Analysis

  • max time kernel
    144s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    21-12-2024 18:44

General

  • Target

    JaffaCakes118_e8bfb03c2723402788ab77985603ae1581185b63c62605b3642db92181aa5953.exe

  • Size

    1.3MB

  • MD5

    39fd0409d80bfee512ce370d464fe7a6

  • SHA1

    c69afc0bfb0f595ed63fc93db2d51ffb0fb53244

  • SHA256

    e8bfb03c2723402788ab77985603ae1581185b63c62605b3642db92181aa5953

  • SHA512

    b18e351ce75720ce5c3a7575cff068eb7069852dfd2ba309cb594e37f2f88da07b97cf2bb7c06f51266050f124004c3a0f9ef1df541a42e624592549f1be5af8

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 57 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 10 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 11 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs
  • Drops file in Program Files directory 10 IoCs
  • Drops file in Windows directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 34 IoCs
  • Suspicious use of AdjustPrivilegeToken 30 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e8bfb03c2723402788ab77985603ae1581185b63c62605b3642db92181aa5953.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e8bfb03c2723402788ab77985603ae1581185b63c62605b3642db92181aa5953.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1632
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2548
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2020
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:780
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2792
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\twain_32\audiodg.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2908
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\ja-JP\explorer.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2640
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\Idle.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2692
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Panther\UnattendGC\winlogon.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2584
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\spoolsv.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2396
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\es-ES\taskhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2632
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Music\Sample Music\explorer.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1684
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2652
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\lsm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2664
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2032
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2728
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\ja-JP\System.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1028
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\sppsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3004
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wininit.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2444
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1496
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\services.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2940
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ehome\fr-FR\WmiPrvSE.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2688
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1524
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\browser\VisualElements\spoolsv.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2008
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\otf5C6o01g.bat"
            5⤵
              PID:1788
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                6⤵
                  PID:1140
                • C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe
                  "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe"
                  6⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2420
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sNl5EWIzDs.bat"
                    7⤵
                      PID:2328
                      • C:\Windows\system32\w32tm.exe
                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                        8⤵
                          PID:2772
                        • C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe
                          "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe"
                          8⤵
                          • Executes dropped EXE
                          PID:2292
                          • C:\Windows\System32\cmd.exe
                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HD5NsnfB5C.bat"
                            9⤵
                              PID:2776
                              • C:\Windows\system32\w32tm.exe
                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                10⤵
                                  PID:2120
                                • C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe
                                  "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe"
                                  10⤵
                                  • Executes dropped EXE
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:320
                                  • C:\Windows\System32\cmd.exe
                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SsFcJDxdf6.bat"
                                    11⤵
                                      PID:2648
                                      • C:\Windows\system32\w32tm.exe
                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                        12⤵
                                          PID:2836
                                        • C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe
                                          "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe"
                                          12⤵
                                          • Executes dropped EXE
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:2844
                                          • C:\Windows\System32\cmd.exe
                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\L8pPJcA7Kt.bat"
                                            13⤵
                                              PID:2972
                                              • C:\Windows\system32\w32tm.exe
                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                14⤵
                                                  PID:444
                                                • C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe
                                                  "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe"
                                                  14⤵
                                                  • Executes dropped EXE
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:2360
                                                  • C:\Windows\System32\cmd.exe
                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RgqsKqwwLg.bat"
                                                    15⤵
                                                      PID:1720
                                                      • C:\Windows\system32\w32tm.exe
                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                        16⤵
                                                          PID:2800
                                                        • C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe
                                                          "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe"
                                                          16⤵
                                                          • Executes dropped EXE
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:2776
                                                          • C:\Windows\System32\cmd.exe
                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OVj8bjUD5N.bat"
                                                            17⤵
                                                              PID:3032
                                                              • C:\Windows\system32\w32tm.exe
                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                18⤵
                                                                  PID:2836
                                                                • C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe
                                                                  "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe"
                                                                  18⤵
                                                                  • Executes dropped EXE
                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:1640
                                                                  • C:\Windows\System32\cmd.exe
                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D9KWG0zl28.bat"
                                                                    19⤵
                                                                      PID:2028
                                                                      • C:\Windows\system32\w32tm.exe
                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                        20⤵
                                                                          PID:1272
                                                                        • C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe
                                                                          "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe"
                                                                          20⤵
                                                                          • Executes dropped EXE
                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          PID:1112
                                                                          • C:\Windows\System32\cmd.exe
                                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zGIMjSYhT8.bat"
                                                                            21⤵
                                                                              PID:1408
                                                                              • C:\Windows\system32\w32tm.exe
                                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                22⤵
                                                                                  PID:708
                                                                                • C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe
                                                                                  "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe"
                                                                                  22⤵
                                                                                  • Executes dropped EXE
                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                  PID:1940
                                                                                  • C:\Windows\System32\cmd.exe
                                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Tcsv1v0qfT.bat"
                                                                                    23⤵
                                                                                      PID:2560
                                                                                      • C:\Windows\system32\w32tm.exe
                                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                        24⤵
                                                                                          PID:1628
                                                                                        • C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe
                                                                                          "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe"
                                                                                          24⤵
                                                                                          • Executes dropped EXE
                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:1760
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Windows\twain_32\audiodg.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:3056
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\twain_32\audiodg.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2664
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Windows\twain_32\audiodg.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2656
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files\DVD Maker\ja-JP\explorer.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2684
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\ja-JP\explorer.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2644
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files\DVD Maker\ja-JP\explorer.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2700
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\Idle.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2040
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\Idle.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2008
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\Idle.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1040
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Windows\Panther\UnattendGC\winlogon.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1904
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Panther\UnattendGC\winlogon.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:992
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Windows\Panther\UnattendGC\winlogon.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1244
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\spoolsv.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:580
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2888
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2952
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Mail\es-ES\taskhost.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2036
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\es-ES\taskhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1616
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Mail\es-ES\taskhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1272
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Music\Sample Music\explorer.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1900
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Public\Music\Sample Music\explorer.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1512
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Music\Sample Music\explorer.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2004
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2028
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2352
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2140
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Journal\lsm.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:556
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\lsm.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2112
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Journal\lsm.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2496
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2348
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1096
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2192
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2200
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1308
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1356
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Defender\ja-JP\System.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:900
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\ja-JP\System.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2356
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Defender\ja-JP\System.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1652
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\sppsvc.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1864
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\sppsvc.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1780
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\sppsvc.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:776
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wininit.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2512
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2224
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:380
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\providercommon\lsass.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2612
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2128
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1968
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\services.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2188
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\services.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1608
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\services.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1876
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Windows\ehome\fr-FR\WmiPrvSE.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2420
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\ehome\fr-FR\WmiPrvSE.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:3048
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Windows\ehome\fr-FR\WmiPrvSE.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1716
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2376
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1720
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1732
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Mozilla Firefox\browser\VisualElements\spoolsv.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:336
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\browser\VisualElements\spoolsv.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2828
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Mozilla Firefox\browser\VisualElements\spoolsv.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2796

