Analysis

  • max time kernel
    146s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    21-12-2024 19:20

General

  • Target

    JaffaCakes118_0454f653d31ef0cec9286b9a3baf56e8040091beb82bc0a6ff448ebecdd4d562.exe

  • Size

    1.3MB

  • MD5

    31403fb0bfc872db3d0fb82465ac7b37

  • SHA1

    835f58203c87fa254ce47bc88c81d5058ced9884

  • SHA256

    0454f653d31ef0cec9286b9a3baf56e8040091beb82bc0a6ff448ebecdd4d562

  • SHA512

    276807758cf0c8f3c8a2bf8fd31979b630c6aca6813580332bb5dd01cc31b3392ae7086f60ced3a2f67e347b4cf8cc7cd2a3d1854ede86ae79c34262230d6833

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 45 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 8 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 11 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 33 IoCs
  • Suspicious use of AdjustPrivilegeToken 29 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0454f653d31ef0cec9286b9a3baf56e8040091beb82bc0a6ff448ebecdd4d562.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0454f653d31ef0cec9286b9a3baf56e8040091beb82bc0a6ff448ebecdd4d562.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:828
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1404
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1872
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2692
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1656
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Idle.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2564
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\audiodg.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2568
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\audiodg.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2796
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\OSPPSVC.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:608
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ServiceProfiles\LocalService\Links\WmiPrvSE.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:792
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\lsass.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1500
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SysWOW64\Setup\de-DE\taskhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:956
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\WMIADAP.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:676
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\browser\VisualElements\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1760
          • C:\providercommon\DllCommonsvc.exe
            "C:\providercommon\DllCommonsvc.exe"
            5⤵
            • Executes dropped EXE
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2144
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2744
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\sppsvc.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2848
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\OSPPSVC.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1528
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ModemLogs\System.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1484
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhost.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2284
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2732
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1652
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tPRueI6iqX.bat"
              6⤵
                PID:2228
                • C:\Windows\system32\w32tm.exe
                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                  7⤵
                    PID:2080
                  • C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe
                    "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe"
                    7⤵
                    • Executes dropped EXE
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2288
                    • C:\Windows\System32\cmd.exe
                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qX4ufk0Q6M.bat"
                      8⤵
                        PID:3064
                        • C:\Windows\system32\w32tm.exe
                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                          9⤵
                            PID:1108
                          • C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe
                            "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe"
                            9⤵
                            • Executes dropped EXE
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            PID:2400
                            • C:\Windows\System32\cmd.exe
                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F8wGhM86rN.bat"
                              10⤵
                                PID:2544
                                • C:\Windows\system32\w32tm.exe
                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                  11⤵
                                    PID:2084
                                  • C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe
                                    "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe"
                                    11⤵
                                    • Executes dropped EXE
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:2740
                                    • C:\Windows\System32\cmd.exe
                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uItNEyebdJ.bat"
                                      12⤵
                                        PID:2248
                                        • C:\Windows\system32\w32tm.exe
                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                          13⤵
                                            PID:2144
                                          • C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe
                                            "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe"
                                            13⤵
                                            • Executes dropped EXE
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:2368
                                            • C:\Windows\System32\cmd.exe
                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\z3bbUpz34c.bat"
                                              14⤵
                                                PID:2960
                                                • C:\Windows\system32\w32tm.exe
                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                  15⤵
                                                    PID:1056
                                                  • C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe
                                                    "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe"
                                                    15⤵
                                                    • Executes dropped EXE
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:2280
                                                    • C:\Windows\System32\cmd.exe
                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vhtd8auDHa.bat"
                                                      16⤵
                                                        PID:1680
                                                        • C:\Windows\system32\w32tm.exe
                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                          17⤵
                                                            PID:2628
                                                          • C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe
                                                            "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe"
                                                            17⤵
                                                            • Executes dropped EXE
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:1372
                                                            • C:\Windows\System32\cmd.exe
                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\x8TIUMdSeB.bat"
                                                              18⤵
                                                                PID:2004
                                                                • C:\Windows\system32\w32tm.exe
                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                  19⤵
                                                                    PID:1700
                                                                  • C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe
                                                                    "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe"
                                                                    19⤵
                                                                    • Executes dropped EXE
                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    PID:2168
                                                                    • C:\Windows\System32\cmd.exe
                                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\45aGjaybPu.bat"
                                                                      20⤵
