Analysis

  • max time kernel
    144s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    21-12-2024 18:29

General

  • Target

    JaffaCakes118_bf73d3ce0d72b81c8e1a7d65206ee14bf9d147052c6d453c2313a0adf7603bd5.exe

  • Size

    1.3MB

  • MD5

    4298eea3dfafc5e3e37cd4390fb07f2c

  • SHA1

    d0f424c253ef02a00d840a560904adf62aeb2a34

  • SHA256

    bf73d3ce0d72b81c8e1a7d65206ee14bf9d147052c6d453c2313a0adf7603bd5

  • SHA512

    25ab9031c4dba529b4da57687b1c020de7ebec4707b1be3bc903b16d1ffc31003066eb26142bec6527ac8571a721711859d15e3c0b7068e7ac61524ffc822103

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 45 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 12 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
  • Drops file in Program Files directory 8 IoCs
  • Drops file in Windows directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 38 IoCs
  • Suspicious use of AdjustPrivilegeToken 28 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bf73d3ce0d72b81c8e1a7d65206ee14bf9d147052c6d453c2313a0adf7603bd5.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bf73d3ce0d72b81c8e1a7d65206ee14bf9d147052c6d453c2313a0adf7603bd5.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2416
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1040
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2528
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1996
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1948
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\system\Idle.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1676
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Registration\CRMLog\spoolsv.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2676
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\Idle.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1520
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\smss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2624
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\winlogon.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2196
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\OSPPSVC.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2548
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\en-US\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3056
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Analysis Services\WmiPrvSE.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1616
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\cmd.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1596
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\audiodg.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1624
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\lsass.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2132
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1268
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\es-ES\wininit.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2432
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2404
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1720
          • C:\Program Files\Windows Defender\en-US\csrss.exe
            "C:\Program Files\Windows Defender\en-US\csrss.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2708
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BcIiUXCUMc.bat"
              6⤵
                PID:2092
                • C:\Windows\system32\w32tm.exe
                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                  7⤵
                    PID:2120
                  • C:\Program Files\Windows Defender\en-US\csrss.exe
                    "C:\Program Files\Windows Defender\en-US\csrss.exe"
                    7⤵
                    • Executes dropped EXE
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2268
                    • C:\Windows\System32\cmd.exe
                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oVhzrLBDaJ.bat"
                      8⤵
                        PID:2752
                        • C:\Windows\system32\w32tm.exe
                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                          9⤵
                            PID:2304
                          • C:\Program Files\Windows Defender\en-US\csrss.exe
                            "C:\Program Files\Windows Defender\en-US\csrss.exe"
                            9⤵
                            • Executes dropped EXE
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1972
                            • C:\Windows\System32\cmd.exe
                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\voEVGuhWUp.bat"
                              10⤵
                                PID:2448
                                • C:\Windows\system32\w32tm.exe
                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                  11⤵
                                    PID:2224
                                  • C:\Program Files\Windows Defender\en-US\csrss.exe
                                    "C:\Program Files\Windows Defender\en-US\csrss.exe"
                                    11⤵
                                    • Executes dropped EXE
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:2104
                                    • C:\Windows\System32\cmd.exe
                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vad0LeRbBz.bat"
                                      12⤵
                                        PID:2776
                                        • C:\Windows\system32\w32tm.exe
                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                          13⤵
                                            PID:3032
                                          • C:\Program Files\Windows Defender\en-US\csrss.exe
                                            "C:\Program Files\Windows Defender\en-US\csrss.exe"
                                            13⤵
                                            • Executes dropped EXE
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:2732
                                            • C:\Windows\System32\cmd.exe
                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rjTee716Rl.bat"
                                              14⤵
                                                PID:2464
                                                • C:\Windows\system32\w32tm.exe
                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                  15⤵
                                                    PID:2644
                                                  • C:\Program Files\Windows Defender\en-US\csrss.exe
                                                    "C:\Program Files\Windows Defender\en-US\csrss.exe"
                                                    15⤵
                                                    • Executes dropped EXE
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:2468
                                                    • C:\Windows\System32\cmd.exe
                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8Usvo58uhQ.bat"
                                                      16⤵
                                                        PID:2460
                                                        • C:\Windows\system32\w32tm.exe
                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                          17⤵
                                                            PID:1992
                                                          • C:\Program Files\Windows Defender\en-US\csrss.exe
                                                            "C:\Program Files\Windows Defender\en-US\csrss.exe"
                                                            17⤵
                                                            • Executes dropped EXE
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:2448
                                                            • C:\Windows\System32\cmd.exe
                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jBrSCX6wbi.bat"
                                                              18⤵
                                                                PID:572
                                                                • C:\Windows\system32\w32tm.exe
                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                  19⤵
                                                                    PID:2712
                                                                  • C:\Program Files\Windows Defender\en-US\csrss.exe
                                                                    "C:\Program Files\Windows Defender\en-US\csrss.exe"
                                                                    19⤵
                                                                    • Executes dropped EXE
