Analysis

  • max time kernel
    148s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    21-12-2024 19:35

General

  • Target

    JaffaCakes118_bea63bea228e90f03925bd55ce869d6184cdeef9920e1390e6c9eaa37e946697.exe

  • Size

    1.3MB

  • MD5

    7fbecde0cd3ee62936f18b741302c01c

  • SHA1

    f400947018e502902749900aaf957e8a50065e69

  • SHA256

    bea63bea228e90f03925bd55ce869d6184cdeef9920e1390e6c9eaa37e946697

  • SHA512

    13929bf3e4b8856705672acfb51177f0b3140a2ed0832ce9319bdbb16365367a6858e6dd6bbcc520bced3852721395055a059615449e34688d360c4264871ea8

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 45 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 11 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
  • Drops file in Program Files directory 8 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 32 IoCs
  • Suspicious use of AdjustPrivilegeToken 28 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bea63bea228e90f03925bd55ce869d6184cdeef9920e1390e6c9eaa37e946697.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bea63bea228e90f03925bd55ce869d6184cdeef9920e1390e6c9eaa37e946697.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2336
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1152
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1644
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2424
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2020
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1004
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\explorer.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2128
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\System.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2028
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\cmd.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:880
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Searches\WMIADAP.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1156
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2368
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\audiodg.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2352
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1712
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2504
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\explorer.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3028
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\WmiPrvSE.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2156
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\WMIADAP.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2192
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\services.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3008
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\dwm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1148
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2336
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0KGsCHCwju.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2588
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:2864
              • C:\MSOCache\All Users\csrss.exe
                "C:\MSOCache\All Users\csrss.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1528
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qzqLwOyuSO.bat"
                  7⤵
                    PID:2656
                    • C:\Windows\system32\w32tm.exe
                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                      8⤵
                        PID:2756
                      • C:\MSOCache\All Users\csrss.exe
                        "C:\MSOCache\All Users\csrss.exe"
                        8⤵
                        • Executes dropped EXE
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2208
                        • C:\Windows\System32\cmd.exe
                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gMBHdlpNUB.bat"
                          9⤵
                            PID:2628
                            • C:\Windows\system32\w32tm.exe
                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                              10⤵
                                PID:2800
                              • C:\MSOCache\All Users\csrss.exe
                                "C:\MSOCache\All Users\csrss.exe"
                                10⤵
                                • Executes dropped EXE
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of AdjustPrivilegeToken
                                PID:2268
                                • C:\Windows\System32\cmd.exe
                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\asjVMp8zxr.bat"
                                  11⤵
                                    PID:1320
                                    • C:\Windows\system32\w32tm.exe
                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                      12⤵
                                        PID:3008
                                      • C:\MSOCache\All Users\csrss.exe
                                        "C:\MSOCache\All Users\csrss.exe"
                                        12⤵
                                        • Executes dropped EXE
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:2116
                                        • C:\Windows\System32\cmd.exe
                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GTS4B5cy6p.bat"
                                          13⤵
                                            PID:2444
                                            • C:\Windows\system32\w32tm.exe
                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                              14⤵
                                                PID:1612
                                              • C:\MSOCache\All Users\csrss.exe
                                                "C:\MSOCache\All Users\csrss.exe"
                                                14⤵
                                                • Executes dropped EXE
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:1572
                                                • C:\Windows\System32\cmd.exe
                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZfR0hqQ1j6.bat"
                                                  15⤵
                                                    PID:1980
                                                    • C:\Windows\system32\w32tm.exe
                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                      16⤵
                                                        PID:1784
                                                      • C:\MSOCache\All Users\csrss.exe
                                                        "C:\MSOCache\All Users\csrss.exe"
                                                        16⤵
                                                        • Executes dropped EXE
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:2800
                                                        • C:\Windows\System32\cmd.exe
                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ww6iFNwlpp.bat"
                                                          17⤵
                                                            PID:1148
                                                            • C:\Windows\system32\w32tm.exe
                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                              18⤵
                                                                PID:2620
                                                              • C:\MSOCache\All Users\csrss.exe
                                                                "C:\MSOCache\All Users\csrss.exe"
                                                                18⤵
                                                                • Executes dropped EXE
                                                                • Suspicious behavior: EnumeratesProcesses
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:2768
                                                                • C:\Windows\System32\cmd.exe
                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4yEObGBIDe.bat"
                                                                  19⤵
                                                                    PID:1768
                                                                    • C:\Windows\system32\w32tm.exe
                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                      20⤵
                                                                        PID:2444
                                                                      • C:\MSOCache\All Users\csrss.exe
                                                                        "C:\MSOCache\All Users\csrss.exe"
                                                                        20⤵
                                                                        • Executes dropped EXE
                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        PID:2764
                                                                        • C:\Windows\System32\cmd.exe
                                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Gozseo6rLH.bat"
                                                                          21⤵
                                                                            PID:1152
                                                                            • C:\Windows\system32\w32tm.exe
                                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                              22⤵
                                                                                PID:1544
                                                                              • C:\MSOCache\All Users\csrss.exe
                                                                                "C:\MSOCache\All Users\csrss.exe"
                                                                                22⤵
                                                                                • Executes dropped EXE
                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                PID:788
                                                                                • C:\Windows\System32\cmd.exe
                                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tDjG3X7WPV.bat"
                                                                                  23⤵
                                                                                    PID:1440
                                                                                    • C:\Windows\system32\w32tm.exe
                                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                      24⤵
                                                                                        PID:1656
                                                                                      • C:\MSOCache\All Users\csrss.exe
                                                                                        "C:\MSOCache\All Users\csrss.exe"
                                                                                        24⤵
                                                                                        • Executes dropped EXE
                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                        PID:2140
                                                                                        • C:\Windows\System32\cmd.exe
                                                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\i32OxRBhll.bat"
                                                                                          25⤵
                                                                                            PID:2320
                                                                                            • C:\Windows\system32\w32tm.exe
                                                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                              26⤵
                                                                                                PID:3068
                                                                                              • C:\MSOCache\All Users\csrss.exe
                                                                                                "C:\MSOCache\All Users\csrss.exe"
                                                                                                26⤵
                                                                                                • Executes dropped EXE
                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                PID:3032
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\providercommon\sppsvc.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2820
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2588
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2108
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files\7-Zip\Lang\explorer.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1736
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2572
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files\7-Zip\Lang\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2612
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\providercommon\System.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2104
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1248
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1532
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Portable Devices\cmd.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1948
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\cmd.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1732
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\cmd.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1524
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Searches\WMIADAP.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2444
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Users\Admin\Searches\WMIADAP.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1912
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Searches\WMIADAP.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1728
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1740
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2648
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1748
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1640
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1336
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1628
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\providercommon\lsass.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2904
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2892
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2188
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\providercommon\spoolsv.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2124
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2440
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:3048
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\explorer.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:448
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\explorer.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1940
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\explorer.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1592
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\WmiPrvSE.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1612
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\WmiPrvSE.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2252
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files\Uninstall Information\WmiPrvSE.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2176
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\WMIADAP.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:772
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\WMIADAP.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:836
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\WMIADAP.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:832
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\services.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:788
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\services.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1356
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\services.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2656
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\dwm.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2428
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\dwm.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2320
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\dwm.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2300
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1224
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1312
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2244