                                          Network

                                          MITRE ATT&CK Enterprise v15

                                          Replay Monitor

                                          Loading Replay Monitor...

                                          Downloads

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                            Filesize

                                            342B

                                            MD5

                                            7e2375616e2ae684bf96dc09b84c020d

                                            SHA1

                                            d375f1b0a22aaa9127cbdbea6c3f3febb78db72c

                                            SHA256

                                            471bc7a1cc886905c952128dd403b5fa606f98d6f1f919a0a4916ff2063bf384

                                            SHA512

                                            0560a688d6047ccd7c85cc131662cee2ad4438cce406cf9e84c24cdbd2c01dec9ca7befe8eb410d28aa8c9daa268943e9c13fc4507d9bef866dd1fc4ba492af7

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                            Filesize

                                            342B

                                            MD5

                                            38e282edd0de8ad0c56111782f965929

                                            SHA1

                                            f8ce931842f3e7d34a8776a08fe7bc2479c8ad0e

                                            SHA256

                                            e19d39f6c6fb9bb0d44931a07997c7f9f32eaeffa4fd0956576fe4c5c4fb03cb

                                            SHA512

                                            7b5b014a27e5e2aef85814a638016bed086e02bd6b8d280fa8b7952848839241692b55a0d009789b9cb2869582305b4afb61fbad9f6bac823844caa515486a0e

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                            Filesize

                                            342B

                                            MD5

                                            f855bd6df407f493e7a1287a1552e838

                                            SHA1

                                            2470ef5e7c4d277ef2c1dde0a60302abf2a916d5

                                            SHA256

                                            6755d659bb6856ddb67cc9d5dffd6988cc1fd84b574fd12428422f36b218ece7

                                            SHA512

                                            095121e6dc7f4000b1cdbb6c5c548e506eee37e7db163619ca84ecd41ebb73112644f490761bd2832031724ba8f8dae507f3db82dc0c4e9ae0341064bad15bc5