                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    PID:2968
                                                                    • C:\Windows\System32\cmd.exe
                                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\b7oBPqXqtO.bat"
                                                                      20⤵
                                                                        PID:2236
                                                                        • C:\Windows\system32\w32tm.exe
                                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                          21⤵
                                                                            PID:636
                                                                          • C:\Program Files\Windows Defender\en-US\csrss.exe
                                                                            "C:\Program Files\Windows Defender\en-US\csrss.exe"
                                                                            21⤵
                                                                            • Executes dropped EXE
                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:2920
                                                                            • C:\Windows\System32\cmd.exe
                                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1Gu59oh2IN.bat"
                                                                              22⤵
                                                                                PID:2804
                                                                                • C:\Windows\system32\w32tm.exe
                                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                  23⤵
                                                                                    PID:1736
                                                                                  • C:\Program Files\Windows Defender\en-US\csrss.exe
                                                                                    "C:\Program Files\Windows Defender\en-US\csrss.exe"
                                                                                    23⤵
                                                                                    • Executes dropped EXE
                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                    PID:1388
                                                                                    • C:\Windows\System32\cmd.exe
                                                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KmPq9HzxB6.bat"
                                                                                      24⤵
                                                                                        PID:2216
                                                                                        • C:\Windows\system32\w32tm.exe
                                                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                          25⤵
                                                                                            PID:1792
                                                                                          • C:\Program Files\Windows Defender\en-US\csrss.exe
                                                                                            "C:\Program Files\Windows Defender\en-US\csrss.exe"
                                                                                            25⤵
                                                                                            • Executes dropped EXE
                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                            PID:2032
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Windows\system\Idle.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2736
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\system\Idle.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:3008
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Windows\system\Idle.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2824
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Windows\Registration\CRMLog\spoolsv.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2720
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\spoolsv.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2772
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Windows\Registration\CRMLog\spoolsv.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:324
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\Idle.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2364
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\Idle.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1956
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\Idle.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1648
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\providercommon\smss.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2776
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1840
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:796
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files\7-Zip\Lang\winlogon.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:572
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\winlogon.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1084
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files\7-Zip\Lang\winlogon.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1276
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\OSPPSVC.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:600
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Default User\OSPPSVC.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2932
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\OSPPSVC.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1944
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\en-US\csrss.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2040
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\en-US\csrss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2016
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\en-US\csrss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1724
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\WmiPrvSE.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2200
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\WmiPrvSE.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2336
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\WmiPrvSE.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:896
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\cmd.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1368
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\cmd.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2180
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\cmd.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2072
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:768
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2300
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2260
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\lsass.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2332
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\lsass.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1804
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\lsass.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1376
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\providercommon\csrss.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1820
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1572
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1352
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Internet Explorer\es-ES\wininit.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:868
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\es-ES\wininit.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1640
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Internet Explorer\es-ES\wininit.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2184
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\providercommon\lsass.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2224
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2388
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1776
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1892
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1728
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2188

                                          Network

                                          MITRE ATT&CK Enterprise v15

                                          Replay Monitor

                                          Loading Replay Monitor...

