Analysis

  • max time kernel
    148s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    21-12-2024 22:54

General

  • Target

    JaffaCakes118_5876aba5e9c60fa1a356c1663808c5cc08559f1f227f8bb63943e8d6bf558a53.exe

  • Size

    1.3MB

  • MD5

    f3446523af2a49e5621b1a06770918ca

  • SHA1

    f6ddbdd63d112210ee5862d100ae43ed2dfc5a22

  • SHA256

    5876aba5e9c60fa1a356c1663808c5cc08559f1f227f8bb63943e8d6bf558a53

  • SHA512

    9e6cbc5de8863a8823c16166ae49f229168c1ba65e429addb6b629c58721aaf34ae3a1343724b7bab7d83856f6f2f92e9e7a17009d9c2c29d6c91dfcb5d36574

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 42 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 8 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 13 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs
  • Drops file in Program Files directory 11 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 32 IoCs
  • Suspicious use of AdjustPrivilegeToken 28 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5876aba5e9c60fa1a356c1663808c5cc08559f1f227f8bb63943e8d6bf558a53.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5876aba5e9c60fa1a356c1663808c5cc08559f1f227f8bb63943e8d6bf558a53.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2900
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2300
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2568
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2108
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1276
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\smss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3004
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office14\1033\lsass.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2064
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\wininit.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1116
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:744
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\services.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1528
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1012
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2276
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\NetHood\explorer.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:552
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1600
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:480
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\sppsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:272
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1684
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Update\Offline\sppsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2980
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\System.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2120
          • C:\providercommon\taskhost.exe
            "C:\providercommon\taskhost.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:964
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4stVUxPy0P.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:1984
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                  PID:1636
                • C:\providercommon\taskhost.exe
                  "C:\providercommon\taskhost.exe"
                  7⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2796
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2qVagYZlTM.bat"
                    8⤵
                      PID:3056
                      • C:\Windows\system32\w32tm.exe
                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                        9⤵
                          PID:2008
                        • C:\providercommon\taskhost.exe
                          "C:\providercommon\taskhost.exe"
                          9⤵
                          • Executes dropped EXE
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2136
                          • C:\Windows\System32\cmd.exe
                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MNu5MeZyGQ.bat"
                            10⤵
                              PID:1728
                              • C:\Windows\system32\w32tm.exe
                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                11⤵
                                  PID:2788
                                • C:\providercommon\taskhost.exe
                                  "C:\providercommon\taskhost.exe"
                                  11⤵
                                  • Executes dropped EXE
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:1960
                                  • C:\Windows\System32\cmd.exe
                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HHf3c4kdaf.bat"
                                    12⤵
                                      PID:2080
                                      • C:\Windows\system32\w32tm.exe
                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                        13⤵
                                          PID:832
                                        • C:\providercommon\taskhost.exe
                                          "C:\providercommon\taskhost.exe"
                                          13⤵
                                          • Executes dropped EXE
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:1740
                                          • C:\Windows\System32\cmd.exe
                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\60iZj2KDpL.bat"
                                            14⤵
                                              PID:1836
                                              • C:\Windows\system32\w32tm.exe
                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                15⤵
                                                  PID:1604
                                                • C:\providercommon\taskhost.exe
                                                  "C:\providercommon\taskhost.exe"
                                                  15⤵
                                                  • Executes dropped EXE
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:340
                                                  • C:\Windows\System32\cmd.exe
                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gQkyN2upze.bat"
                                                    16⤵
                                                      PID:2492
                                                      • C:\Windows\system32\w32tm.exe
                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                        17⤵
                                                          PID:1944
                                                        • C:\providercommon\taskhost.exe
                                                          "C:\providercommon\taskhost.exe"
                                                          17⤵
                                                          • Executes dropped EXE
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:2884
                                                          • C:\Windows\System32\cmd.exe
                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6raUEgr1vJ.bat"
                                                            18⤵
                                                              PID:2652
                                                              • C:\Windows\system32\w32tm.exe
                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                19⤵
                                                                  PID:1744
                                                                • C:\providercommon\taskhost.exe
                                                                  "C:\providercommon\taskhost.exe"
                                                                  19⤵
                                                                  • Executes dropped EXE
                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:1772
                                                                  • C:\Windows\System32\cmd.exe
                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kKaF7FiTK0.bat"
                                                                    20⤵
                                                                      PID:1524
                                                                      • C:\Windows\system32\w32tm.exe
                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                        21⤵
                                                                          PID:1988
                                                                        • C:\providercommon\taskhost.exe
                                                                          "C:\providercommon\taskhost.exe"
                                                                          21⤵
                                                                          • Executes dropped EXE
                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          PID:2804
                                                                          • C:\Windows\System32\cmd.exe
                                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\X8VSEkwS9E.bat"
                                                                            22⤵
                                                                              PID:1304
                                                                              • C:\Windows\system32\w32tm.exe
                                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                23⤵
                                                                                  PID:2184
                                                                                • C:\providercommon\taskhost.exe
                                                                                  "C:\providercommon\taskhost.exe"
                                                                                  23⤵
                                                                                  • Executes dropped EXE
                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                  PID:1852
                                                                                  • C:\Windows\System32\cmd.exe
                                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qtVTp5BaF9.bat"
                                                                                    24⤵
                                                                                      PID:2660
                                                                                      • C:\Windows\system32\w32tm.exe
                                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                        25⤵
                                                                                          PID:1956
                                                                                        • C:\providercommon\taskhost.exe
                                                                                          "C:\providercommon\taskhost.exe"
                                                                                          25⤵
                                                                                          • Executes dropped EXE
                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:944
                                                                                          • C:\Windows\System32\cmd.exe
                                                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3npectBbsF.bat"
                                                                                            26⤵
                                                                                              PID:752
                                                                                              • C:\Windows\system32\w32tm.exe
                                                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                27⤵
                                                                                                  PID:1288
                                                                                                • C:\providercommon\taskhost.exe
                                                                                                  "C:\providercommon\taskhost.exe"
                                                                                                  27⤵
                                                                                                  • Executes dropped EXE
                                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                  PID:2716
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\smss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2624
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\smss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1320
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\smss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2708
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office\Office14\1033\lsass.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2816
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2608
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office\Office14\1033\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2492
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\wininit.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2728
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2660
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2620
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\DllCommonsvc.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2280
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2496
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2560
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\services.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2192
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\All Users\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2240
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1876
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\providercommon\taskhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:776
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2024
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2384
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2412
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\csrss.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:344
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\csrss.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1940
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Users\Default\NetHood\explorer.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2004
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default\NetHood\explorer.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1700
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Users\Default\NetHood\explorer.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2400
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Default\csrss.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:340
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\csrss.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1284
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Default\csrss.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1592
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:800
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2472
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2788
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\sppsvc.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2320
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\sppsvc.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1060
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\sppsvc.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2180
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2236
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:872
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1264
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Google\Update\Offline\sppsvc.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1712
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\Offline\sppsvc.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1724
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\Update\Offline\sppsvc.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1620
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Mozilla Firefox\System.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2132
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\System.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1720
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Mozilla Firefox\System.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1896

