Analysis

  • max time kernel
    149s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    21-12-2024 19:48

General

  • Target

    JaffaCakes118_0ea1556410c69ba5f14ac55a2aaed25a79070fbefa7992f9ebc1bf40be4f53f0.exe

  • Size

    1.3MB

  • MD5

    e47a9049e6ce57ce55e007018ab5fadd

  • SHA1

    4f1f26d30d411f4a84a392fa5f2e1d106f678a68

  • SHA256

    0ea1556410c69ba5f14ac55a2aaed25a79070fbefa7992f9ebc1bf40be4f53f0

  • SHA512

    b3d913f2b1e433f88420fa5cecc25dadf9d82059898ded0698013d4f6cbd29e254b19b1982a1e70e1f7509153a5b5c8b7ee140d245a80f89d0b6a10904e0bbd1

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 45 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 9 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 11 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs
  • Drops file in Program Files directory 11 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 29 IoCs
  • Suspicious use of AdjustPrivilegeToken 27 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0ea1556410c69ba5f14ac55a2aaed25a79070fbefa7992f9ebc1bf40be4f53f0.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0ea1556410c69ba5f14ac55a2aaed25a79070fbefa7992f9ebc1bf40be4f53f0.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2252
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1908
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2216
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2204
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:572
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\browser\sppsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1216
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft Help\winlogon.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2108
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\smss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1992
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\en-US\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2248
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dwm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1644
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2536
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\System.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1596
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2420
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\winlogon.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2132
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\smss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2092
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1388
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WmiPrvSE.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1896
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1624
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jdk1.7.0_80\bin\cmd.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2404
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\services.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2360
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9s17GBcp13.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1668
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:1252
              • C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe
                "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:2504
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rmFq19iy8Y.bat"
                  7⤵
                    PID:1728
                    • C:\Windows\system32\w32tm.exe
                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                      8⤵
                        PID:2408
                      • C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe
                        "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe"
                        8⤵
                        • Executes dropped EXE
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:448
                        • C:\Windows\System32\cmd.exe
                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dgWvFyiHB2.bat"
                          9⤵
                            PID:684
                            • C:\Windows\system32\w32tm.exe
                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                              10⤵
                                PID:1772
                              • C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe
                                "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe"
                                10⤵
                                • Executes dropped EXE
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of AdjustPrivilegeToken
                                PID:2780
                                • C:\Windows\System32\cmd.exe
                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OMiKQlKjHz.bat"
                                  11⤵
                                    PID:2788
                                    • C:\Windows\system32\w32tm.exe
                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                      12⤵
                                        PID:2280
                                      • C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe
                                        "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe"
                                        12⤵
                                        • Executes dropped EXE
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:1760
                                        • C:\Windows\System32\cmd.exe
                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cYhs0sn2L6.bat"
                                          13⤵
                                            PID:2760
                                            • C:\Windows\system32\w32tm.exe
                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                              14⤵
                                                PID:3032
                                              • C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe
                                                "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe"
                                                14⤵
                                                • Executes dropped EXE
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:2128
                                                • C:\Windows\System32\cmd.exe
                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fmTXnddwCX.bat"
                                                  15⤵
                                                    PID:2620
                                                    • C:\Windows\system32\w32tm.exe
                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                      16⤵
                                                        PID:1588
                                                      • C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe
                                                        "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe"
                                                        16⤵
                                                        • Executes dropped EXE
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:2936
                                                        • C:\Windows\System32\cmd.exe
                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SXo39smTXJ.bat"
                                                          17⤵
                                                            PID:3008
                                                            • C:\Windows\system32\w32tm.exe
                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                              18⤵
                                                                PID:2984
                                                              • C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe
                                                                "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe"
                                                                18⤵
                                                                • Executes dropped EXE
                                                                • Suspicious behavior: EnumeratesProcesses
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:2788
                                                                • C:\Windows\System32\cmd.exe
                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eKh6VzgSrU.bat"
                                                                  19⤵
                                                                    PID:2716
                                                                    • C:\Windows\system32\w32tm.exe
                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                      20⤵
                                                                        PID:1112
                                                                      • C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe
                                                                        "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe"
                                                                        20⤵
                                                                        • Executes dropped EXE
                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        PID:2288
                                                                        • C:\Windows\System32\cmd.exe
                                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ESzt3JT3T8.bat"
                                                                          21⤵
                                                                            PID:1216
                                                                            • C:\Windows\system32\w32tm.exe
                                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                              22⤵
                                                                                PID:1924
                                                                              • C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe
                                                                                "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe"
                                                                                22⤵
                                                                                • Executes dropped EXE
                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                PID:2228
                                                                                • C:\Windows\System32\cmd.exe
                                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zi4n06VBpB.bat"
                                                                                  23⤵
                                                                                    PID:2088
                                                                                    • C:\Windows\system32\w32tm.exe
                                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                      24⤵
                                                                                        PID:2940
                                                                                      • C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe
                                                                                        "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe"
                                                                                        24⤵
                                                                                        • Executes dropped EXE
                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                        PID:2964
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Mozilla Firefox\browser\sppsvc.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2792
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\browser\sppsvc.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2456
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Mozilla Firefox\browser\sppsvc.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2408
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Microsoft Help\winlogon.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2720
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft Help\winlogon.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2604
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Microsoft Help\winlogon.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2640
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files\7-Zip\Lang\smss.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:3024
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\smss.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:3032
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files\7-Zip\Lang\smss.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1640
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\en-US\DllCommonsvc.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1072
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\en-US\DllCommonsvc.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1652
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Sidebar\en-US\DllCommonsvc.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1140
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2112
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2228
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1252
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1900
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2516
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1924
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\System.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1920
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1512
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2596
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\csrss.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:996
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:792
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2116
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\winlogon.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1888
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\winlogon.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2076
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\winlogon.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1572
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\providercommon\smss.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2964
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2788
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2696
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:844
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:964
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2428
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\providercommon\WmiPrvSE.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1520
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2160
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1560
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2972
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1004
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1568
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\jdk1.7.0_80\bin\cmd.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2328
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.7.0_80\bin\cmd.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1804
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Java\jdk1.7.0_80\bin\cmd.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2448
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\providercommon\services.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1780
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:3064
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2452