                                          Downloads

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                            Filesize

                                            342B

                                            MD5

                                            68bb4080d9aa472cb7a253e17f59e507

                                            SHA1

                                            d31cd125f0e946e1c442383be2e25e8a4017bf03

                                            SHA256

                                            e15061bf875002f0cab8419ea52124919ea476b2dfb9392562f2ee913fef568e

                                            SHA512

                                            983c30bc83f66240aa631c03d82880c62e845d042f4b46f77c82c1d2f93aeace03cafeb83bb6b98dfe91610e96819af3acf70a56b807cd96911f92d4a7431865

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                            Filesize

                                            342B

                                            MD5

                                            e600fe35e5e0937ead6d9cedcee6a610

                                            SHA1

                                            d0e1cab56a243471bd973ed7b70546b98cf5f421

                                            SHA256

                                            18675959d58f1d6209b87de43bfbdba6025f2c6f1c561c14d109fbdce7a2594e

                                            SHA512

                                            51e53e8dbbbf7ca3deab88ed2f66ede42d8d3e1fd311e9f545b966d9c65afd9ffa187f4b793df17a853ec830d58c3266e6c62f1534db3203d97123eac5e99413

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                            Filesize

                                            342B

                                            MD5

                                            028633b84f5e9ac2662da348edd40228

                                            SHA1

                                            a4811878c2bd34d99fe13e4f6bc522736cf73fa2

                                            SHA256

                                            1a56cba8b874c346e77c7f18097cfa90e2d004cda81e976da850932aea38e9d0

                                            SHA512

                                            d60243721a7b6934431ece3e9179f3984eae952197c61d45fdf9ff9073a30fd85fdb76e63428b54a6c333b8c64740c7106d363ad4e84569e1d3330f6ffeba544

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                            Filesize

                                            342B

                                            MD5

                                            e9a3961ef7965bbaa31a1199ba713b7b

                                            SHA1

                                            1d78328878ee2e5ddd9129f7f93c3c0f5344d7fe

                                            SHA256

                                            1e0cd8207dfaebbc0cb996acbd917a89de3501dffe6bdbffc1a7b58ffcd2b99c

                                            SHA512

                                            8c96045aa5e5be0620fcaf9a1fb5594ce451465c6d26fcd9fe51ef64db6da9c730f25a5ac185bf1ef1d34819ff65999f4fce9c5d23285bd87d3bd43146c4992e

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                            Filesize

                                            342B

                                            MD5

                                            47712fd9023c64130a8a8140a06347a5

                                            SHA1

                                            3e4b65d90b07acf802870740a55fde3434e1d5b2

                                            SHA256

                                            e3a6e8fd369a7c7ea84827689953f416eeddecfe060bcd414f7a75593271fc15

                                            SHA512

                                            1f9015a21160542c9e299f50d42d1859eec49d97e65f6817a52d97af7ef2c11c425eb5e6303f2e989782f8e4de0e2076dba516bcd4c4f276d12f00d9df7fe4e8

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                            Filesize

                                            342B

                                            MD5

                                            200663a3adacf03a3becaeac06c50ece

                                            SHA1

                                            5b17cc16fcc868ee90aa275f28723dddf26c8d8a

                                            SHA256

                                            16f53e7a01b87a1db4bbb20d41bc62c3a0326da8b859be7e8743262ccb0f5140

                                            SHA512

                                            c8542dde69a4202e57d06f01c0f80e66975f053564e954d095b24030f7340035469eaa1ee7f04f3d24b2e23fc12c5608d8a303e427220d71d8f34353230167e0

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                            Filesize

                                            342B

                                            MD5

                                            5ba2e332566ead3c6475a81c570eb605

                                            SHA1

                                            c9884fc2ae1c04606f2753269c48c029a2d6fc83

                                            SHA256

                                            a6bdd15c7107d21a9d7c6845de258381d3ca54eb7df9ace9745e547339a75211

                                            SHA512

                                            9e5f8fb9300ebf90a2df2473e02e45213defc745cd1c6eb3f90c020094708efe5d0ef86d86adf056a0a2da093b33093f336ea4ddce54d9757e02ccb276bde499

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                            Filesize

                                            342B

                                            MD5

                                            6d3557f648358cc79ad25a00df92631a

                                            SHA1

                                            818efdb6ccc16b2a36f5d7ae4ceb2124adf5d1db

                                            SHA256

                                            338cc94aec7b28b3e9366d75e5b0620248fa1a9566fc04164e62bc4ef84c8e13

                                            SHA512

                                            a84de6b6415eb2827342a6b302f18e766f55d48b9c0cb51e2ef6983ac886734e934f03478eca3dccb347c1c1c8dc20d1fd69a3d171edc14ece20649d31575c90

