Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
  • submitted
    21-12-2024 20:22

General

  • Target

    JaffaCakes118_4f1ef6cdf13530542fd4b9b40270d4e7917683628371a14b34866caf0d088498.exe

  • Size

    1.3MB

  • MD5

    dab58b486bea84b9ec67d457ca986a25

  • SHA1

    9ec96b143ecb603f8080422c27a4f54d15cc218b

  • SHA256

    4f1ef6cdf13530542fd4b9b40270d4e7917683628371a14b34866caf0d088498

  • SHA512

    afe599aaae0b518533eb1cd76933d7dc0ef29a418cc886335a3f77b17d157b08900ee04e9491451a0f25341f7682ea1dfc68ab47dc2854e4dc90e649a6d75900

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a .NET RAT, active since June 2019, that is capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 64 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 13 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 32 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs
  • Drops file in Program Files directory 20 IoCs
  • Drops file in Windows directory 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 50 IoCs
  • Suspicious use of AdjustPrivilegeToken 44 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4f1ef6cdf13530542fd4b9b40270d4e7917683628371a14b34866caf0d088498.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4f1ef6cdf13530542fd4b9b40270d4e7917683628371a14b34866caf0d088498.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2672
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2860
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2680
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2820
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3036
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\de-DE\lsm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1000
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\en-US\dllhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3064
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Cookies\taskhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1376
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\Network Sharing\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2108
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\TAPI\cmd.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1844
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\SendTo\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1784
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\smss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1676
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2520
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\smss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2392
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\services.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1992
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\spoolsv.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3060
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nbmyZnkczp.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:3000
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:1452
              • C:\providercommon\DllCommonsvc.exe
                "C:\providercommon\DllCommonsvc.exe"
                6⤵
                • Executes dropped EXE
                • Drops file in Program Files directory
                • Drops file in Windows directory
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:624
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1212
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jre7\lib\images\cursors\audiodg.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2816
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2232
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\de-DE\spoolsv.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1648
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1232
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ehome\MediaRenderer\smss.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:668
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\de-DE\lsass.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2092
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Help\Windows\de-DE\csrss.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1876
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Desktop\WmiPrvSE.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1828
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\spoolsv.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2116
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\wininit.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2928
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\explorer.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2088
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Panther\setup.exe\smss.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:960
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\lsass.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2604
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\es-ES\services.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1712
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dwm.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:636
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dllhost.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2376
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\services.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2300
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2600
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\services.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1884
                • C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dllhost.exe
                  "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dllhost.exe"
                  7⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1584
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FnVhX1xwia.bat"
                    8⤵
                      PID:836
                      • C:\Windows\system32\w32tm.exe
                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                        9⤵
                          PID:832
                        • C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dllhost.exe
                          "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dllhost.exe"
                          9⤵
                          • Executes dropped EXE
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:376
                          • C:\Windows\System32\cmd.exe
                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pCY6B1XXru.bat"
                            10⤵
                              PID:2908
                              • C:\Windows\system32\w32tm.exe
                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                11⤵
                                  PID:1076
                                • C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dllhost.exe
                                  "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dllhost.exe"
                                  11⤵
                                  • Executes dropped EXE
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:2488
                                  • C:\Windows\System32\cmd.exe
                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LkcfmFI5TJ.bat"
                                    12⤵
                                      PID:2100
                                      • C:\Windows\system32\w32tm.exe
                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                        13⤵
                                          PID:2436
                                        • C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dllhost.exe
                                          "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dllhost.exe"
                                          13⤵
                                          • Executes dropped EXE
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:624
                                          • C:\Windows\System32\cmd.exe
                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VhvmsyECnd.bat"
                                            14⤵
                                              PID:2612
                                              • C:\Windows\system32\w32tm.exe
                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                15⤵
                                                  PID:2932
                                                • C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dllhost.exe
                                                  "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dllhost.exe"
                                                  15⤵
                                                  • Executes dropped EXE
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:2584
                                                  • C:\Windows\System32\cmd.exe
                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qRj2XQE6t6.bat"
                                                    16⤵
                                                      PID:1808
                                                      • C:\Windows\system32\w32tm.exe
                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                        17⤵
                                                          PID:2972
                                                        • C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dllhost.exe
                                                          "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dllhost.exe"
                                                          17⤵
                                                          • Executes dropped EXE
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:2180
                                                          • C:\Windows\System32\cmd.exe
                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wKGJ2NUoAL.bat"
                                                            18⤵
                                                              PID:2012
                                                              • C:\Windows\system32\w32tm.exe
                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                19⤵
                                                                  PID:2920
                                                                • C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dllhost.exe
                                                                  "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dllhost.exe"
                                                                  19⤵
                                                                  • Executes dropped EXE
                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:404
                                                                  • C:\Windows\System32\cmd.exe
                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j95GpUP4tv.bat"
                                                                    20⤵
                                                                      PID:2116
                                                                      • C:\Windows\system32\w32tm.exe
                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                        21⤵
                                                                          PID:1604
                                                                        • C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dllhost.exe
                                                                          "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dllhost.exe"
                                                                          21⤵
                                                                          • Executes dropped EXE
                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          PID:2340
                                                                          • C:\Windows\System32\cmd.exe
                                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0LMDaVm4bI.bat"
                                                                            22⤵
                                                                              PID:1824
                                                                              • C:\Windows\system32\w32tm.exe
                                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                23⤵
                                                                                  PID:2504
                                                                                • C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dllhost.exe
                                                                                  "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dllhost.exe"
                                                                                  23⤵
                                                                                  • Executes dropped EXE
                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                  PID:1860
                                                                                  • C:\Windows\System32\cmd.exe
                                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6VAw4LgrmW.bat"
                                                                                    24⤵
                                                                                      PID:2672
                                                                                      • C:\Windows\system32\w32tm.exe
                                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                        25⤵
                                                                                          PID:964
                                                                                        • C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dllhost.exe
                                                                                          "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dllhost.exe"
                                                                                          25⤵
                                                                                          • Executes dropped EXE
                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:352
                                                                                          • C:\Windows\System32\cmd.exe
                                                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DGa94wSM8j.bat"
                                                                                            26⤵
                                                                                              PID:1664
                                                                                              • C:\Windows\system32\w32tm.exe
                                                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                27⤵
                                                                                                  PID:2860
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Journal\de-DE\lsm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    PID:2072
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\de-DE\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    PID:1108
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Journal\de-DE\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    PID:1416
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Mail\en-US\dllhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1152
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\en-US\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    PID:556
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Mail\en-US\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
                                              PID:1904
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Cookies\taskhost.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2952
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Default\Cookies\taskhost.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              PID:1320
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Cookies\taskhost.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              PID:2664
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\csrss.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2912
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\csrss.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2248
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\csrss.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:580
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Windows\TAPI\cmd.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2924
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\TAPI\cmd.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2092
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Windows\TAPI\cmd.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2232
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Default\SendTo\csrss.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:536
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\SendTo\csrss.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              PID:1160
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Default\SendTo\csrss.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:772
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\smss.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              PID:2140
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\smss.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2208
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\smss.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2132
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\providercommon\dllhost.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              PID:1876
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:668
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1828
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\smss.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2956
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\smss.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:444
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\smss.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:3052
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\services.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2004
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\services.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:964
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\services.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1604
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Users\Default\spoolsv.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2604
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default\spoolsv.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              PID:888
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Users\Default\spoolsv.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              PID:1180
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Program Files\Java\jre7\lib\images\cursors\audiodg.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:960
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\lib\images\cursors\audiodg.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2100
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Program Files\Java\jre7\lib\images\cursors\audiodg.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2652
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\providercommon\dllhost.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2376
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2500
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1564
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Defender\de-DE\spoolsv.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              PID:1720
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\de-DE\spoolsv.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:748
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender\de-DE\spoolsv.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:796
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\providercommon\csrss.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2708
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1160
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1584
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Windows\ehome\MediaRenderer\smss.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2892
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\ehome\MediaRenderer\smss.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1364
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Windows\ehome\MediaRenderer\smss.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2592
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Windows\de-DE\lsass.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2572
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\de-DE\lsass.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2612
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Windows\de-DE\lsass.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2576
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\Help\Windows\de-DE\csrss.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              PID:2200
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Help\Windows\de-DE\csrss.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:444
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\Help\Windows\de-DE\csrss.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              PID:3052
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Desktop\WmiPrvSE.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2788
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Public\Desktop\WmiPrvSE.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1708
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Desktop\WmiPrvSE.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2916
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Google\spoolsv.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1632
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Google\spoolsv.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2516
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Google\spoolsv.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              PID:1860
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\providercommon\wininit.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2868
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              PID:1776
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2908
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\explorer.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2368
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\explorer.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1656
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\explorer.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2148
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Windows\Panther\setup.exe\smss.exe'" /f
                                              1⤵
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1064
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Panther\setup.exe\smss.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2416
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Windows\Panther\setup.exe\smss.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2212
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\lsass.exe'" /f
                                              1⤵
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2852
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\lsass.exe'" /rl HIGHEST /f
                                              1⤵
                                                PID:2832
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\lsass.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1636
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Mail\es-ES\services.exe'" /f
                                                1⤵
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2844
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\es-ES\services.exe'" /rl HIGHEST /f
                                                1⤵
                                                  PID:1076
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Mail\es-ES\services.exe'" /rl HIGHEST /f
                                                  1⤵
                                                    PID:2324
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
                                                    1⤵
                                                      PID:1756
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
                                                      1⤵
                                                        PID:2440
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
                                                        1⤵
                                                          PID:2864
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dllhost.exe'" /f
                                                          1⤵
                                                            PID:868
                                                          • C:\Windows\system32\schtasks.exe
                                                            schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
                                                            1⤵
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:2248
                                                          • C:\Windows\system32\schtasks.exe
                                                            schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
                                                            1⤵
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:1528
                                                          • C:\Windows\system32\schtasks.exe
                                                            schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\services.exe'" /f
                                                            1⤵
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:2556
                                                          • C:\Windows\system32\schtasks.exe
                                                            schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\services.exe'" /rl HIGHEST /f
                                                            1⤵
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:1040
                                                          • C:\Windows\system32\schtasks.exe
                                                            schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\services.exe'" /rl HIGHEST /f
                                                            1⤵
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:1744
                                                          • C:\Windows\system32\schtasks.exe
                                                            schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe'" /f
                                                            1⤵
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:1472
                                                          • C:\Windows\system32\schtasks.exe
                                                            schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe'" /rl HIGHEST /f
                                                            1⤵
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:2772
                                                          • C:\Windows\system32\schtasks.exe
                                                            schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe'" /rl HIGHEST /f
                                                            1⤵
                                                              PID:1248
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\services.exe'" /f
                                                              1⤵
                                                              • Scheduled Task/Job: Scheduled Task
                                                              PID:592
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\services.exe'" /rl HIGHEST /f
                                                              1⤵
                                                                PID:2108
                                                              • C:\Windows\system32\schtasks.exe
                                                                schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\services.exe'" /rl HIGHEST /f
                                                                1⤵
                                                                  PID:892

                                                                Network

                                                                MITRE ATT&CK Enterprise v15

                                                                Downloads

                                                                • C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\c5b4cb5e9653cc

                                                                  Filesize

                                                                  929B

                                                                  MD5

                                                                  2534cf3cfcf450730ce8eaeff65c6580

                                                                  SHA1

                                                                  1b892dbf709b3b1f795afe859a9d800276ef259c

                                                                  SHA256

                                                                  9941553200adeec9bacaca797b9a9597671158047ab46be721f1f066f0aa52b7

                                                                  SHA512

                                                                  529c9df20e0b73eac9ba7f4829bbbefcd4f3b42573984228481af73065c98ac5ff7454b25c49865b821284081528bf1cf2d8f297c1259479b97f9cf8a2b9a0fb

                                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                                  Filesize

                                                                  342B

                                                                  MD5

                                                                  b49f0c8996aadb9f7aede700deaef6c7

                                                                  SHA1

                                                                  ea4d4614eb968b9c4f3553e02f73c2b6c5c0fba3

                                                                  SHA256

                                                                  77dfdc3955e1acfc4eaefaf0a31d405029c767f48bc9de287854d857de1f007c

                                                                  SHA512

                                                                  0d692866ff4885bd495641c6d11f3519b2000ec000d4cdb056549212cb00d25fb66711cf4fc3f71f2d6b4317a5fbe18311f3050af86d5c04dd53513fb978bf28

                                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                                  Filesize

                                                                  342B

                                                                  MD5

                                                                  f69b9c85b4e76c69fb27c5ecc4523934

                                                                  SHA1

                                                                  c1ce06e502bb0e4272ed8b905cb377b79ee5ecef

                                                                  SHA256

                                                                  e73122953ae9033d8a110f4b0dbe46707c09c96df5f7a1e34649044329a646f8

                                                                  SHA512

                                                                  c7ea694a682bc335c644e175e612cee4e69346d8fd095626906b555918d2b1a0da8f0cb23eb7ec2ab4dcfd4f4c34bbd31dbc9c51bc474849b7b06df76827387f

                                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                                  Filesize

                                                                  342B

                                                                  MD5

                                                                  a26e8ef0bdba939a6459af3c0f7df2a6

                                                                  SHA1

                                                                  fa0e35c19d6c159fd24d5cb4f5e42779d94a11f8

                                                                  SHA256

                                                                  b7a97055bda482d5e9a71c4f22a5bdd4b1eb5622dad581fdd15db867adef9102

                                                                  SHA512

                                                                  bcb411062b91815757cb5d66f39b4c6e6c7cff644be8f87457c717cdefe7fae7a8b99dbddd5c02938fb95b9fb7a84e9b3e3c45871e7dd45191e7281202eaa9e3

                                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                                  Filesize

                                                                  342B

                                                                  MD5

                                                                  67ad2801ee04df853fa5931fe7f66844

                                                                  SHA1

                                                                  fcc30f38b24dc8690977f833b4ebed4baa23629a

                                                                  SHA256

                                                                  33a3600906e1241413d81fd2422ee263ff9b7bf48ce30c0f9aa6f8ca77ceb6a4

                                                                  SHA512

                                                                  44007f36a78710ae81ebadc3f5b37ae0833745ce04b2e3bbafed845e95239e5eed00f4425f6122dd76040962ed28abaafae82d84624cb3e14b4786417234895d

                                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                                  Filesize

                                                                  342B

                                                                  MD5

                                                                  78c060477df1cd74aad28a2bc01df604

                                                                  SHA1

                                                                  50a39fe4669534c4399742f9a130943ce2245638

                                                                  SHA256

                                                                  3aca677c4498ed1c4cebaa4a3dbdf376f94e7b8e8497c5af3d7ecde9ddadfd28

                                                                  SHA512

                                                                  7afbd0077b9441cfa6651a827e4af0cc0ae0bb97665bb6abc172974f988fbdc6dfdd29267ee37ab2af7b43a1eb52f16db93c8b7c2cb25454bb45f7017bf72f5b

                                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                                  Filesize

                                                                  342B

                                                                  MD5

                                                                  c7ccd1a5df81b280e3c628a1b3e130d1

                                                                  SHA1

                                                                  e28c13fc5b54199e65885be1a8a08a9cee47b611

                                                                  SHA256

                                                                  948b3bd2390c170e0298b3a444af6aa381357f2e5945eaf66a6b5d0319055117

                                                                  SHA512

                                                                  710e779385b41d2580f2f90c491ff38a989acf68daaf6faa64b41e2fdee57075f1c4ed2dcca49612f07aeefea253257efc22e5cbb353769389af4600344aff30

                                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                                  Filesize

                                                                  342B

                                                                  MD5

                                                                  7e76f5dc74d2b73a00995d3cee4f16c2

                                                                  SHA1

                                                                  69e5a9c2e98ec31ef994f8ed97c47d12568987f9

                                                                  SHA256

                                                                  427407e239c167883703a9feb565e57b583cb53343575561e6bb3a5722df6de0

                                                                  SHA512

                                                                  c69e464208eeb01960658f07851758921961a86dce4287045622fda40f016c43084bd606d7ed820e32f7eaba251329356c48982470ed0e3961d42877a65f787b

                                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                                  Filesize

                                                                  342B

                                                                  MD5

                                                                  49f7aa8ae690ef93701d66a0a543ac2d

                                                                  SHA1

                                                                  d5cbd5334d6e149e14de4bc95adb13fd60ebf024

                                                                  SHA256

                                                                  c8a5a347a9a19bf8e3ea61f314fcfda44705861c8ae361ccf051032f715ceefb

                                                                  SHA512

                                                                  504ce0cc8e183142079c4c7f87f1807899444263d3b5ebbe4150456f2bb834a7e3306225e2759b473300aa81cc8224fa401ddbeca9de45c8f10fc223c31588bf

                                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                                  Filesize

                                                                  342B

                                                                  MD5

                                                                  d7b0e1f04cf6114814fb3703c04a98b7

                                                                  SHA1

                                                                  0f3c2b8169e61b6bca5c8e961f5560b7b7e88d88

                                                                  SHA256

                                                                  11e90d35e1ac69192b364653e46a701a360da81dd93133ffb8ceabeadcec1b2d

                                                                  SHA512

                                                                  4fe8a19aebd5b924965e23f012c3cc0cefcb38552c9a54360476214cf2ef521a6a0177c96d47b2fd50c1ea1753d551127033d845e44b9ad208a081d50bbff55c

                                                                • C:\Users\Admin\AppData\Local\Temp\0LMDaVm4bI.bat

                                                                  Filesize

                                                                  239B

                                                                  MD5

                                                                  536bd2f3960b3b54ff347b4dfa4295d5

                                                                  SHA1

                                                                  17cc8cb490292fb3e450128433069007a23be7cf

                                                                  SHA256

                                                                  4b894e38145b1c4731d7b739284daba41c1f91ab04d55bd23c26194127598f84

                                                                  SHA512

                                                                  868f056baf551b14d06b147288406f95720db20927f269d50bd345f73b44a587b0a05b5e621f7eb5780a3471d4b358416add208a9f890d97ccb6a4a89417e82c

                                                                • C:\Users\Admin\AppData\Local\Temp\6VAw4LgrmW.bat

                                                                  Filesize

                                                                  239B

                                                                  MD5

                                                                  cd6dc5c130b20dbc7d27ed85ad1ba9e4

                                                                  SHA1

                                                                  c42cf2025dc59aca7f5620e059759114df8ffcf3

                                                                  SHA256

                                                                  be3d033a4445aa116583999e189464801ac6286f8f6707228e2401bd4416743f

                                                                  SHA512

                                                                  ce263672340803affbc35cc6ea3b608beba689161bc256c1d0ab278c40f5cb6396c56064a434d9f636a0e32f3faec31fc6a5eb96e2fb42b71dd42052ad36d542

                                                                • C:\Users\Admin\AppData\Local\Temp\Cab6BFE.tmp

                                                                  Filesize

                                                                  70KB

                                                                  MD5

                                                                  49aebf8cbd62d92ac215b2923fb1b9f5

                                                                  SHA1

                                                                  1723be06719828dda65ad804298d0431f6aff976

                                                                  SHA256

                                                                  b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                                                  SHA512

                                                                  bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                                                • C:\Users\Admin\AppData\Local\Temp\FnVhX1xwia.bat

                                                                  Filesize

                                                                  239B

                                                                  MD5

                                                                  3737649dd7ca3f9635887acdbf429356

                                                                  SHA1

                                                                  d916caf3f780417514984895d57f2d978d511aed

                                                                  SHA256

                                                                  1aa136a74c419183cd35a181ba25859ecff9bb9f6cfc7f11fb4c46c885a4edc6

                                                                  SHA512

                                                                  ec50c78fca1522cfc93f4839adff9eb2c32649e5b46f63453ac949775021effdfce67869243558235089c29e3ab568c380732fb43a300224d87beeb2bcb03963

                                                                • C:\Users\Admin\AppData\Local\Temp\LkcfmFI5TJ.bat

                                                                  Filesize

                                                                  239B

                                                                  MD5

                                                                  71f8d277783db89147f5aa6aa5389e06

                                                                  SHA1

                                                                  8eed5b9a7a8c7fc22affeeea945c24bc7d672a5b

                                                                  SHA256

                                                                  0bf0bc939b929d5ce0577f0c8c1f7a7b073dcb78eb723a98e80d6682706c7773

                                                                  SHA512

                                                                  fe2a8bce0345367d96fb37e75928b1489212d62baf7cb4dad0c1376fcb8ca265c7639bd31a5a882b986fce85d84d09f6fa8a49ed37cca4be92ae505584b2ff5c

                                                                • C:\Users\Admin\AppData\Local\Temp\Tar6C11.tmp

                                                                  Filesize

                                                                  181KB

                                                                  MD5

                                                                  4ea6026cf93ec6338144661bf1202cd1

                                                                  SHA1

                                                                  a1dec9044f750ad887935a01430bf49322fbdcb7

                                                                  SHA256

                                                                  8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                                                                  SHA512

                                                                  6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                                                • C:\Users\Admin\AppData\Local\Temp\VhvmsyECnd.bat

                                                                  Filesize

                                                                  239B

                                                                  MD5

                                                                  3d051572841c9a7eaad2545ca20e591e

                                                                  SHA1

                                                                  c21d06f7cadddfd7bbbc0af28012c33bcff935c6

                                                                  SHA256

                                                                  0c84ec8f4868d0993ae0f022c6812bea6695f8d14724b6df824ee6574bd1c108

                                                                  SHA512

                                                                  63a04c18ad20ffecd4401f445f2e01a5414fbb022c9ce6ed54a8172cca0a5761dde14ad4a6eda2cf224e2aebe4f985dccc61a2692e8d2af7da6438f8dd221d36

                                                                • C:\Users\Admin\AppData\Local\Temp\j95GpUP4tv.bat

                                                                  Filesize

                                                                  239B

                                                                  MD5

                                                                  c547c67a53f54c309b12805426c4a24f

                                                                  SHA1

                                                                  82667f1fd18a94b7335961da794957f34b20971d

                                                                  SHA256

                                                                  d09d1ad45968de9586bed2d5758d04ec469cbaad4ec16a9fbd0eeeee26c51066

                                                                  SHA512

                                                                  eaece2229eefabc65a10e4e173762b38c4ab8ff9f76ff7c6f9cd4171fb8008afe9436c4129670f469fc2a216754003a070172e5be3aa3ae3f73e5245674fd8b3

                                                                • C:\Users\Admin\AppData\Local\Temp\nbmyZnkczp.bat

                                                                  Filesize

                                                                  199B

                                                                  MD5

                                                                  06b52732425fc6e674e07f1d9e3e1334

                                                                  SHA1

                                                                  aa6f6370642ec91c172dc999104560b6423df243

                                                                  SHA256

                                                                  4579cbf7cc482bdcc8fbcb10f8636c7f5dad387be330eb039e11a519b5e51396

                                                                  SHA512

                                                                  01bf8cb8a6465e207bd18eab985ef7f5123af6417089a72742c2883c0cfc08dc62361b585ec4d9dfad87c61ee0a32dffdbae61ed7c19405213d699dc4feaae39

• C:\Users\Admin\AppData\Local\Temp\pCY6B1XXru.bat
  Filesize: 239B
  MD5: 246f8625e0ac7b5534ac2e84f40ec2eb
  SHA1: 8bae2504f0e3d0cbf42eab6040a06f637d1866d4
  SHA256: 03c42ae12a95b9abb60958a476220a929c0834451fbf3906574d109bcd0830fc
  SHA512: 90796fe421819e35bd6290b9207a9aabdd38e156c328cc5f944c9bc45439d4838e50b2f7dc15060272a1f5ac2b1bcb358606a61fda7723e8631654da572e2e38

• C:\Users\Admin\AppData\Local\Temp\qRj2XQE6t6.bat
  Filesize: 239B
  MD5: 6ce7688005723ac06a7b073de815efce
  SHA1: 45d040cd5ba031c0f3de454df84b733530af866c
  SHA256: dc2f6c607662afb1e53d1367ae80da835bb967e4af892710c5a5e93281c63b80
  SHA512: 355efcb31618f95b1048d9c24d102c07b7b479d6b58aba821a62e97000da32c7c39ed5fe666cfa6fa10045cd33742f67b6e3f5be330cd6e398fad8b31a50960e

• C:\Users\Admin\AppData\Local\Temp\wKGJ2NUoAL.bat
  Filesize: 239B
  MD5: a524633558235d1d74a2dcd53a0ff142
  SHA1: 88ae65300c6ba44abea19438e1a512807bb5183e
  SHA256: c82b6fc93d1578aa8e07cd419d0c081f6b8cbe3aafa424a7ae220129226919b8
  SHA512: bfffe11f1edfc6649f37c2600dd6c37480b1c1199d3ceeaa5dbcc16386dd392ed5dcc779d6c1abd0ad309a681355bbab9f1f44f6a48f10d7131678ec4170b1ad

• C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 6375a0456397b0326195ff3f945e3862
  SHA1: cc62656c6263c068b2565bbc63548a35a339a471
  SHA256: f0fb1864f7db809ec3ca5145ef38169718086c71cee7deffd01241022d52439d
  SHA512: 8f899fbd43ed8317d23c97367b779e83d639c03d30c14c85ff6b2cdb9d193aa87ef78127b40ba3cd745f6e949125dc5d0895f65b3b39017cc32c7e80e102bcc5

• C:\providercommon\1zu9dW.bat
  Filesize: 36B
  MD5: 6783c3ee07c7d151ceac57f1f9c8bed7
  SHA1: 17468f98f95bf504cc1f83c49e49a78526b3ea03
  SHA256: 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
  SHA512: c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

• C:\providercommon\5940a34987c991
  Filesize: 223B
  MD5: d6f4342c769b6a2c68e8eb6ed47112c5
  SHA1: 299594195204170688a10a5f94b2fe350fdad812
  SHA256: 3dce7f286c76941f922a9ed62f54a329463ddbf86f0f172be1d5b92827a9e967
  SHA512: 51cc5d4df0e9d2509ab36e4e58868cfcd9082b2e20e80df14369f48d5061768a15d6bf35566ccc7dd678c3c5d269f8cf151243b9e660f78af67430c8d5d86903

• C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
  Filesize: 197B
  MD5: 8088241160261560a02c84025d107592
  SHA1: 083121f7027557570994c9fc211df61730455bb5
  SHA256: 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
  SHA512: 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

• \providercommon\DllCommonsvc.exe
  Filesize: 1.0MB
  MD5: bd31e94b4143c4ce49c17d3af46bcad0
  SHA1: f8c51ff3ff909531d9469d4ba1bbabae101853ff
  SHA256: b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
  SHA512: f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

• memory/352-783-0x00000000009F0000-0x0000000000B00000-memory.dmp
  Filesize: 1.1MB

• memory/352-784-0x0000000002010000-0x0000000002022000-memory.dmp
  Filesize: 72KB

• memory/376-302-0x00000000002A0000-0x00000000003B0000-memory.dmp
  Filesize: 1.1MB

• memory/404-603-0x0000000001070000-0x0000000001180000-memory.dmp
  Filesize: 1.1MB

• memory/624-98-0x0000000001110000-0x0000000001220000-memory.dmp
  Filesize: 1.1MB

• memory/624-422-0x0000000000B60000-0x0000000000C70000-memory.dmp
  Filesize: 1.1MB

• memory/1584-175-0x0000000000C90000-0x0000000000DA0000-memory.dmp
  Filesize: 1.1MB

• memory/1784-76-0x0000000002660000-0x0000000002668000-memory.dmp
  Filesize: 32KB

• memory/1828-156-0x000000001B710000-0x000000001B9F2000-memory.dmp
  Filesize: 2.9MB

• memory/1828-163-0x0000000002340000-0x0000000002348000-memory.dmp
  Filesize: 32KB

• memory/1860-723-0x00000000008C0000-0x00000000009D0000-memory.dmp
  Filesize: 1.1MB

• memory/2180-543-0x0000000000040000-0x0000000000150000-memory.dmp
  Filesize: 1.1MB

• memory/2340-663-0x00000000000B0000-0x00000000001C0000-memory.dmp
  Filesize: 1.1MB

• memory/2392-60-0x000000001B5C0000-0x000000001B8A2000-memory.dmp
  Filesize: 2.9MB

• memory/2488-362-0x0000000000120000-0x0000000000230000-memory.dmp
  Filesize: 1.1MB

• memory/2584-483-0x0000000000550000-0x0000000000562000-memory.dmp
  Filesize: 72KB

• memory/2584-482-0x0000000000C70000-0x0000000000D80000-memory.dmp
  Filesize: 1.1MB

• memory/2820-17-0x0000000000340000-0x000000000034C000-memory.dmp
  Filesize: 48KB

• memory/2820-16-0x0000000000320000-0x000000000032C000-memory.dmp
  Filesize: 48KB

• memory/2820-15-0x0000000000330000-0x000000000033C000-memory.dmp
  Filesize: 48KB

• memory/2820-14-0x0000000000310000-0x0000000000322000-memory.dmp
  Filesize: 72KB

• memory/2820-13-0x0000000000FB0000-0x00000000010C0000-memory.dmp
  Filesize: 1.1MB
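The dropped-file and memory-dump listing above is a flat label/value dump, which is awkward to use as an IOC set or to sanity-check by hand. The following Python is an added example, not part of the sandbox report: it parses the bullet records (accepting both the report's label-then-value layout and a compact `Label: value` form), builds a digest-to-path index so hashes of files recovered from a suspect host can be looked up against the listing, and recomputes each memory region's size from the start and end addresses embedded in the dump name to confirm it agrees with the reported Filesize (for instance 0x00B00000 - 0x009F0000 = 0x110000 bytes, which renders as the 1.1MB shown). The `SAMPLE` text is constructed from two entries in the listing; `Artifact`, `parse_listing`, `human_size`, `region_size`, `check_memory_sizes`, `index_by_hash` and `hash_matches` are names chosen for this example.

```python
"""Parse a sandbox dropped-file / memory-dump listing and sanity-check it.

Added example for this report page; not part of the sandbox's own output.
Accepts the page's layout (label on one line, value on the next) as well as
the compact 'Label: value' form.
"""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: two entries copied from the listing above.
SAMPLE = r"""
• C:\Users\Admin\AppData\Local\Temp\nbmyZnkczp.bat
  Filesize
  199B
  MD5
  06b52732425fc6e674e07f1d9e3e1334
  SHA1
  aa6f6370642ec91c172dc999104560b6423df243
  SHA256
  4579cbf7cc482bdcc8fbcb10f8636c7f5dad387be330eb039e11a519b5e51396
  SHA512
  01bf8cb8a6465e207bd18eab985ef7f5123af6417089a72742c2883c0cfc08dc62361b585ec4d9dfad87c61ee0a32dffdbae61ed7c19405213d699dc4feaae39

• memory/352-784-0x0000000002010000-0x0000000002022000-memory.dmp
  Filesize
  72KB
"""

LABEL_RE = re.compile(r"^(Filesize|MD5|SHA1|SHA256|SHA512)(?::\s*(\S.*))?$")
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
DIGEST_ALGS = {"MD5": "md5", "SHA1": "sha1", "SHA256": "sha256", "SHA512": "sha512"}


@dataclass
class Artifact:
    path: str
    fields: Dict[str, str] = field(default_factory=dict)


def parse_listing(text: str) -> List[Artifact]:
    """Turn the bullet list into Artifact records; a '•' line opens a record."""
    records: List[Artifact] = []
    pending: Optional[str] = None           # label waiting for its value line
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):
            records.append(Artifact(line.lstrip("• ").strip()))
            pending = None
            continue
        if not records:
            continue                        # text before the first bullet
        m = LABEL_RE.match(line)
        if m:
            if m.group(2):                  # 'Label: value' on one line
                records[-1].fields[m.group(1)] = m.group(2).strip()
                pending = None
            else:                           # bare label; value is the next line
                pending = m.group(1)
            continue
        if pending:
            records[-1].fields[pending] = line
            pending = None
    return records


def human_size(n: int) -> str:
    """Render a byte count the way the listing does (binary units, one decimal)."""
    if n < 1024:
        return f"{n}B"
    if n < 1024 ** 2:
        kb = n / 1024
        return f"{kb:g}KB" if kb == int(kb) else f"{kb:.1f}KB"
    return f"{n / 1024 ** 2:.1f}MB"


def region_size(dump_name: str) -> Optional[int]:
    """Bytes covered by a memory/<pid>-<n>-<start>-<end>-memory.dmp name."""
    m = MEM_RE.match(dump_name)
    if not m:
        return None
    return int(m.group(4), 16) - int(m.group(3), 16)


def check_memory_sizes(records: List[Artifact]) -> Dict[str, Tuple[int, str, bool]]:
    """For each memory dump: (computed bytes, reported Filesize, do they agree?)."""
    out: Dict[str, Tuple[int, str, bool]] = {}
    for r in records:
        n = region_size(r.path)
        if n is not None:
            reported = r.fields.get("Filesize", "")
            out[r.path] = (n, reported, human_size(n) == reported)
    return out


def index_by_hash(records: List[Artifact]) -> Dict[str, str]:
    """Map every digest in the listing (lower-case hex) to its artifact path."""
    return {r.fields[lab].lower(): r.path
            for r in records for lab in DIGEST_ALGS if lab in r.fields}


def hash_matches(data: bytes, record: Artifact) -> Dict[str, bool]:
    """Compare a blob against each digest the record carries."""
    return {lab: hashlib.new(alg, data).hexdigest() == record.fields[lab].lower()
            for lab, alg in DIGEST_ALGS.items() if lab in record.fields}


if __name__ == "__main__":
    recs = parse_listing(SAMPLE)
    for path, (n, reported, ok) in check_memory_sizes(recs).items():
        print(f"{path}: 0x{n:X} bytes, reported {reported}, {'ok' if ok else 'MISMATCH'}")
    print(index_by_hash(recs))
```

Run over the full listing, the region check makes one pattern visible that the rounded sizes hide: every region reported as 1.1MB is exactly 0x110000 bytes wide, and the two 2.9MB regions are both 0x2E2000, so identically sized mappings recur across many PIDs. Feed `hash_matches` the bytes of a file pulled from a host and the listing becomes a quick triage check; it compares every digest the record carries, so a collision on MD5 alone would still show as a mismatch on the SHA-2 fields.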