                                                                        PID:1160
                                                                        • C:\Windows\system32\w32tm.exe
                                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                          21⤵
                                                                            PID:1408
                                                                          • C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe
                                                                            "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe"
                                                                            21⤵
                                                                            • Executes dropped EXE
                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:2396
                                                                            • C:\Windows\System32\cmd.exe
                                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hiVaTihpWK.bat"
                                                                              22⤵
                                                                                PID:908
                                                                                • C:\Windows\system32\w32tm.exe
                                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                  23⤵
                                                                                    PID:1708
                                                                                  • C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe
                                                                                    "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe"
                                                                                    23⤵
                                                                                    • Executes dropped EXE
                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                    PID:2184
                                                                                    • C:\Windows\System32\cmd.exe
                                                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\raSqT8qddO.bat"
                                                                                      24⤵
                                                                                        PID:1596
                                                                                        • C:\Windows\system32\w32tm.exe
                                                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                          25⤵
                                                                                            PID:1564
                                                                                          • C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe
                                                                                            "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe"
                                                                                            25⤵
                                                                                            • Executes dropped EXE
                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                            PID:2560
                                                                                            • C:\Windows\System32\cmd.exe
                                                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3j9hYFnRH7.bat"
                                                                                              26⤵
                                                                                                PID:2468
                                                                                                • C:\Windows\system32\w32tm.exe
                                                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                  27⤵
                                                                                                    PID:2656
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\Idle.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2608
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Idle.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2724
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows NT\Idle.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2640
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Program Files\Uninstall Information\audiodg.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2600
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\audiodg.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2660
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\audiodg.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2108
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\providercommon\audiodg.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:3064
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1832
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1892
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\providercommon\OSPPSVC.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1408
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2408
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:776
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Windows\ServiceProfiles\LocalService\Links\WmiPrvSE.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1688
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\LocalService\Links\WmiPrvSE.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1800
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Windows\ServiceProfiles\LocalService\Links\WmiPrvSE.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2320
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\lsass.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1708
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\lsass.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1564
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\lsass.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1368
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Windows\SysWOW64\Setup\de-DE\taskhost.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2940
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\SysWOW64\Setup\de-DE\taskhost.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2812
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Windows\SysWOW64\Setup\de-DE\taskhost.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2208
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\WMIADAP.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:3036
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\WMIADAP.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2168
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 5 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\WMIADAP.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2944
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Mozilla Firefox\browser\VisualElements\csrss.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1920
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\browser\VisualElements\csrss.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1044
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Mozilla Firefox\browser\VisualElements\csrss.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1308
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\sppsvc.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2632
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1676
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:788
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\OSPPSVC.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1892
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\OSPPSVC.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1056
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\OSPPSVC.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1732
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Windows\ModemLogs\System.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1720
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\ModemLogs\System.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1440
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Windows\ModemLogs\System.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2156
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\providercommon\taskhost.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:468
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1284
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1680
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2780
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1868
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2168
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\providercommon\explorer.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:896
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2864
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2880