                                            Network

                                            MITRE ATT&CK Enterprise v15


                                            Downloads

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B

                                              MD5

                                              ca51e5ecc706cfb94fa5d64ad951df76

                                              SHA1

                                              1b9706858ad6233f72a1e5f9a195d7da18020bba

                                              SHA256

                                              6786d58b4d3a73fdcb821ac44eb0dce3872b6035ed3944a1cee6aadb6a13e1c0

                                              SHA512

                                              f1f754a85858ddce7c91bcb5bb2d5ef80b9d8ef3f741a392652b42ca731c5305dfe011bece42859c2a89f2511c9e0bb36b1633291e4f019ed384d59589dbb302

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B

                                              MD5

                                              44af11b9b5912fc50725d239f2a5ceec

                                              SHA1

                                              6c9e797ff4d11835537c78123a98517bcec2c14a

                                              SHA256

                                              1c01ffad43cef1f273c9bbe46f06a3eea41f0ee094a7affb52550ace05ade476

                                              SHA512

                                              2ed35f791260349fab9de02ab7a792bc88a45a3f63c411d57382fd0e55bbda4346e6f3d7b17b5d3b72e3dcb0944fb0fd3d9070df18e8afa809a06f0f40ea2870

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B

                                              MD5

                                              917202e1623cae29166d943ba29efd87

                                              SHA1

                                              9a32749d6b2f09fbbf2b7dd6b240eda27279dce7

                                              SHA256

                                              9598514a16c86272e7c4fc35750107027c3e5ecf757fcc7fe50bd21f076e2b68

                                              SHA512

                                              92eaa8eb3ced734c5ae44fdd0ede7c06755e6a2d1ece9938a26e39655475a653e0d7f4b410a1f77c895ed5a5c1ca7cc0ea4bf0b35b4f6d4465bb043a90620a78

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B

                                              MD5

                                              168e4c36b24d80b676c93e4c703e0531

                                              SHA1

                                              4bfc9e5504612b55b7176ac22a7511e3f84071ae

                                              SHA256

                                              367acd9c7337facdf15d61e98b852ab08c7d5ab11720839fd6a64543c364b079

                                              SHA512

                                              f2fc1d555e5ca52930e24edd9ae51934fb13c46f9d0ed249c2ca38529cdb7efb5f1dbee0bf111b4050d70901f6c27e4e108b2c0707fba7afd0a8b67a13cacc37