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                            Filesize

                                            342B

                                            MD5

                                            844f14970e7ae900215a1363c9a1bf5d

                                            SHA1

                                            3905f37f9a424c9e722f32ce4330e4c4c79d794f

                                            SHA256

                                            d14df65f6eaaf6581903c78531a42549052b4ed7ec6fa687e90822610b202ca0

                                            SHA512

                                            d19b3a4808017597fc02d4ae7b39cbbefc8cb196cf445126182e48ae266b736005529a0c2117aa2fd79d3d7d3d63d74fb183287c068c8fa49474bb4905da26c6

                                          • C:\Users\Admin\AppData\Local\Temp\1Gu59oh2IN.bat

                                            Filesize

                                            214B

                                            MD5

                                            2efccd115665f974d26820fa6af188e4

                                            SHA1

                                            317f0c27514aa84f24ad90d91527073dfd2c7394

                                            SHA256

                                            cd9dcd1bfed979aafbbcff6021a9edadb0f7edd044d67626b6fd71d002f80f63

                                            SHA512

                                            ddc184702ff5ad3b395f5bbce8ed4b8192c1760509345115f43e3f796cc5c56604e53ebfc5dd1e39115d0a657f84606b708d2ab6658df28b46e0148a09339f29

                                          • C:\Users\Admin\AppData\Local\Temp\8Usvo58uhQ.bat

                                            Filesize

                                            214B

                                            MD5

                                            73a36471fa4e44c4b3429d93d5bda43f

                                            SHA1

                                            5a2ddd0eb0e35e327f144575dbd6899ee47e29c8

                                            SHA256

                                            679f0fdeb8919d42ab005ba0e1ac5597a4b0eaf099615f9e7668a452a9697e89

                                            SHA512

                                            1afdb6745b79c861193ebfc0bad113af75fdc48d25c388fd18c1595e36a966dd494877ba97f713c666af7e8c1e2c543ae84eded7da582bd86527fcd1945a1cce

                                          • C:\Users\Admin\AppData\Local\Temp\BcIiUXCUMc.bat

                                            Filesize

                                            214B

                                            MD5

                                            7c0cd8e85278f6cd3460132e9412d72a

                                            SHA1

                                            2be136364354cf9aa34a92eced1f05ea42801c81

                                            SHA256

                                            48c3d0d087560cb19f6ac03f85e87e875e8408e4219c47b1447b379001ef714c

                                            SHA512

                                            50c7bbc71396b43c4e9d90dc1242520b6f2cd4134e4d4b55a733173df52fc3a58887d9a8da4ab4447e21b9271fecb9a3e60abce934d033f184f24c53c3a95541

                                          • C:\Users\Admin\AppData\Local\Temp\CabC5B1.tmp

                                            Filesize

                                            70KB

                                            MD5

                                            49aebf8cbd62d92ac215b2923fb1b9f5

                                            SHA1

                                            1723be06719828dda65ad804298d0431f6aff976

                                            SHA256

                                            b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                            SHA512

                                            bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                          • C:\Users\Admin\AppData\Local\Temp\KmPq9HzxB6.bat

                                            Filesize

                                            214B

                                            MD5

                                            d671aec20d49c660f8d2c2517054a835

                                            SHA1

                                            f6cccf0025b0b9e1d0e35ea88f805422cd6c9051

                                            SHA256

                                            b0bb7fb98a204f1a7e9c805662bf81ea04395830bfecf722e688581736617078

                                            SHA512

                                            f719aa9c1507f42bd59276cb96f06f8d5af265a68f4fcffbdb13b62b3bd7265c49dbf273280e4201c498cc54b31766497ef2c56026fa0417001d486d5c42c5f8

                                          • C:\Users\Admin\AppData\Local\Temp\TarC602.tmp

                                            Filesize

                                            181KB

                                            MD5

                                            4ea6026cf93ec6338144661bf1202cd1

                                            SHA1

                                            a1dec9044f750ad887935a01430bf49322fbdcb7

                                            SHA256

                                            8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                                            SHA512