                                              Network

                                              MITRE ATT&CK Enterprise v15

                                              Replay Monitor

                                              Loading Replay Monitor...

                                              Downloads

                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                Filesize

                                                342B

                                                MD5

                                                5d6fd41eebfa4174203d7bd19ca6600b

                                                SHA1

                                                2f67af35c7e39198b46afb31d3c21c51f4ca014e

                                                SHA256

                                                13abd8d89ae7c8a105559ae698d46771257bd89c5bf01bd72d60ec400ccb044d

                                                SHA512

                                                3deea747cae4e8a02e29bcf110e4a59d046ab7b9083fd3fa4c16b036bb33f870c2356639fc56a2ad3ebcae4b1dddcfc838c90b4cfec725b56d34114fce2d8f3a

                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                Filesize

                                                342B

                                                MD5

                                                cae8fd11ae4e4274ca1aab23a683538c

                                                SHA1

                                                204dba8e4b94243eb8aa5d41ef5f0819ae8e8cfe

                                                SHA256

                                                26e20412b7d904aed106456d3e6acfffc5ea7b8347f39168624125e2ad031a3a

                                                SHA512

                                                3beda58f928dff6ed3ec058391cb4576c43ba491e0c7a9e7e145aaf2c21b08208add683d0629f0b532f81b59ff56a458b52bae5c30c267a9e4add4c1501d92fe

                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                Filesize

                                                342B

                                                MD5

                                                d52f6eab838c271d8193e18146f2c980

                                                SHA1

                                                48e136c3323a1e2932de16e59501eae66fb4b435

                                                SHA256

                                                ee08a9c1b135db6ecb7aedc6cbd2bf5fb59ca01d6a88930f90ddf20c675f7fd8

                                                SHA512

                                                3ca443d4897a1fdb933da5beaa43fe95bd26c119ced89d229404bffde6dabf48084390a3f2f6cef1ecfa547847ba9d7722ab237ebb9e9d57b676caf1cb46f73b

                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                Filesize

                                                342B

                                                MD5

                                                64532333906dafb01aaf69bfcdb9ae81

                                                SHA1

                                                e915c97d713606b8b27a841b1886a38334122be0

                                                SHA256

                                                2cb2eb28b11856f78599e6d32ee1cd20559ec4ecf2807dff7c251b012893f8fe

                                                SHA512

                                                0381e625b6e4c6cb30c37bfe5d880e7f94bcc3807cad32cef3a5b45b68883364882144b96cfec8271c21e4af7ebfbb1a2712eccf07188e0eca8974833ad76653

                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                Filesize

                                                342B

                                                MD5

                                                de8fed42977b4fb706b7c5ebc5df1a49

                                                SHA1

                                                c54b14d625b060b6f5b7097d31ca2453e0a06173

                                                SHA256

                                                73ca5f7c6f8308c1d9df6b61301c1f5e2783da0b247b17aac9820cef8d66bb56

                                                SHA512

                                                d849b5c8d0804705cabe731a7b0bee5bb50a0c03b2f2b67d3f0357955ab4ed4f00c4a88d318c7059eb2331181910c7703772d9e43198b0618d0b269f4fad50a2

                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                Filesize

                                                342B

                                                MD5

                                                ec61c2ea17fcff8372fcc3bf4517d8a1

                                                SHA1

                                                85ca9bfb60f08a68b186c06c3cea37389035cff4

                                                SHA256

                                                fc7d5e972af7b31e5900a70a5b9f48046f7c324cd5efa5406d81e09ec2871273

                                                SHA512

                                                d05c930e3d68e15b7d7e4e62623f11d332a2d7eb45a93a98a022ef8c3d2a05b5b49ea95637fe674c4fad81050922fec3f8b1fccba60d88a7fd311ec93d0472e1

                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                Filesize

                                                342B

                                                MD5

                                                a475bcb43038c8b4e5e66ca3325547ce

                                                SHA1

                                                373ada6d9642435174026a7989bb48c46163670d

                                                SHA256

                                                8da22cb8e4c2f8f3d777d3ce8234f10381648ad8da8aaae38735096a3b6b01a9

                                                SHA512

                                                4f9975328f5de7d0aff45170dbe1b8982962857d875771018ea6119704e17d80a12748ea0c134b9de23ae610b5a8c802af8e3abe2e0aa5756d04a28e1934f706

                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                Filesize

                                                342B

                                                MD5

                                                865d5038aab439ea3964829088fb5f58

                                                SHA1

                                                3af7c6839a15b41a07bfd99a8646493119b5471f

                                                SHA256

                                                5ad549176af5374e79aefd03a8bb04db75317fc420dd01269cc7c275b1dc4d42

                                                SHA512

                                                aa41f710e8bdac3b739d8d266c8ce81ea846d71e2ff5e550ff7d30693f8cfe5a51d84c4c91c0e7c27dac4c57790da01a5cb42bf74b5236a9a6e1cddf457fe193

