"
                                  10⤵
                                  • Executes dropped EXE
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:744
                                  • C:\Windows\System32\cmd.exe
                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6uGRILFBWR.bat"
                                    11⤵
                                      PID:1352
                                      • C:\Windows\system32\w32tm.exe
                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                        12⤵
                                          PID:1848
                                        • C:\providercommon\wininit.exe
                                          "C:\providercommon\wininit.exe"
                                          12⤵
                                          • Executes dropped EXE
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:1968
                                          • C:\Windows\System32\cmd.exe
                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Or3SRhMf8V.bat"
                                            13⤵
                                              PID:2192
                                              • C:\Windows\system32\w32tm.exe
                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                14⤵
                                                  PID:1716
                                                • C:\providercommon\wininit.exe
                                                  "C:\providercommon\wininit.exe"
                                                  14⤵
                                                  • Executes dropped EXE
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:2508
                                                  • C:\Windows\System32\cmd.exe
                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mMyBvdYgq2.bat"
                                                    15⤵
                                                      PID:1012
                                                      • C:\Windows\system32\w32tm.exe
                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                        16⤵
                                                          PID:3048
                                                        • C:\providercommon\wininit.exe
                                                          "C:\providercommon\wininit.exe"
                                                          16⤵
                                                          • Executes dropped EXE
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:2060
                                                          • C:\Windows\System32\cmd.exe
                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WLCDTNV5Zk.bat"
                                                            17⤵
                                                              PID:288
                                                              • C:\Windows\system32\w32tm.exe
                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                18⤵
                                                                  PID:2080
                                                                • C:\providercommon\wininit.exe
                                                                  "C:\providercommon\wininit.exe"
                                                                  18⤵
                                                                  • Executes dropped EXE
                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:2608
                                                                  • C:\Windows\System32\cmd.exe
                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\g1eT93LUFj.bat"
                                                                    19⤵
                                                                      PID:2136
                                                                      • C:\Windows\system32\w32tm.exe
                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                        20⤵
                                                                          PID:2672
                                                                        • C:\providercommon\wininit.exe
                                                                          "C:\providercommon\wininit.exe"
                                                                          20⤵
                                                                          • Executes dropped EXE
                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          PID:1492
                                                                          • C:\Windows\System32\cmd.exe
                                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cwtcXGf4Cf.bat"
                                                                            21⤵
                                                                              PID:2348
                                                                              • C:\Windows\system32\w32tm.exe
                                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                22⤵
                                                                                  PID:632
                                                                                • C:\providercommon\wininit.exe
                                                                                  "C:\providercommon\wininit.exe"
                                                                                  22⤵
                                                                                  • Executes dropped EXE
                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                  PID:1804
                                                                                  • C:\Windows\System32\cmd.exe
                                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZBm8ilTxac.bat"
                                                                                    23⤵
                                                                                      PID:2660
                                                                                      • C:\Windows\system32\w32tm.exe
                                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                        24⤵
                                                                                          PID:1668
                                                                                        • C:\providercommon\wininit.exe
                                                                                          "C:\providercommon\wininit.exe"
                                                                                          24⤵
                                                                                          • Executes dropped EXE
                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:792
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\Idle.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2744
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\Idle.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2792
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\Idle.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2608
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\DllCommonsvc.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2572
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\de-DE\DllCommonsvc.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:288
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\DllCommonsvc.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1300
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\wininit.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2236
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:744
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1352
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\providercommon\spoolsv.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2536
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1160
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2172
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\smss.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2584
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\smss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2612
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\smss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:3016
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\providercommon\wininit.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:3048
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1012
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2400
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\smss.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:3032
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\smss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:3036
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\smss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1224
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\providercommon\explorer.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2044
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2184
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1588
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\explorer.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2080
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\explorer.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2364
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\explorer.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2200
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:572
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1564
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:524
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office\Office14\System.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2620
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\System.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2516
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office\Office14\System.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1980
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\Idle.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:896
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2324
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1508
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Mail\ja-JP\winlogon.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:756
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\ja-JP\winlogon.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1752
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Mail\ja-JP\winlogon.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2008
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OSPPSVC.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1772
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1248
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1092
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\lsass.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1048
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\lsass.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1480
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\lsass.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:740
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Favorites\Idle.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2100
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Public\Favorites\Idle.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2340
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Favorites\Idle.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:700

                                          Network

                                          MITRE ATT&CK Enterprise v15

                                          Replay Monitor

                                          Loading Replay Monitor...