                                        Network

                                        MITRE ATT&CK Enterprise v15

                                        Replay Monitor

                                        Loading Replay Monitor...

                                        Downloads

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                          Filesize

                                          342B

                                          MD5

                                          2d70d7f5f0ff61374b0b525057ee1686

                                          SHA1

                                          a910ed8d6770e02ac22bb47eb5a494d7ce3c4588

                                          SHA256

                                          aebfca571f05ad8bfd976069545987615d8be756112e56c2edac9a88489f3246

                                          SHA512

                                          042fd29c76093462f6f385c84b58d3ea31a6d50f8c2d69f9518eb3845253402e760a3650bc4e888b37d06483f1133b1c1b905bc9d145f99664be6af581dd9133

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                          Filesize

                                          342B

                                          MD5

                                          5496360d5b4360d9403d864edd07686c

                                          SHA1

                                          51854f9e6a0618657e21e00f0b5b99fa8ad81c0a

                                          SHA256

                                          0aa195514b0e6e34382264ea7d128bea5327db4805da7be41d24069234fca434

                                          SHA512

                                          2ca9d228a1d169b517887704ddce8738f0344246fa9469b97a9dd3c0c442a4a1553f2a43aa7bcfe1f7d7333852c65cc0b48ccba435efbe297868728576a5e031

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                          Filesize

                                          342B

                                          MD5

                                          b5d8bc934cef106e1eb52292a26aff0a

                                          SHA1

                                          65bc65d4b21f26eb16dbb27cc3a0557d33eab75a

                                          SHA256

                                          0b20d2a1a55e34023986593f8572badc2a551bb6b65cbff9191b6faf9ae4356d

                                          SHA512

                                          51b9c88d5c44c2849ad8f3ded05747b561dc4e8af513dc870f8a1ef1971aa44018f8214b37cc6049ca08e12f694cbee00d08931b3024c03d84851a01025486a7

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                          Filesize

                                          342B

                                          MD5

                                          cfcecbb55c0909cd6061b0b54fbdd6af

                                          SHA1

                                          acaf95fa998fbd878293e8e214b78527d5cc160a

                                          SHA256

                                          8070a8e106317cada56e8db7065cf08f8c164c4b2814694cdf305101420d6415

                                          SHA512

                                          d60c702a2893496f0575d67ca0d44b08549f6e6819f73afa7080dec2584446fa00eb638a572d8e69df2acd3c6610ac0684381bfbeed5e2667176efa92522db6f

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                          Filesize