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                            Filesize

                                            342B

                                            MD5

                                            c8e34afe8fae8f14eccf08c783cf8383

                                            SHA1

                                            8c5da323797d7029878549178acba4e324d60458

                                            SHA256

                                            4cbac88d385bf7ead1dcba94077015b038a9d8c1c3b8b7f70e5d6ea9f1a8613a

                                            SHA512

                                            09463bcf7fab5524c9be143c765d6e31df19fe92920620e366cc23525d5f9c604a0e4f8b6e4ad442beddaa148b222f50aa8dd1202668cc6598f80e93f32b4244

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                            Filesize

                                            342B

                                            MD5

                                            5f2bd19fe58f9d846a81b00aaaa92cea

                                            SHA1

                                            4be2cc9282070b3287f9d79cd9143ab0bd6fc442

                                            SHA256

                                            e6be8d29e1903e7cd794415249d4a176fd68f0d56a2bf275a5f0d591205d0dfe

                                            SHA512

                                            73b26f2d036c3f6c738ad666916c97cea9e69f389e60e36c20cf79df200b5804d52aaab1d7f894ea076cb3637eacde1e1ff10e4e2738f3d05e795456f2265824

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                            Filesize

                                            342B

                                            MD5

                                            70f8854550d676da6cb6a0106fc64f6b

                                            SHA1

                                            e43b1fb642c482cede6752274183b7db70dc4f7f

                                            SHA256

                                            281f886112fd32e7c77abcff8a8d133dc5f95d9f2234d95118af730545be6b56

                                            SHA512

                                            a8aa5d10575303b858fde8918622baadebde709a8ad104cbfa63c713baf57f75b08e81f1b50de67872396aeead1ccfb41d0adbcd8654561c41c695f6bdc553c2

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                            Filesize

                                            342B

                                            MD5

                                            5d97cfe7b4842335fe53e3ec4438caf8

                                            SHA1

                                            642e27c2f148df058efb7bb9418dbb2d107814cd

                                            SHA256

                                            34b424403a21ee3a02fcbb706a058a6b31ac203bdb8adf8e15fc46bbefd3ecda

                                            SHA512

                                            5674358d2b10af94a754c975f5ec8404f9336daca77aa2183f8a32136e0a29c11959cfe40d7307979f5e9fd15c7acd4f0ae0c90fc89baeb0271b6297c1b7a0e1

                                          • C:\Users\Admin\AppData\Local\Temp\CabA40.tmp

                                            Filesize

                                            70KB

                                            MD5

                                            49aebf8cbd62d92ac215b2923fb1b9f5

                                            SHA1

                                            1723be06719828dda65ad804298d0431f6aff976

                                            SHA256

                                            b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                            SHA512

                                            bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                          • C:\Users\Admin\AppData\Local\Temp\D9KWG0zl28.bat

                                            Filesize

                                            225B

                                            MD5

                                            bb9ecef042a2c77ead7801dbc5922dfe

                                            SHA1

                                            0f65bf4346a66591b18dbabf3f2e1814370cf52a

                                            SHA256

                                            62e3d9497284cc6d25b42bbc65338fdab3da26d1d19b907ea09c3eb3bbfc32e8

                                            SHA512

                                            8b29ae751c6603f2bde359675358938d640215c89b02ea269683f5170baf394fdcfdb5e74e8112086b3d7a27f2f6bec7002f35d2746bcb22b4d2eb9dbe8e9500

                                          • C:\Users\Admin\AppData\Local\Temp\L8pPJcA7Kt.bat

                                            Filesize

                                            225B

                                            MD5

                                            0b2e370c8e8b97048d6b19363f1ef3e6

                                            SHA1

                                            6198d400cf357d1ecae54fb325fe345a6fcabdf6

                                            SHA256

                                            d56a647b7c91f537604f39faf83d2f8f69f53acc3f4005cb1e512372af69f2e6

                                            SHA512

                                            d83a427b54f8c78d516e82d99e2e8f88fe42053cf8a5727c08fb4970ee5a0edd4a5a363aeb6ed242c87574f8010cf36f490da6451d4df85b037774b1e05a759b