                                          Downloads

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                            Filesize

                                            342B

                                            MD5

                                            bd1f4112c88840524e388855f5f93b5a

                                            SHA1

                                            208d83908b8806c0b275c6566f729653fc59d7f0

                                            SHA256

                                            c81ab17344cebea79df814825942c0c10d2b0185c454c8cad03aedbb64d1816e

                                            SHA512

                                            d6f141c90d1d9dabde5168b5e5c294b7e6f817e71d8936a57de940e117f37af4b99e4e23d08bbcf8af89cebd3bee1c25734f2be0d086eb0e8bb906e376e53c8f

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                            Filesize

                                            342B

                                            MD5

                                            162f595bd444716c0ba73265f2f69de5

                                            SHA1

                                            cd098015706f32692c38f54d81e778edaca1322e

                                            SHA256

                                            da8a300b983a7ae2c879e4f91461efbc069662a55218f3c3f67878458fe8e2c0

                                            SHA512

                                            bb8c427907970d72517a714cf219fd587175f98814bc50bb60c05bc4e57e84bf29a99a31f0901dedff23dc91b9880852447b61dadad81a7d28bf76de2eaf0a44

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                            Filesize

                                            342B

                                            MD5

                                            92d076b349466caec25f3e7966686258

                                            SHA1

                                            d80f662f444f6bd80acf9b8282b3b4a26796027a

                                            SHA256

                                            98715a64f13bbb1c4f69f8c6892e1cd4bb1f79d82c4838734bf0c651b6ca0ff0

                                            SHA512

                                            4aef7493dcc255d6b1cfa1aea10019a98376c13740cdc24ffcc63c77d5140bc65c98020132a94eff92c4b4d912a0fa6bae7ecbbfe9552aa1b4895c3991a72db8

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                            Filesize

                                            342B

                                            MD5

                                            44dacf91e6f0358390be7b3436e38a40

                                            SHA1

                                            e13c0a9aa78f4b6310cdc49b8a84e1de376c8901

                                            SHA256

                                            1f367976d45d4a33db62151c3e80ec355abd905e8c6ed3e475e4deb6ea3283bc

                                            SHA512

                                            40318fc5be226057555696b08f6ba3e5db1dade86ecc0dd4548ca5db94f695a9f5a919a0a3dd9c1ae3c4869009b141e6b7626be08a4bdba2d2ed30cf48623b20

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                            Filesize

                                            342B

                                            MD5

                                            6dd3b88c238fd48f143f8bf055972210

                                            SHA1

                                            d85411358598dd746356c7e878156cdada4a7017

                                            SHA256

                                            afd7265899702cbcedb17fc8c74bcb899e4fb1cd3064815215fed40d2546c963

                                            SHA512

                                            be0f45b612f3b20bafd01c56cf354abb0a652c9a239871223a9b37615466f4197a36f855ef9661fda68cb3ebd3314ba0c73b87ebe4b10890718021fde98a5aed

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                            Filesize

                                            342B

                                            MD5

                                            930b07fd58e4b06fb5c8e0030f1ff759

                                            SHA1

                                            51ab6881e57f49b110d59700b24f09dc408c8365

                                            SHA256

                                            70e933c5b743931e1efc4044bbbbbe251e9e9b610d8e99854c257123d83d8a40

                                            SHA512

                                            42c9fa899c9eaf67b457fc04f67b5c58c1d28fc463a83eae357afaa44f44e45f67ab0427ae1b59e2142cb269b1c4f2a83757bf1458332a234c7b86bfb43398be

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                            Filesize