                                            6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                          • C:\Users\Admin\AppData\Local\Temp\b7oBPqXqtO.bat

                                            Filesize

                                            214B

                                            MD5

                                            c32b8dd5fbb765dc4c9dcead13f65fea

                                            SHA1

                                            de2657bf33dbed531eb6ac059d6755e418bba5a3

                                            SHA256

                                            b876cbdbae28b9a6371e919b0b6b250202c031c49023fece5b7bbf2f8ccbbc75

                                            SHA512

                                            668425c4d4f735314d517bf0e4a811bdfd3e55203d7b442f3964d1b53ff0e7b9087a6a2957769d0f0c314e2f9040b4f9fb79a0b895188a9cc20cfd79bead92b5

                                          • C:\Users\Admin\AppData\Local\Temp\jBrSCX6wbi.bat

                                            Filesize

                                            214B

                                            MD5

                                            4c2fbeb28e452f04c6dd018557d1618d

                                            SHA1

                                            5ac0c94985ac0f79695888ba8354e8f894ebf922

                                            SHA256

                                            478872d3d1011adde8d4470c0e5083350a6cfd05581c77580ee1d147985b2f3b

                                            SHA512

                                            54e01c1013d6a1ad52f1e356a67ed223ff3821a16e42d9ffbb593df893c4fc5d57c081c8c6c1b2d11e53d3ecc644d05a8127b2c2500f30c9b98e7f7a5458b1a5

                                          • C:\Users\Admin\AppData\Local\Temp\oVhzrLBDaJ.bat

                                            Filesize

                                            214B

                                            MD5

                                            b913c403b4784d2829c5ed5a2d44b57b

                                            SHA1

                                            be43ae140ded3f0123c8e0e3423e30cb2df2ad4a

                                            SHA256

                                            c7783b9c171c05666496914634fe83b940709307e63410de388cc0ee3a149ebf

                                            SHA512

                                            42158b75b02890611c4c88c22b968e043c07d1dceb014fc4fefdd25ab455a6814aa93080c3c0dfbf8a8e20546ab8b119d7e247d8233184aebf27f5c2845380aa

                                          • C:\Users\Admin\AppData\Local\Temp\rjTee716Rl.bat

                                            Filesize

                                            214B

                                            MD5

                                            ca78d3a8b6ec12bd847db4109e8f9cd4

                                            SHA1

                                            74a8f75c920fa7eaa05bad45bc5cb07f0073482e

                                            SHA256

                                            1fdb3b29e2d34aaae624564536a6089d71ac4e2c98e9415257db4cc21b72b3be

                                            SHA512

                                            aa8ba9d1215bee45831a2adad4767778861c6e457bdcf5ffc40df7487a7a3043269efbf57082fbcdb22038f6894aee4fb82338adc4e1c364e39bbf9853c1f5cb

                                          • C:\Users\Admin\AppData\Local\Temp\vad0LeRbBz.bat

                                            Filesize

                                            214B

                                            MD5

                                            b9abe7d7e5b0a8585f75ff488c0af4c5

                                            SHA1

                                            02154fddbcd19b4f718164e7d5df1f7297ad5fd3

                                            SHA256

                                            d8cc7e33aade95d59fd8b988d1cdc730bb3545f7a1ee164eb81e7b20713311cb

                                            SHA512

                                            732a74fe1dcb907519636138a6c6b691024a58e17e18eac15b132d7a8949a43a6ed08a61bfa24931d161cd34cba0ff429adbf23fce4c8fba58938cc9a35eef41

                                          • C:\Users\Admin\AppData\Local\Temp\voEVGuhWUp.bat

                                            Filesize

                                            214B

                                            MD5

                                            4facec3f8828d24144b7cbbcb740e4a7

                                            SHA1

                                            29555b46a3ca96e38907ef062a51c54208be3dcc

                                            SHA256

                                            3f1a2e62a93531dd92f3a4061ed312447903a895adfca57bd96f3e2343d0f982

                                            SHA512

                                            bf2233fe113f7727b40543fb7335b72d5d0268c831df4f0affa2ee7b729171494389f8d9fcbd7f26410b4887ec7d16ba1f11986638a21be87dc8a5e12246308e