                                          342B

                                          MD5

                                          9ba6bfcc5184227654f4a4b3aa77ca41

                                          SHA1

                                          1867244f89bb76b804a1199c1a9ec0148167e6ad

                                          SHA256

                                          d8c277577b106d99f2d5d555af74a642ff83d4c17b59151099f214f4d5b02be6

                                          SHA512

                                          654c39ef41941e8b845130f6c2219913c34d1b07f42de3dcd3ca4ecd45597c4a0efec76bc7dbc71591b00c79dc2d592f23fa99a98cfdd5da782358969afc7109

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                          Filesize

                                          342B

                                          MD5

                                          815b0b10690e8ac8d29801c7d612d04f

                                          SHA1

                                          42885b92849b7a74cdd9289e0bbcbcf647c49d5d

                                          SHA256

                                          160cd773f04791baea470bc2b11cb926c5879f93aebca539c073177afd6f7d25

                                          SHA512

                                          18d3e53afa2f8f9b3027509b7140ce5e31d254ea20b3432983bcc0bacf574d20c5b32d48e09f0ea7f34c9ea8900a6c19026469b6f8f76eca126806c2ac109169

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                          Filesize

                                          342B

                                          MD5

                                          65f4454fa3f1176fe8deef5ace0ea32a

                                          SHA1

                                          f7afe8c0ab1b828f3f1c96f7e622350534d07d17

                                          SHA256

                                          4f3553d3034a995526970b3a049bb73e3c3fc4a41a55c2f196e1558c13a14f09

                                          SHA512

                                          dc6511dc2153df9bf5c9883f164f7043188d6d27bd7d15be1aab3d8851bca91d2d64d4adc8a7f42b684603da21031c6bedc72d8d08072a19de306b4012c1409d

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                          Filesize

                                          342B

                                          MD5

                                          7155b242e169211866ef2d1e2fec2151

                                          SHA1

                                          8d0cc069d84f20820e900e4bc70200a3f4ecaf21

                                          SHA256

                                          23e70f46bffef7c9c34bfc4b0ca7f949ff80e21a0c437b0dbca2f93958b7be28

                                          SHA512

                                          f07b1ae317ebace0b05e6113041c653d7e760446145b1db492b3d7245eea77e703c13332d2fe35c9adf8b72b0cc853f23e9c55a655fd9f748e97fe3af1725570

                                        • C:\Users\Admin\AppData\Local\Temp\9s17GBcp13.bat

                                          Filesize

                                          222B

                                          MD5

                                          104deb44419dfbb55790794c0437958b

                                          SHA1

                                          fc4f7d9773f9aa3043489e50804c9493225fb67c

                                          SHA256

                                          ba1e29a988b537cd31e5da958276d651b2b973791a892e359c30a66d396fbf85

                                          SHA512

                                          c7396481a32eeba28e4289619cab73a9551a38e1aef3c110d0f2d5f14216098338cf15d720df951c8b2d96f35216b485e0fdd1d92d12f6cb5066c7b1db82949a

                                        • C:\Users\Admin\AppData\Local\Temp\Cab2D0B.tmp

                                          Filesize

                                          70KB

                                          MD5

                                          49aebf8cbd62d92ac215b2923fb1b9f5

                                          SHA1

                                          1723be06719828dda65ad804298d0431f6aff976

                                          SHA256

                                          b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                          SHA512

                                          bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                        • C:\Users\Admin\AppData\Local\Temp\ESzt3JT3T8.bat

                                          Filesize

                                          222B

                                          MD5

                                          4c139758c1592f95770c7d025d70ce18

                                          SHA1

                                          15c1f65bc2c8a80783c202364bd455671f7b2be6

                                          SHA256

                                          efd930535c7b0e8ae70d9e4650a14b3cd63afbf1b010ecd665b40bce24fadd24

                                          SHA512

                                          7c7fc311eca79e4e3a452386c1e30add3817ca6a43297ce3d612c080da19d6ec1477629961f64d5ac9382d7cad37370f6df7910e35c173efaa266515611410bc

                                        • C:\Users\Admin\AppData\Local\Temp\OMiKQlKjHz.bat

                                          Filesize

                                          222B

                                          MD5

                                          17db69c70c6f0aac7077c8c9b77c77f5

                                          SHA1

                                          88242ac97e26e01a5847691edca4bd113d1683a2

                                          SHA256

                                          6a3b920ea41501c2a21834db9a6ec6ab5542704f72f737dc3729620a89ca91c0

                                          SHA512

                                          a6a910ab0f5855550e5ebac9e0b66c712ea17c51bee11992b2bf85e1056f79476b561866c85849d2848883d34e3944580c36d8809a8e56822a642354fde3111e