                                            342B

                                            MD5

                                            a06e75891f5fd50e5d5784f1d9c1d2ae

                                            SHA1

                                            607fa3094144192c4cd9a47e635543b61db81890

                                            SHA256

                                            89b97f166bddabf36fea3e7d1435b1e7ee154058b61a61de694a2d76138b526a

                                            SHA512

                                            145e3d04449612814438d0ae5f7ee164ed4a5ad4d3392c51e4b0026972e8840a9d6a3962566a899ffad901ec06548dbfe0d58eabf61cdc1f2a4de9283b6188d6

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                            Filesize

                                            342B

                                            MD5

                                            82b815d2dabadec1c53f499ece1e8d15

                                            SHA1

                                            fd558519fd4bce2beb7eef452bdafa5115727037

                                            SHA256

                                            320a717be7ff791288c1fdb314462fa1a8295991d5a5e88752da7201fa675ae7

                                            SHA512

                                            2a16a4f3bed5800fec6c18b75e6c19e1ad285303dd7a408deba940f7f88bf4b23d9ace8952f778842ef89d74bff5bbf0cfbbf16bf83cd7e4fe421159ee7414c7

                                          • C:\Users\Admin\AppData\Local\Temp\6uGRILFBWR.bat

                                            Filesize

                                            194B

                                            MD5

                                            f0f83fea6035f773b68067c3bdb9a8ea

                                            SHA1

                                            71e0c59978f239427aaa73d0efdd6a7a371759a8

                                            SHA256

                                            96db92bec6b61de365130fb55e972e9d4a95f4f82089d589893fe64078e6cb43

                                            SHA512

                                            3d53480f4fa598a2b0645c4278a661785a1bc37c9dc478a5fafbbe549cc944b79d2bcfb322c07fa7c76c64e6fac46f046eead83a67dfcbd463f35d90205bae31

                                          • C:\Users\Admin\AppData\Local\Temp\Cab5C65.tmp

                                            Filesize

                                            70KB

                                            MD5

                                            49aebf8cbd62d92ac215b2923fb1b9f5

                                            SHA1

                                            1723be06719828dda65ad804298d0431f6aff976

                                            SHA256

                                            b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                            SHA512

                                            bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                          • C:\Users\Admin\AppData\Local\Temp\DhSpfyjZaR.bat

                                            Filesize

                                            194B

                                            MD5

                                            c870585ce0733aa6c412970379200657

                                            SHA1

                                            f59dceecab675c3863a23fe28f9d55e73bf39008

                                            SHA256

                                            67c00ab9d671da89ade08766762a56e9b6ab589d583284b7a408b9b49a154c99

                                            SHA512

                                            d080755c7adc91431e9043c80b9e40b481bed683cde7004fe3c8fab6e189956724a611d44f57e40cdd1a2af5528f6d11a2461005b21a43c48991792a1068fc64

                                          • C:\Users\Admin\AppData\Local\Temp\JmnsDPSvSt.bat

                                            Filesize

                                            194B

                                            MD5

                                            74c9637f274e1f916cd362b5add2205b

                                            SHA1

                                            7fe8f4ab3c5264a8575883c3acb62780a59c4570

                                            SHA256

                                            d9b601006bea34374642f39d8e8e834c198cbc912c070d6168d8c88d597c16c5

                                            SHA512

                                            5b9473698ab20c5dde8e0271fa8123fd412a532a68a38d3a3e5b11a349c3c60ca07c049f471c34b5672dfcb2004a38858b134f8e72b7944c1a44175b9a3451c2

                                          • C:\Users\Admin\AppData\Local\Temp\Or3SRhMf8V.bat

                                            Filesize

                                            194B

                                            MD5

                                            cb9c5f96e709d6a318951479d4d3e0ea

                                            SHA1

                                            a84d7e558231c5bf414e4de72d97f944c6e85ad3

                                            SHA256

                                            94d69ff9295d699de6f22a0326c847948d745ad08960e36d4a5214e5ab7ca482

                                            SHA512

                                            0ef15f41467bf39b5f6b3db8f07dbd8da7725aa31eefb9af8eeaaf5d4cb66a264068ba7c0ccbc04356aa2d87e7f31bc3bb762cf59b2ec520d459b50acb85c522