                                          • C:\Users\Admin\AppData\Local\Temp\OVj8bjUD5N.bat

                                            Filesize

                                            225B

                                            MD5

                                            fef8269fd76d2451897f900a48efd6be

                                            SHA1

                                            92632e3970eff60ad056f32e5373e0f7447925df

                                            SHA256

                                            247f0302b8cbbfb366d3d7f872537546a06f540114fb3432613404f10ee7cc57

                                            SHA512

                                            f3f93cc28fc3e673a4aeb109701bc2f94ff8e0c70f5aa72fa95d03842239ec543d22a5bc803e11f9c5d659fdb1e1e8ec799e0f0510b24e94c0e4afb38f65d39c

                                          • C:\Users\Admin\AppData\Local\Temp\RgqsKqwwLg.bat

                                            Filesize

                                            225B

                                            MD5

                                            5830903b5b8f8f86ac7f12a5a8dae1d7

                                            SHA1

                                            8f4c389e62bbc965327e187e6195564e3c01feb1

                                            SHA256

                                            197bab1703991e806699099e20a53184cc9c471e6e291998807f412f1d8d6ade

                                            SHA512

                                            4dfa7b61244e7c7a9f8a01fda9d3ff202acd4630f3bffb23829cf7533f5d12f102b4a20d69b230b793687e0841020eadf56c9a34be787d452e60b422d849007a

                                          • C:\Users\Admin\AppData\Local\Temp\SsFcJDxdf6.bat

                                            Filesize

                                            225B

                                            MD5

                                            3757e75e1d6cd28b198177eac340480a

                                            SHA1

                                            9b1e1934a713b959748ee2027f45192094715fd6

                                            SHA256

                                            f1f67ffe95bd20b25044c188da89ce9610397e9c074697f740f84e24a0cea2fd

                                            SHA512

                                            dcb1d2eeeb947e3c1b9c96b7cda0c2d3bceb24f7c08635cce6061a3e71047b4e789fefca12642644d9d292ce97a939ef67e4274490f99e4b71b73086b407640b

                                          • C:\Users\Admin\AppData\Local\Temp\TarA62.tmp

                                            Filesize

                                            181KB

                                            MD5

                                            4ea6026cf93ec6338144661bf1202cd1

                                            SHA1

                                            a1dec9044f750ad887935a01430bf49322fbdcb7

                                            SHA256

                                            8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                                            SHA512

                                            6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                          • C:\Users\Admin\AppData\Local\Temp\Tcsv1v0qfT.bat

                                            Filesize

                                            225B

                                            MD5

                                            5ed711489c744478613e57527f4f1361

                                            SHA1

                                            80c9d42aacde1ca17314fbc5bcee92f56dce5dca

                                            SHA256

                                            5833240ed4757924c7461a3633fc57ebc87c2c277fd2f6af795d8043e4bec3e4

                                            SHA512

                                            867647a9592925229c6e133c852794575bef59b68804f4a1be2662209706dab069d95053dbc44b4b57b4234af0e6832e6e7ddc2e77b9cc10a5f92fa59221f269

                                          • C:\Users\Admin\AppData\Local\Temp\otf5C6o01g.bat

                                            Filesize

                                            225B

                                            MD5

                                            557bcd1919e2b9015458e346fc2f7858

                                            SHA1

                                            afb77d15ddb0644c681b917c3a426e8f97bae118

                                            SHA256

                                            bcc79bac00aeff50c46e4eba7cf5d364a8190fd028269f7d4c87fab042854637

                                            SHA512

                                            d0c01fc0dee38f5be80be60a68feb341b13b1328cb4f4590b1d999fc01aafc0f670be4178a9416f8d9894288e75b70b49a81a6dcf5efb913888e76d0ec4ed0e5

                                          • C:\Users\Admin\AppData\Local\Temp\sNl5EWIzDs.bat

                                            Filesize

                                            225B

                                            MD5

                                            c7be5972678383d0941f337f2ffd8ea7

                                            SHA1

                                            bd7c1b3d2f6b8d9849ba738de336110b9524e2b2

                                            SHA256

                                            544935099e4bc19baae7c7922514ac9ca60cec3761f86ccb583cb93bd2c4e227

                                            SHA512

                                            5e6da6abf29da1def96b17df3f4b41ded8dd3528317060349cb5b1f9f3b3735642ac375c4e56a69becdaf61b895b638194b342241f75082b6860b008c13b40d2