                                            Network

                                            MITRE ATT&CK Enterprise v15

                                            Downloads


                                              SHA1

                                              4407b7687d2a9968300d2b0a2550b94171f21844

                                              SHA256

                                              18f38249427e09106924f197ab08a3fd2f9c66315b04a236f2df5f1fecc53da2

                                              SHA512

                                              5009df4b1dc0e0825cfa7019c7380014b19df0af4ee8380cf48b00279b40cd405811b4f163e5dc11653fa5a2bc618e71df223fd161c4d2bd42e934e292d6627d

                                            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                              Filesize

                                              7KB

                                              MD5

                                              a71ca6a81616ca081e15211c85670cc7

                                              SHA1

                                              33c2287633970c496a165aac45b6c754da2d1853

                                              SHA256

                                              017ba4f02e14d6d554ce280b0729edbe29d87ab070017155579121ac6354c272

                                              SHA512

                                              0586d185cf32ac4c49bfaf5eb6589f70beadc4d796ef6dfd9f7b8a9670f3e9eda2b8bea394be29ffc935b738723a98faed16e4b02d45daedb75ad5766358aecd

                                            • C:\providercommon\1zu9dW.bat

                                              Filesize

                                              36B

                                              MD5

                                              6783c3ee07c7d151ceac57f1f9c8bed7

                                              SHA1

                                              17468f98f95bf504cc1f83c49e49a78526b3ea03

                                              SHA256

                                              8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

                                              SHA512

                                              c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                            • C:\providercommon\DllCommonsvc.exe

                                              Filesize

                                              1.0MB

                                              MD5

                                              bd31e94b4143c4ce49c17d3af46bcad0

                                              SHA1

                                              f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                              SHA256

                                              b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                              SHA512

                                              f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                            • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                              Filesize

                                              197B

                                              MD5

                                              8088241160261560a02c84025d107592

                                              SHA1

                                              083121f7027557570994c9fc211df61730455bb5

                                              SHA256

                                              2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

                                              SHA512

                                              20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                            • memory/944-719-0x00000000001B0000-0x00000000002C0000-memory.dmp

                                              Filesize

                                              1.1MB

                                            • memory/964-52-0x0000000001150000-0x0000000001260000-memory.dmp

                                              Filesize

                                              1.1MB

                                            • memory/1276-106-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

                                              Filesize

                                              2.9MB

                                            • memory/1684-75-0x0000000002660000-0x0000000002668000-memory.dmp

                                              Filesize

                                              32KB

                                            • memory/1772-539-0x00000000013D0000-0x00000000014E0000-memory.dmp

                                              Filesize

                                              1.1MB

                                            • memory/1852-659-0x0000000000230000-0x0000000000340000-memory.dmp

                                              Filesize

                                              1.1MB

                                            • memory/2108-16-0x0000000000360000-0x000000000036C000-memory.dmp

                                              Filesize

                                              48KB

                                            • memory/2108-15-0x0000000000470000-0x000000000047C000-memory.dmp

                                              Filesize

                                              48KB

                                            • memory/2108-14-0x0000000000350000-0x0000000000362000-memory.dmp

                                              Filesize

                                              72KB

                                            • memory/2108-13-0x00000000009C0000-0x0000000000AD0000-memory.dmp

                                              Filesize

                                              1.1MB

                                            • memory/2108-17-0x0000000000480000-0x000000000048C000-memory.dmp

                                              Filesize

                                              48KB

                                            • memory/2716-779-0x0000000001180000-0x0000000001290000-memory.dmp

                                              Filesize

                                              1.1MB

                                            • memory/2804-599-0x0000000000630000-0x0000000000642000-memory.dmp

                                              Filesize

                                              72KB

                                            • memory/2884-479-0x0000000001290000-0x00000000013A0000-memory.dmp

                                              Filesize

                                              1.1MB