                                          • C:\Users\Admin\AppData\Local\Temp\Tar5C87.tmp

                                            Filesize

                                            181KB

                                            MD5

                                            4ea6026cf93ec6338144661bf1202cd1

                                            SHA1

                                            a1dec9044f750ad887935a01430bf49322fbdcb7

                                            SHA256

                                            8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                                            SHA512

                                            6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                          • C:\Users\Admin\AppData\Local\Temp\WLCDTNV5Zk.bat

                                            Filesize

                                            194B

                                            MD5

                                            7e539724821506168f16ff9b186ace9b

                                            SHA1

                                            df5cec09abd8e104caa7b1cc07b79f564930f97e

                                            SHA256

                                            2b0a9a1c4f9c5b82d4e3adbcab2ffb5cc5c6a1e25ed714c9bda281e724337e30

                                            SHA512

                                            585d8336de32c72394dac624ae42416f16213b3090649fadc66949616827d68cc0ff032713b055aa7994bd70a33c8b48400096bf90dc93e648dd747a98b2e42b

                                          • C:\Users\Admin\AppData\Local\Temp\ZBm8ilTxac.bat

                                            Filesize

                                            194B

                                            MD5

                                            f4b4322fecf9012ee29cf2b82483dad3

                                            SHA1

                                            35461f741ee9b04e388d7c4acb726a82d93081b5

                                            SHA256

                                            2b25676c2cbf0435371cdcddb4d4e24099feb8a3092f2db30b16a54976df9dc9

                                            SHA512

                                            1510b653ec98f0f9611624ad52de7c003d1bae1e52b881183daaaeb670b30dda07b4e17aeddcdcd5e5f430d14c5ac3438946e14a5c0992f5c59b2589450c1020

                                          • C:\Users\Admin\AppData\Local\Temp\cwtcXGf4Cf.bat

                                            Filesize

                                            194B

                                            MD5

                                            7622b751649aac6f4133407beb171253

                                            SHA1

                                            0fecb57e8869a4df6fd9462da57dfe09d27cf845

                                            SHA256

                                            3894fcd0d34482a111308db3f324f8af8572fb7f141a14da0af43be0f9cd4684

                                            SHA512

                                            bb1131b372c38ee4171daae4e0353fd35b7c542a73b1e8f393e3deadb263200c368d1eec0fe41f1da3dc876d28663b3f31fc372c06cc39dc547162490939eb41

                                          • C:\Users\Admin\AppData\Local\Temp\g1eT93LUFj.bat

                                            Filesize

                                            194B

                                            MD5

                                            212d77c1e9a1dd20a238d07686bb9140

                                            SHA1

                                            69bf19fa781f2f5daa95740532687d61690b7f77

                                            SHA256

                                            41440039a39519c3fdf49b76907ebc9e6107dc55a677746697762c489d596394

                                            SHA512

                                            accf70f6f28df1dd5027b3c3840301b9a87c44bc0e288deebb4cb2da621e26dde2137e5498ba4a4cbda0c364de9cc384c0e5d72886e6e345571a89bef0201310

                                          • C:\Users\Admin\AppData\Local\Temp\mMyBvdYgq2.bat

                                            Filesize

                                            194B

                                            MD5

                                            db0722ae233b477f453cfe32261f538b

                                            SHA1

                                            9ed82dbe839a1e49e1bc76bba19d64e5521857ec

                                            SHA256

                                            634fc16dfc78423976eafb1336b2d6a0e2104bb147d7450e975281372b303ee9

                                            SHA512

                                            4f7cca8369d6e0c1f715879670ee04ee4a9a2742f534048c257cc1ba3535c21350c7130020b972139dc482e494c859543376705eeb27f527b9e793578a2ffbe0