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B

                                              MD5

                                              182c58b076c9987080e40b2c2253d907

                                              SHA1

                                              4c582f11b65840cf8f8723a836051418ef7086ca

                                              SHA256

                                              8dd6ecee4e58ed4feb6d33b82ce2207b88fae8fe9087951f014bc3393c8a3ee1

                                              SHA512

                                              0bd409c551a195a8c15681b55afdfd9534e5744788ae5a5b83cf9c38e2f2ddf397db1f64c5f7593333efea745ef1e4530e28b3ea66fdf4fa43ce77e7e2f8b20f

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B

                                              MD5

                                              78585aac158ff9eb859b1b33843c7f49

                                              SHA1

                                              1692d0f01565f922ddf78501a32e26af7fc11815

                                              SHA256

                                              f23761bd710eab14475471f0c6b5da3b567344dac419a6950c88426e4914c0e6

                                              SHA512

                                              b7ba46dca528f160d587641a42801837745079a927fb1cbfeecf009f528917f461dc623c458fe67bc0c7ec84e27a15fd3f676f8894b18f459c6f183266ad851f

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B

                                              MD5

                                              1a142fafacf58ae23c5131e8442be69a

                                              SHA1

                                              bdd9118c8024b68ab8acdd44b94ee7b68a591c5c

                                              SHA256

                                              6dbf9c8c19f9609b8610b445eb526290be90ff49d1eba097919e550355207f32

                                              SHA512

                                              1cd1e6c632ba5763949c34df38b060fb96fd4855cabbc7c473e0c6a293a882741e6efef925574e9f2b72644d46e6ec2ae25d9b5fcd96ca09037b9df0b94a038a

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B

                                              MD5

                                              c5a5818a8becbaa63a4a4c5da444a91d

                                              SHA1

                                              49da1e1750bd28f12da2a8f252ed1f9cabb799b7

                                              SHA256

                                              e0c4471a776fd175fe4a9adc75a8b0c6ed6a37150e25eda886a60c03910ecbdd

                                              SHA512

                                              8b9a6bb7c9b8ee465210ea02c5936753ee6a6f011db16088bfcb357761fe6bac505987658465c6afcfedcf1b1f367ed238c63b7ef4f1633eafe15b272ae024e6

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B

                                              MD5

                                              eb5df8aae489e940c38e843eafbc14eb

                                              SHA1

                                              ee3f56476f8d7f9a7685ee0dc385bfc9f5379c35

                                              SHA256

                                              e964e43af02b8078849d5c1f532550273d4afad34d4b01295e62a9a1c46f4eb7

                                              SHA512

                                              dd64d4f062cf8f323be38a615b69af34f7e4ffa4a7e1c06b813bbe16a802e066a2d4b95df6c44dac24c762c92c85f27ea7cb74515481bf5ecc1437b63e2d7cb7

                                            • C:\Users\Admin\AppData\Local\Temp\0KGsCHCwju.bat

                                              Filesize

                                              196B

                                              MD5

                                              67779d61ff37ed66cf3d5d97e771c5e5

                                              SHA1

                                              2311bb6f925f72dbcd078f3b3c5c5a8d4769e0ac

                                              SHA256

                                              55b315c5d77c6de423bcc3214d573591bf3ba80e60817655251c7c557fce9776

                                              SHA512

                                              fdeb7c7e6701c44182afaa3ddd29ff90e013affe174226d757b4b3c75ebb405834afd666dd440001b0e94a8c41f4bc527c34f8df4536a732270dde8050ba3a39

                                            • C:\Users\Admin\AppData\Local\Temp\4yEObGBIDe.bat

                                              Filesize

                                              196B

                                              MD5

                                              b0927cbdf007f1d37bfcefcb8d7e582c

                                              SHA1

                                              8379cdbe85a4672191663a96b84e9289959ca952

                                              SHA256

                                              684b359c9977849432ee5a80f7009f466c7efdc67768c6e7f8e213213e7790e5

                                              SHA512

                                              09f4189da0fc0007b76b278026427ba7757cbe9ae8787d24d8eb86f1fe73ad86fc4f0ac490525a5aef4539932ae8353250b48c30538a14a0b50c5fe1d7add787

                                            • C:\Users\Admin\AppData\Local\Temp\Cab1306.tmp

                                              Filesize

                                              70KB

                                              MD5

                                              49aebf8cbd62d92ac215b2923fb1b9f5

                                              SHA1

                                              1723be06719828dda65ad804298d0431f6aff976

                                              SHA256

                                              b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                              SHA512