                                          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                            Filesize

                                            7KB

                                            MD5

                                            77776f3a1a95e12817eddaf3b7d44151

                                            SHA1

                                            2176c291828e9087334fc78b9274a608af31fb27

                                            SHA256

                                            b5bf77d971241bf0fc45a11253ee458ba1f662b6b548e1f11e74a50eabf5eaff

                                            SHA512

                                            fc72ebbdf50f4f032852e3d96d9b7549a4efec918aabdd3e9f2e4b950e33513f470a4b5b2fd007268e2aad5641082e5dd2cdf692a546fc53c8be009eb21e014d

                                          • C:\providercommon\1zu9dW.bat

                                            Filesize

                                            36B

                                            MD5

                                            6783c3ee07c7d151ceac57f1f9c8bed7

                                            SHA1

                                            17468f98f95bf504cc1f83c49e49a78526b3ea03

                                            SHA256

                                            8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

                                            SHA512

                                            c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                          • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                            Filesize

                                            197B

                                            MD5

                                            8088241160261560a02c84025d107592

                                            SHA1

                                            083121f7027557570994c9fc211df61730455bb5

                                            SHA256

                                            2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

                                            SHA512

                                            20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                          • \providercommon\DllCommonsvc.exe

                                            Filesize

                                            1.0MB

                                            MD5

                                            bd31e94b4143c4ce49c17d3af46bcad0

                                            SHA1

                                            f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                            SHA256

                                            b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                            SHA512

                                            f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                          • memory/1388-675-0x00000000002A0000-0x00000000003B0000-memory.dmp

                                            Filesize

                                            1.1MB

                                          • memory/1972-254-0x0000000000BC0000-0x0000000000CD0000-memory.dmp

                                            Filesize

                                            1.1MB

                                          • memory/1996-17-0x0000000000560000-0x000000000056C000-memory.dmp

                                            Filesize

                                            48KB

                                          • memory/1996-16-0x0000000000550000-0x000000000055C000-memory.dmp

                                            Filesize

                                            48KB

                                          • memory/1996-15-0x00000000003C0000-0x00000000003CC000-memory.dmp

                                            Filesize

                                            48KB

                                          • memory/1996-14-0x00000000001D0000-0x00000000001E2000-memory.dmp

                                            Filesize

                                            72KB

                                          • memory/1996-13-0x0000000000900000-0x0000000000A10000-memory.dmp

                                            Filesize

                                            1.1MB

                                          • memory/2032-735-0x0000000001270000-0x0000000001380000-memory.dmp

                                            Filesize

                                            1.1MB

                                          • memory/2268-194-0x0000000000970000-0x0000000000A80000-memory.dmp

                                            Filesize

                                            1.1MB

                                          • memory/2448-494-0x0000000000FF0000-0x0000000001100000-memory.dmp

                                            Filesize

                                            1.1MB

                                          • memory/2468-434-0x0000000000040000-0x0000000000150000-memory.dmp

                                            Filesize

                                            1.1MB

                                          • memory/2676-75-0x000000001B590000-0x000000001B872000-memory.dmp

                                            Filesize

                                            2.9MB

                                          • memory/2676-81-0x00000000027F0000-0x00000000027F8000-memory.dmp

                                            Filesize

                                            32KB

                                          • memory/2708-54-0x0000000000850000-0x0000000000960000-memory.dmp

                                            Filesize

                                            1.1MB

                                          • memory/2732-374-0x0000000000240000-0x0000000000252000-memory.dmp

                                            Filesize

                                            72KB

                                          • memory/2732-373-0x00000000011E0000-0x00000000012F0000-memory.dmp

                                            Filesize

                                            1.1MB

                                          • memory/2920-615-0x00000000000C0000-0x00000000001D0000-memory.dmp

                                            Filesize

                                            1.1MB

                                          • memory/2968-555-0x0000000000440000-0x0000000000452000-memory.dmp

                                            Filesize

                                            72KB

                                          • memory/2968-554-0x0000000001330000-0x0000000001440000-memory.dmp

                                            Filesize

                                            1.1MB