                                          • C:\Users\Admin\AppData\Local\Temp\nAABNdhKLs.bat

                                            Filesize

                                            194B

                                            MD5

                                            edef8ca8641bc8a6b6a735162742ff6b

                                            SHA1

                                            88a862fb69790a3b2c7d4135c67c0d04f7a3e194

                                            SHA256

                                            eda597fdb7bf361e4550b875972553987e0f4f4791d06244272b01cef075820e

                                            SHA512

                                            703072e4cfbc67da2062ffd90ebaf2e037643957e3242007830d21696ace32b0080e2efb04df55645f59b105dbc98ad30b1ccd76a4917fd12dde9517b644e781

                                          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                            Filesize

                                            7KB

                                            MD5

                                            83fb0c6199228c53d2c4642ca18bdd8f

                                            SHA1

                                            18911a03abdd2eb07f2c55bb518005467b93a2c3

                                            SHA256

                                            65f22e1671b8e659ec7a563b99b33e6c174f2e9379a908584fe6270290124387

                                            SHA512

                                            170fd9e0c2fabfee818bb08f451196e19969abadbde422e987286c0aca65c2a63c80478085842c9655847c78a115ac86a021ed6863b5c6a918c5f719f6610a00

                                          • C:\providercommon\1zu9dW.bat

                                            Filesize

                                            36B

                                            MD5

                                            6783c3ee07c7d151ceac57f1f9c8bed7

                                            SHA1

                                            17468f98f95bf504cc1f83c49e49a78526b3ea03

                                            SHA256

                                            8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

                                            SHA512

                                            c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                          • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                            Filesize

                                            197B

                                            MD5

                                            8088241160261560a02c84025d107592

                                            SHA1

                                            083121f7027557570994c9fc211df61730455bb5

                                            SHA256

                                            2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

                                            SHA512

                                            20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                          • \providercommon\DllCommonsvc.exe

                                            Filesize

                                            1.0MB

                                            MD5

                                            bd31e94b4143c4ce49c17d3af46bcad0

                                            SHA1

                                            f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                            SHA256

                                            b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                            SHA512

                                            f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                          • memory/744-257-0x0000000000BC0000-0x0000000000CD0000-memory.dmp

                                            Filesize

                                            1.1MB

                                          • memory/760-197-0x0000000000AF0000-0x0000000000C00000-memory.dmp

                                            Filesize

                                            1.1MB

                                          • memory/792-675-0x00000000004B0000-0x00000000004C2000-memory.dmp

                                            Filesize

                                            72KB

                                          • memory/1600-60-0x0000000002220000-0x0000000002228000-memory.dmp

                                            Filesize

                                            32KB

                                          • memory/1600-59-0x000000001B220000-0x000000001B502000-memory.dmp

                                            Filesize

                                            2.9MB

                                          • memory/1968-317-0x0000000000220000-0x0000000000330000-memory.dmp

                                            Filesize

                                            1.1MB

                                          • memory/2060-437-0x0000000000B50000-0x0000000000C60000-memory.dmp

                                            Filesize

                                            1.1MB

                                          • memory/2508-138-0x0000000000830000-0x0000000000940000-memory.dmp

                                            Filesize

                                            1.1MB

                                          • memory/2508-377-0x00000000003C0000-0x00000000004D0000-memory.dmp

                                            Filesize

                                            1.1MB

                                          • memory/2608-497-0x0000000001140000-0x0000000001250000-memory.dmp

                                            Filesize

                                            1.1MB

                                          • memory/2852-16-0x0000000000670000-0x000000000067C000-memory.dmp

                                            Filesize

                                            48KB

                                          • memory/2852-15-0x0000000000660000-0x000000000066C000-memory.dmp

                                            Filesize

                                            48KB

                                          • memory/2852-14-0x00000000003E0000-0x00000000003F2000-memory.dmp

                                            Filesize

                                            72KB

                                          • memory/2852-13-0x00000000002A0000-0x00000000003B0000-memory.dmp

                                            Filesize

                                            1.1MB

                                          • memory/2852-17-0x0000000000680000-0x000000000068C000-memory.dmp

                                            Filesize

                                            48KB