                                        • C:\Users\Admin\AppData\Local\Temp\SXo39smTXJ.bat

                                          Filesize

                                          222B

                                          MD5

                                          a7bfd139b1757960387fe2146bd9136e

                                          SHA1

                                          3987bfc854817ba4f90a16619d84f60f43234e96

                                          SHA256

                                          5bf68c02354528ab3b2551d4237a13bc6279f80f0b628246b5efaacef155dcb2

                                          SHA512

                                          f508c8008189c6b10c5fbdc47d9c2495ab15e424933bebe8bddfe76aa31abb78749d44a11d069ec0ad98cdfe565a68764fed435a7628c44460baadbdf53ff916

                                        • C:\Users\Admin\AppData\Local\Temp\Tar2D1E.tmp

                                          Filesize

                                          181KB

                                          MD5

                                          4ea6026cf93ec6338144661bf1202cd1

                                          SHA1

                                          a1dec9044f750ad887935a01430bf49322fbdcb7

                                          SHA256

                                          8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                                          SHA512

                                          6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                        • C:\Users\Admin\AppData\Local\Temp\cYhs0sn2L6.bat

                                          Filesize

                                          222B

                                          MD5

                                          ed3174ba332a46d08339b4d1bf5baeb6

                                          SHA1

                                          a8e694f7481b41c1b59f9f07dfab20decd9d948d

                                          SHA256

                                          aad4271ad1579ab78b6034fb37f5b7a2c959a7838fbbe5f163c43d9780cb6654

                                          SHA512

                                          a2dd46fa1f5b7916a4cbef3d2d2896135798bbca60c43dd7cd9978c6b7e08544208b4f9932cd1b99c7fc4c2358e536d7ef0a31664b6c0b29f84763e0f9219b8b

                                        • C:\Users\Admin\AppData\Local\Temp\dgWvFyiHB2.bat

                                          Filesize

                                          222B

                                          MD5

                                          1f5c0ec1d2e4383b9ddad622135b2f35

                                          SHA1

                                          4e50e31bfcf084a1d77fcaca41b174e46d262106

                                          SHA256

                                          583fb7ace553f834dcf4ab2ac98fe3ba7776c3f7c554e8f5f737f2bba3cf27aa

                                          SHA512

                                          0b04a0448c932711f910a2bba1e896371114ca5a54ad06cc26e6284cdffacb7644b34fe6134404ef95bb89276b7e7743b033053a33b4c0c8d15d69aa901ae058

                                        • C:\Users\Admin\AppData\Local\Temp\eKh6VzgSrU.bat

                                          Filesize

                                          222B

                                          MD5

                                          3e517d620f417af1aeb1b49eed7709b3

                                          SHA1

                                          5037c9d20749b703c3f562a9607db2b79c71273c

                                          SHA256

                                          d826f623cd9a7deb88e2d6d785b71b5973c93a1dd68ecaab145e150c172a24b4

                                          SHA512

                                          d705cadeeb1aca1361bf85f137d48cbb3bcccbf72615c1b4fba3834b8bb9db4bc9c195f6218289f6a4f8cb97fd66d8fbe045665ff695e48b5a57cc3ad1d3121a

                                        • C:\Users\Admin\AppData\Local\Temp\fmTXnddwCX.bat

                                          Filesize

                                          222B

                                          MD5

                                          d773923a6c4819146e589b5bbffad263

                                          SHA1

                                          700d66aa4d2626688349d0d6fc7131a1ab398173

                                          SHA256

                                          78af7333c4164cdd2084008fc42da946f34e267afd0d2e155fb46be52f7b0c67

                                          SHA512

                                          00eab36289ab9689447a363d436b2207fe7d06c539655bbfd01404aad138d1888deb1c4673f675b76981d8bd5fcd4b6a35eb0fd63f629795af6aa0eefe13190e

                                        • C:\Users\Admin\AppData\Local\Temp\rmFq19iy8Y.bat

                                          Filesize

                                          222B

                                          MD5

                                          bba830f262607dde425b57ed1f73fd91

                                          SHA1

                                          31a77dd916136ce74514d3eda09c615fa5eefff0

                                          SHA256

                                          6109af1cbe68a6211e68c25c54c12905a78a2791f6c5861418617422c5023c5f

                                          SHA512

                                          6b74f83e6ed75f6837879cf68753f0a3140a7991fa6dcbc6901c9f3a541013a93dd5f329c310ce9658bad4030e646c1d6327d28aacbc1d44ca67b478f0207809