                                              bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                            • C:\Users\Admin\AppData\Local\Temp\GTS4B5cy6p.bat

                                              Filesize

                                              196B

                                              MD5

                                              1ed0e4d8a478d89ca54cff89b76dab36

                                              SHA1

                                              e107c455805a1a00a0179032267a3aeb9bd92281

                                              SHA256

                                              330c38f11d2c018809b1e8168068ca5ecf855e9d6023534ee3d2d93bc767a07c

                                              SHA512

                                              bf73cbbec56783b3d837788f336a85b7ebed53bbe334806d877793c0d0db4c594725cd7813bab9d8aef523e9316f116714da362bb3786a4e2ae67d4c0a2d8d7e

                                            • C:\Users\Admin\AppData\Local\Temp\Gozseo6rLH.bat

                                              Filesize

                                              196B

                                              MD5

                                              35894975a0fbe0d7088b9f4ab37c8854

                                              SHA1

                                              634aa037f64300ea32f0dcb3f06041b49054cf7f

                                              SHA256

                                              54fdd2124ae1e70f887f885ab2395256fa0fc5c748fb87a56e3460982e45b78a

                                              SHA512

                                              cade0025e431a1135183599c17d2da49148ee4def0b11c0743938a2ec5aa1caae8baabeb42ada48a42ced65cbf1e7aeeff5338448a01d75c6cf5f0ad73d2ec77

                                            • C:\Users\Admin\AppData\Local\Temp\Tar1319.tmp

                                              Filesize

                                              181KB

                                              MD5

                                              4ea6026cf93ec6338144661bf1202cd1

                                              SHA1

                                              a1dec9044f750ad887935a01430bf49322fbdcb7

                                              SHA256

                                              8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                                              SHA512

                                              6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                            • C:\Users\Admin\AppData\Local\Temp\Ww6iFNwlpp.bat

                                              Filesize

                                              196B

                                              MD5

                                              a22aee161ce6f52ed5cdc6c26921f2fb

                                              SHA1

                                              b6db42e4d7d86103133a7b299cb0480b548c1e13

                                              SHA256

                                              53773ba10ac9018a6b4a0d8dcab837a2b86ee57d318b2fe909eb69a1ebe2d5f6

                                              SHA512

                                              f0a126bff06271fbea484f1160afc89f4f03c8724efcb4b80706ff7f92cb9d76cd58335ba1a9ee90b4b5566e8d463fe7a74d437e0624a4efa51eb79a3c79cd66

                                            • C:\Users\Admin\AppData\Local\Temp\ZfR0hqQ1j6.bat

                                              Filesize

                                              196B

                                              MD5

                                              8470e15fbd96280fae02631b96d4745c

                                              SHA1

                                              69f27412a81f9bf7810ee16889bade877f4815b7

                                              SHA256

                                              33fbcd0d0ea9a8d8aa59e6e1d5833be48157a9ebb7b9818db46b2b45c1f14a8e

                                              SHA512

                                              7ba3875b100dd28dd533339b79a9b4659f3aa203d295d41359f907a2cf150d3067055fdcbdbd12ee9766f29c98ce0fad2901cb16053606f34195cb4e463a10d4

                                            • C:\Users\Admin\AppData\Local\Temp\asjVMp8zxr.bat

                                              Filesize

                                              196B

                                              MD5

                                              7e962ba49dcb2ce81e0d970c4299b199

                                              SHA1

                                              de9d5cec67dad242a6e2125dffc40fa0c4d741c1

                                              SHA256

                                              156e4c9cafc8e69bb8421ec18f0172215682114c5227ed05eb677ce239abd26d

                                              SHA512

                                              bc012d44064eafcf02984574f863d65434035bd8d7409376815b478bbfa8a444ffddd742c8b7cf8a6cc4eaa8dfb6d1532ff04cbac4e785a74bf7f3ba9eab7d91

                                            • C:\Users\Admin\AppData\Local\Temp\gMBHdlpNUB.bat

                                              Filesize

                                              196B

                                            • C:\Users\Admin\AppData\Local\Temp\i32OxRBhll.bat

                                              Filesize

                                              196B

                                            • C:\Users\Admin\AppData\Local\Temp\qzqLwOyuSO.bat

                                              Filesize

                                              196B

                                            • C:\Users\Admin\AppData\Local\Temp\tDjG3X7WPV.bat

                                              Filesize

                                              196B

                                            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                              Filesize

                                              7KB

                                            • C:\providercommon\1zu9dW.bat

                                              Filesize

                                              36B

                                            • C:\providercommon\DllCommonsvc.exe

                                              Filesize

                                              1.0MB

                                            • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                              Filesize

                                              197B