                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                Filesize

                                                342B

                                                MD5

                                                447661bb6f1c71f75591b7a0d9360ffe

                                                SHA1

                                                0ed169ef8c62f62302590de75eb00aaa20601a14

                                                SHA256

                                                af1086cfc5a7d483a31081d4098421635062b29dab26b9c75f1be5ae82dd7a7f

                                                SHA512

                                                1d948ae77fd7961810ae67ec4659a5654e3543c1db87ef95302a270e753dd8a21d2d7619cc6d3435743d216bfe2e7c2a21d602568dc00ff240fd2643c7c773f4

                                              • C:\Users\Admin\AppData\Local\Temp\3j9hYFnRH7.bat

                                                Filesize

                                                239B

                                                MD5

                                                c2ecbde4fd26e9318b9fddcc6039c863

                                                SHA1

                                                f68054b95950cbff22952b481839aeba93e8300e

                                                SHA256

                                                9950e266f58e8b59c1843891f1a861b5dfe74f7102f0d03c54335357d1fa3359

                                                SHA512

                                                016b02c3622ea1fcc88f1d91788270a2bce31b2c3cec3932e2fd832e4ef3af56c1de000303772b3cd52d5424a6feffd096c302d758b6f1679d30f22ac5a8028f

                                              • C:\Users\Admin\AppData\Local\Temp\45aGjaybPu.bat

                                                Filesize

                                                239B

                                                MD5

                                                fe01f819a58680f2d42e22e36a876911

                                                SHA1

                                                cec6691165835228328353c307606c15972977b3

                                                SHA256

                                                d9bee0f49f234a2bbc7c3f7c42dc3e73c17e31cde8ebc48ea6ab26baf4eac4ba

                                                SHA512

                                                42462ef14cfb6c8984b5258d548223b556587909060ee1bbec0621eeb3fe765ecaea52bdd1207932c7ab6bd59e27d218937b2467dbecd1b7709e5dccb91636ec

                                              • C:\Users\Admin\AppData\Local\Temp\Cab3D41.tmp

                                                Filesize

                                                70KB

                                                MD5

                                                49aebf8cbd62d92ac215b2923fb1b9f5

                                                SHA1

                                                1723be06719828dda65ad804298d0431f6aff976

                                                SHA256

                                                b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                                SHA512

                                                bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                              • C:\Users\Admin\AppData\Local\Temp\F8wGhM86rN.bat

                                                Filesize

                                                239B

                                                MD5

                                                da724775e2fa98fc99bbf9f03006d9f3

                                                SHA1

                                                91160a017e25ac8988b0dfba49898f758bb859ed

                                                SHA256

                                                3c2f7c14104fe91468682de8bd55cbb5c49613a164577c88d02aeb68fc064164

                                                SHA512

                                                f438edba270631720d91d1c1faf01f66924261722d6d88af4fb4b8474e5dda61943078e9daacfcdd230d5415c51d4d82071bff53c04f61c0ae92a94e3d2972e2

                                              • C:\Users\Admin\AppData\Local\Temp\Tar3D63.tmp

                                                Filesize

                                                181KB

                                                MD5

                                                4ea6026cf93ec6338144661bf1202cd1

                                                SHA1

                                                a1dec9044f750ad887935a01430bf49322fbdcb7

                                                SHA256

                                                8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                                                SHA512

                                                6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                              • C:\Users\Admin\AppData\Local\Temp\hiVaTihpWK.bat

                                                Filesize

                                                239B

                                                MD5

                                                e45c983dedab124e4f0e61929aa5ae61

                                                SHA1

                                                e788f8a5ae1d7fa0966b6b816b6a3d067af9d9d1

                                                SHA256

                                                32b7d2344bbedf19174a98dd0ddb787d48afe489c9bef2d45f36ecd62cc62059

                                                SHA512

                                                0437c97a04505aa28069cd81d0842b8322302b0d8f097acaf764e954ff0c5e641fa4c9681558a9d27c915ba2e594c36ec0357931037b1300697a68945ca8cf24