                                        • C:\Users\Admin\AppData\Local\Temp\zi4n06VBpB.bat

                                          Filesize

                                          222B

                                          MD5

                                          33551e045d53087826345a5eda19719d

                                          SHA1

                                          4887082bbbdbb3b410879cff541d4851e82df9ff

                                          SHA256

                                          c6d8cc2d077142c77be4a5ba90fc8accd032e1a37ef9d9b8aa9d04d123cc0e98

                                          SHA512

                                          43bb64cd53332b40709a861d91e0eeb4d8f080c27a810e61fe702e654056699829195e2b154f7c8dd9ddf679dae7ab6dd18f4d7ffd26da94ec4afa670929ce36

                                        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                          Filesize

                                          7KB

                                          MD5

                                          cb4f4ece97bcabd60f7efd118757f74c

                                          SHA1

                                          e836dfaaa5e5818183f4432896fab3ecc0572ff7

                                          SHA256

                                          4f5a75cde4b8ca3f3d030e609adceb1d4d52c0a687d09743184677534e2f677f

                                          SHA512

                                          590facb8a2dbfc86b39efa0390289730a9fcce8d8435869590d21e5b4f3a0a79d30fc3db7c8873e3baf14517c148d93a3a74223a6961df4c17bd3ac30a35a2fc

                                        • C:\providercommon\1zu9dW.bat

                                          Filesize

                                          36B

                                          MD5

                                          6783c3ee07c7d151ceac57f1f9c8bed7

                                          SHA1

                                          17468f98f95bf504cc1f83c49e49a78526b3ea03

                                          SHA256

                                          8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

                                          SHA512

                                          c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                        • C:\providercommon\DllCommonsvc.exe

                                          Filesize

                                          1.0MB

                                          MD5

                                          bd31e94b4143c4ce49c17d3af46bcad0

                                          SHA1

                                          f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                          SHA256

                                          b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                          SHA512

                                          f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                        • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                          Filesize

                                          197B

                                          MD5

                                          8088241160261560a02c84025d107592

                                          SHA1

                                          083121f7027557570994c9fc211df61730455bb5

                                          SHA256

                                          2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

                                          SHA512

                                          20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                        • memory/448-192-0x0000000000020000-0x0000000000130000-memory.dmp

                                          Filesize

                                          1.1MB

                                        • memory/1760-312-0x0000000001290000-0x00000000013A0000-memory.dmp

                                          Filesize

                                          1.1MB

                                        • memory/2108-58-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

                                          Filesize

                                          32KB

                                        • memory/2108-56-0x000000001B690000-0x000000001B972000-memory.dmp

                                          Filesize

                                          2.9MB

                                        • memory/2128-372-0x00000000012A0000-0x00000000013B0000-memory.dmp

                                          Filesize

                                          1.1MB

                                        • memory/2204-17-0x0000000000650000-0x000000000065C000-memory.dmp

                                          Filesize

                                          48KB

                                        • memory/2204-15-0x0000000000640000-0x000000000064C000-memory.dmp

                                          Filesize

                                          48KB

                                        • memory/2204-14-0x00000000002B0000-0x00000000002C2000-memory.dmp

                                          Filesize

                                          72KB

                                        • memory/2204-13-0x0000000000EA0000-0x0000000000FB0000-memory.dmp

                                          Filesize

                                          1.1MB

                                        • memory/2204-16-0x00000000002C0000-0x00000000002CC000-memory.dmp

                                          Filesize

                                          48KB

                                        • memory/2228-611-0x0000000000BB0000-0x0000000000CC0000-memory.dmp

                                          Filesize

                                          1.1MB

                                        • memory/2288-551-0x00000000002B0000-0x00000000003C0000-memory.dmp

                                          Filesize

                                          1.1MB

                                        • memory/2504-133-0x0000000001320000-0x0000000001430000-memory.dmp

                                          Filesize

                                          1.1MB

                                        • memory/2780-252-0x0000000000AF0000-0x0000000000C00000-memory.dmp

                                          Filesize

                                          1.1MB

                                        • memory/2788-491-0x0000000000420000-0x0000000000432000-memory.dmp

                                          Filesize

                                          72KB