                                          • C:\Users\Admin\AppData\Local\Temp\zGIMjSYhT8.bat

                                            Filesize

                                            225B

                                            MD5

                                            81bb8d68245190cb1ca36bd041308c9c

                                            SHA1

                                            e3eaaaaace6a4993b32652b35af6ff1b3b768bfe

                                            SHA256

                                            e27593017836f9fe3ef82771d05b904be17a5f5524b94c31692cbb0be3aaf667

                                            SHA512

                                            52306d2e46700e56d7799e3de1bcb14c0917581829567623d32d9a5776ff6c0864b3c7371fa69b48e65b4f87e43ba762ba5246f1be00c701e118adbfbe052cec

                                          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                            Filesize

                                            7KB

                                            MD5

                                            276daca5b52119a1632eecb9c7c4bdf5

                                            SHA1

                                            4d4fadefea8d57c0df64340fda0c341abe038551

                                            SHA256

                                            2ec02057ffd40e1ac15361818f3cf392ddb9842f47b0d59f965e5fd302af22b5

                                            SHA512

                                            a37fe563a9a9e6057222dbb5a572358eb94fce974d2cfced326fcfe14488a1ec9e5cba00584b0a09471c5c775e0eb2347385c669134897e0464c2ab363343dca

                                          • C:\providercommon\1zu9dW.bat

                                            Filesize

                                            36B

                                            MD5

                                            6783c3ee07c7d151ceac57f1f9c8bed7

                                            SHA1

                                            17468f98f95bf504cc1f83c49e49a78526b3ea03

                                            SHA256

                                            8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

                                            SHA512

                                            c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                          • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                            Filesize

                                            197B

                                            MD5

                                            8088241160261560a02c84025d107592

                                            SHA1

                                            083121f7027557570994c9fc211df61730455bb5

                                            SHA256

                                            2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

                                            SHA512

                                            20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                          • \providercommon\DllCommonsvc.exe

                                            Filesize

                                            1.0MB

                                            MD5

                                            bd31e94b4143c4ce49c17d3af46bcad0

                                            SHA1

                                            f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                            SHA256

                                            b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                            SHA512

                                            f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                          • memory/320-228-0x00000000002C0000-0x00000000002D2000-memory.dmp

                                            Filesize

                                            72KB

                                          • memory/320-227-0x0000000001170000-0x0000000001280000-memory.dmp

                                            Filesize

                                            1.1MB

                                          • memory/780-13-0x0000000000C40000-0x0000000000D50000-memory.dmp

                                            Filesize

                                            1.1MB

                                          • memory/780-17-0x0000000000470000-0x000000000047C000-memory.dmp

                                            Filesize

                                            48KB

                                          • memory/780-14-0x0000000000430000-0x0000000000442000-memory.dmp

                                            Filesize

                                            72KB

                                          • memory/780-16-0x0000000000460000-0x000000000046C000-memory.dmp

                                            Filesize

                                            48KB

                                          • memory/780-15-0x0000000000450000-0x000000000045C000-memory.dmp

                                            Filesize

                                            48KB

                                          • memory/1112-529-0x0000000001200000-0x0000000001310000-memory.dmp

                                            Filesize

                                            1.1MB

                                          • memory/1640-469-0x00000000003D0000-0x00000000003E2000-memory.dmp

                                            Filesize

                                            72KB

                                          • memory/1640-468-0x0000000000130000-0x0000000000240000-memory.dmp

                                            Filesize

                                            1.1MB

                                          • memory/1760-648-0x0000000000CA0000-0x0000000000DB0000-memory.dmp

                                            Filesize

                                            1.1MB

                                          • memory/2292-225-0x000007FEF4D10000-0x000007FEF56FC000-memory.dmp

                                            Filesize

                                            9.9MB

                                          • memory/2360-348-0x0000000000180000-0x0000000000290000-memory.dmp

                                            Filesize

                                            1.1MB

                                          • memory/2420-165-0x0000000000200000-0x0000000000212000-memory.dmp

                                            Filesize

                                            72KB

                                          • memory/2420-164-0x0000000000D80000-0x0000000000E90000-memory.dmp

                                            Filesize

                                            1.1MB

                                          • memory/2632-75-0x0000000001D40000-0x0000000001D48000-memory.dmp

                                            Filesize

                                            32KB

                                          • memory/2632-74-0x000000001B630000-0x000000001B912000-memory.dmp

                                            Filesize

                                            2.9MB

                                          • memory/2776-408-0x0000000000090000-0x00000000001A0000-memory.dmp

                                            Filesize

                                            1.1MB

                                          • memory/2844-288-0x0000000000260000-0x0000000000370000-memory.dmp

                                            Filesize

                                            1.1MB