                                              • C:\Users\Admin\AppData\Local\Temp\qX4ufk0Q6M.bat

                                                Filesize

                                                239B

                                                MD5

                                                4b20a99169dd8954c0b3bdaa12cbcca1

                                                SHA1

                                                a3757f3e91ea566bbbf1356e676133bfaf785d1d

                                                SHA256

                                                612fe5321ce0495271ce1de943dfa91a447b59fc6587e42d581a29ccf6a13b97

                                                SHA512

                                                60c6b4a899a58827471a11e88b68ecfa3b038ddafefd703e4917c69d42684c1655f4e541140492da6c1874562b4b86101831c398878fa248b1ddcee4161469a5

                                              • C:\Users\Admin\AppData\Local\Temp\raSqT8qddO.bat

                                                Filesize

                                                239B

                                                MD5

                                                74150b33e3ce3af925f126cd61cc0128

                                                SHA1

                                                d4e73d9cc58125f21c50af56cba1ac09e6fe03a1

                                                SHA256

                                                038ffa50dadd3d8f5feb6741ec5da39b04755737a0fabe6b386a808952756c3e

                                                SHA512

                                                b565a86762932424304f95c476c867ffa2c17ed1110183eb8bb8e3c18345e3288f403501710bb250a0bab71e4d0f5ec913f1cd02cb5c8e4154379ea700f8c3a0

                                              • C:\Users\Admin\AppData\Local\Temp\tPRueI6iqX.bat

                                                Filesize

                                                239B

                                                MD5

                                                8d3b13fa7f4930f41eef71f17aa33f13

                                                SHA1

                                                614334469f68e8418c6fcb3df22e1017fa86a082

                                                SHA256

                                                3ab7b5196727fe6618bb8d3c43ec9a5d4a31e69a40065e5644d2b18900937ff4

                                                SHA512

                                                cc48f06f4c2d8b4d2c4787ef7697405373f1524f77e806c43e7fdf27ac76cd759a475d3b5e3b3c6077db92193dfb0245957a64a8e838ae995e3983356064b41c

                                              • C:\Users\Admin\AppData\Local\Temp\uItNEyebdJ.bat

                                                Filesize

                                                239B

                                                MD5

                                                25b7e8887e332ae3c3898929022babf5

                                                SHA1

                                                d9982ec19ed7be3c7780bd80d77bac6712f4fd85

                                                SHA256

                                                d4adbcd339c668bb48a08bc1cc89a262cd9b811b1317869129fc43102406a3c4

                                                SHA512

                                                a68f87cb8742d0641cf4625aad8ea6eb0d41e6305841fe75d1198e22736afed49dd816276c2c31fa984007f4b919ad1688dd9865ecd3babce96857ddafba99e7

                                              • C:\Users\Admin\AppData\Local\Temp\vhtd8auDHa.bat

                                                Filesize

                                                239B

                                                MD5

                                                604bd767db3873c224001c1d914afd7c

                                                SHA1

                                                b7293fa825710624599f996fa98825ccb199d1f9

                                                SHA256

                                                eca0613ba10a981fb8601000aa23363b398aef9e0ecc1ee2f609a8c35855b3d0

                                                SHA512

                                                1cefb85ba12d6d76dc88872b9cc9a25c148e9ae34cebdc43bdf2e13af2e718e8184456418872c06d796a67eda1c072b57665649201e5f3aa6ff6cc986b0e371c

                                              • C:\Users\Admin\AppData\Local\Temp\x8TIUMdSeB.bat

                                                Filesize

                                                239B

                                                MD5

                                                b77d94a40c50fb5faac88f807f5aa012

                                                SHA1

                                                c416a7145218401be342d9f42d2dc3fb15efefba

                                                SHA256

                                                3afdf182529b0e511cdd5b501d94ca437c8eddf85cd07eeff6a7c252ad383250

                                                SHA512

                                                f70330d5dd9065ab348b7878e700b4f255deeba1eaaa14cfa4315fe0df2cccce34b7d47aed16263566f38208b926c4e3b6992991eab411c797574eaff7855c82

                                              • C:\Users\Admin\AppData\Local\Temp\z3bbUpz34c.bat

                                                Filesize

                                                239B

                                                MD5

                                                a63a7a5d76c0e19beccfd768e98ed2b3

                                                SHA1

                                                eca12444131be8e48ab56fd72107edaaf21cc2bc

                                                SHA256

                                                706f0684d75f4b69139136512422654bf0142d82d0452bb34f478b8539bb42f7

                                                SHA512

                                                c03a926bf2461b1427685d3ac78d153126ba3d18c8f206ac954daf85314c9fa79089d12f664198e81fd2e466feeefec8234255abbf215f4f9816678fcc597712

                                              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                                Filesize

                                                7KB

                                                MD5

                                                c2e132cc138d4f92f7f694c9ce93f8d0

                                                SHA1

                                                577c6d6ee15a5553d3cace51f2af6dc5047f70aa

                                                SHA256

                                                1398bf1c5878de0fa73a8ba86ab1b87002b9bec2eb6d011f6320c6cd375b3978

                                                SHA512

                                                5ee7b16bb554a7afb3108fd193b0dd0c94857b73b556cf2059ad1cfdfa2969e88ba47b24cccc94ef081fc85bb4a2a69364ccef753cc289abb0afbe543abb0dee

                                              • C:\providercommon\1zu9dW.bat

                                                Filesize

                                                36B

                                                MD5

                                                6783c3ee07c7d151ceac57f1f9c8bed7

                                                SHA1

                                                17468f98f95bf504cc1f83c49e49a78526b3ea03

                                                SHA256

                                                8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

                                                SHA512

                                                c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                              • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                                Filesize

                                                197B

                                                MD5

                                                8088241160261560a02c84025d107592

                                                SHA1

                                                083121f7027557570994c9fc211df61730455bb5

                                                SHA256

                                                2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

                                                SHA512

                                                20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                              • \providercommon\DllCommonsvc.exe

                                                Filesize

                                                1.0MB

                                                MD5

                                                bd31e94b4143c4ce49c17d3af46bcad0

                                                SHA1

                                                f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                                SHA256

                                                b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                                SHA512

                                                f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                              • memory/1372-439-0x00000000006F0000-0x0000000000702000-memory.dmp

                                                Filesize

                                                72KB

                                              • memory/2168-499-0x0000000000110000-0x0000000000220000-memory.dmp

                                                Filesize

                                                1.1MB

                                              • memory/2184-619-0x00000000003F0000-0x0000000000500000-memory.dmp

                                                Filesize

                                                1.1MB

                                              • memory/2288-141-0x0000000000310000-0x0000000000420000-memory.dmp

                                                Filesize

                                                1.1MB

                                              • memory/2396-559-0x0000000001110000-0x0000000001220000-memory.dmp

                                                Filesize

                                                1.1MB

                                              • memory/2400-201-0x00000000003C0000-0x00000000003D2000-memory.dmp

                                                Filesize

                                                72KB

                                              • memory/2400-200-0x00000000010B0000-0x00000000011C0000-memory.dmp

                                                Filesize

                                                1.1MB

                                              • memory/2560-679-0x0000000000D10000-0x0000000000E20000-memory.dmp

                                                Filesize

                                                1.1MB

                                              • memory/2692-14-0x00000000003C0000-0x00000000003D2000-memory.dmp

                                                Filesize

                                                72KB

                                              • memory/2692-15-0x00000000005D0000-0x00000000005DC000-memory.dmp

                                                Filesize

                                                48KB

                                              • memory/2692-13-0x0000000000E80000-0x0000000000F90000-memory.dmp

                                                Filesize

                                                1.1MB

                                              • memory/2692-16-0x00000000003D0000-0x00000000003DC000-memory.dmp

                                                Filesize

                                                48KB

                                              • memory/2692-17-0x0000000000C90000-0x0000000000C9C000-memory.dmp

                                                Filesize

                                                48KB

                                              • memory/2740-261-0x0000000000590000-0x00000000005A2000-memory.dmp

                                                Filesize

                                                72KB

                                              • memory/2796-73-0x000000001B640000-0x000000001B922000-memory.dmp

                                                Filesize

                                                2.9MB

                                              • memory/2796-74-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

                                                Filesize

                                                32KB

                                              • memory/2848-122-0x00000000027E0000-0x00000000027E8000-memory.dmp

                                                Filesize

                                                32KB

                                              • memory/2848-112-0x000000001B570000-0x000000001B852000-memory.dmp

                                                Filesize

                                                2.9MB