Analysis

  • max time kernel
    144s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags
    arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
  • submitted
    21-12-2024 20:00

General

  • Target

    JaffaCakes118_b7f3c21430ebaba10471237315b5df88ae20712d12064a31dd48b2bb4a51029b.exe

  • Size

    1.3MB

  • MD5

    2138db9c69014b6f16e27559f7c303d0

  • SHA1

    d716531badf6ed4189ad0759b2bcbb52c2061948

  • SHA256

    b7f3c21430ebaba10471237315b5df88ae20712d12064a31dd48b2bb4a51029b

  • SHA512

    7556400609383526a3a70ff557405e67dd743d91a5b091eba3fb986e00ea13515ec62fca5cb514a9b64af9174bb79f9b20455075faa38aac1e92d111c3527040

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT active since June 2019 that is capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 51 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 10 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 11 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs
  • Drops file in Program Files directory 16 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 31 IoCs
  • Suspicious use of AdjustPrivilegeToken 29 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b7f3c21430ebaba10471237315b5df88ae20712d12064a31dd48b2bb4a51029b.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b7f3c21430ebaba10471237315b5df88ae20712d12064a31dd48b2bb4a51029b.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2396
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2420
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2544
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2780
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2388
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Libraries\audiodg.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2152
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\wininit.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1988
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\cmd.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2628
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\WmiPrvSE.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:652
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2608
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Idle.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3004
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\de-DE\explorer.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2568
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\cmd.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2512
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\taskhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2848
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Desktop\System.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2796
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Favorites\Links for United States\cmd.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2816
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2860
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\wininit.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2712
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\winlogon.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2828
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\audiodg.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1684
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2592
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\taskhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3012
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5IvKsOZkKm.bat"
            5⤵
              PID:1732
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                6⤵
                  PID:2004
                • C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\audiodg.exe
                  "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\audiodg.exe"
                  6⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2948
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uItNEyebdJ.bat"
                    7⤵
                      PID:1716
                      • C:\Windows\system32\w32tm.exe
                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                        8⤵
                          PID:640
                        • C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\audiodg.exe
                          "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\audiodg.exe"
                          8⤵
                          • Executes dropped EXE
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2012
                          • C:\Windows\System32\cmd.exe
                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WtKWrLEt72.bat"
                            9⤵
                              PID:1456
                              • C:\Windows\system32\w32tm.exe
                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                10⤵
                                  PID:2040
                                • C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\audiodg.exe
                                  "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\audiodg.exe"
                                  10⤵
                                  • Executes dropped EXE
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:2456
                                  • C:\Windows\System32\cmd.exe
                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5Ad8adCyX4.bat"
                                    11⤵
                                      PID:1772
                                      • C:\Windows\system32\w32tm.exe
                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                        12⤵
                                          PID:2668
                                        • C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\audiodg.exe
                                          "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\audiodg.exe"
                                          12⤵
                                          • Executes dropped EXE
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:1652
                                          • C:\Windows\System32\cmd.exe
                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CWxqMEPA9M.bat"
                                            13⤵
                                              PID:1580
                                              • C:\Windows\system32\w32tm.exe
                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                14⤵
                                                  PID:2868
                                                • C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\audiodg.exe
                                                  "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\audiodg.exe"
                                                  14⤵
                                                  • Executes dropped EXE
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:1236
                                                  • C:\Windows\System32\cmd.exe
                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5bc4V3lt5Q.bat"
                                                    15⤵
                                                      PID:2136
                                                      • C:\Windows\system32\w32tm.exe
                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                        16⤵
                                                          PID:2724
                                                        • C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\audiodg.exe
                                                          "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\audiodg.exe"
                                                          16⤵
                                                          • Executes dropped EXE
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:2608
                                                          • C:\Windows\System32\cmd.exe
                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\a4RGbRhdNM.bat"
                                                            17⤵
                                                              PID:2728
                                                              • C:\Windows\system32\w32tm.exe
                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                18⤵
                                                                  PID:2952
                                                                • C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\audiodg.exe
                                                                  "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\audiodg.exe"
                                                                  18⤵
                                                                  • Executes dropped EXE
                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:868
                                                                  • C:\Windows\System32\cmd.exe
                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MTMDnLe0ZL.bat"
                                                                    19⤵
                                                                      PID:2656
                                                                      • C:\Windows\system32\w32tm.exe
                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                        20⤵
                                                                          PID:1044
                                                                        • C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\audiodg.exe
                                                                          "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\audiodg.exe"
                                                                          20⤵
                                                                          • Executes dropped EXE
                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          PID:2408
                                                                          • C:\Windows\System32\cmd.exe
                                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hevtjRcN1r.bat"
                                                                            21⤵
                                                                              PID:2592
                                                                              • C:\Windows\system32\w32tm.exe
                                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                22⤵
                                                                                  PID:2168
                                                                                • C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\audiodg.exe
                                                                                  "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\audiodg.exe"
                                                                                  22⤵
                                                                                  • Executes dropped EXE
                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                  PID:1404
                                                                                  • C:\Windows\System32\cmd.exe
                                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tGPC7CVf0d.bat"
                                                                                    23⤵
                                                                                      PID:2244
                                                                                      • C:\Windows\system32\w32tm.exe
                                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                        24⤵
                                                                                          PID:972
                                                                                        • C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\audiodg.exe
                                                                                          "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\audiodg.exe"
                                                                                          24⤵
                                                                                          • Executes dropped EXE
                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:2132
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Libraries\audiodg.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3012
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Public\Libraries\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2984
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Libraries\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3028
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\wininit.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2744
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2692
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2736
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\cmd.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2376
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\cmd.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2244
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\cmd.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1728
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\WmiPrvSE.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1928
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1804
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1712
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2132
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1672
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2012
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files\7-Zip\Idle.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1716
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1456
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files\7-Zip\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1696
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Mail\de-DE\explorer.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1620
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\de-DE\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1300
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Mail\de-DE\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:852
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Users\Default\cmd.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2888
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Default\cmd.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:556
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Users\Default\cmd.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1640
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\taskhost.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2208
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\taskhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2784
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\taskhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2992
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Desktop\System.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1040
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\System.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1108
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Desktop\System.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2792
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Favorites\Links for United States\cmd.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:704
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Admin\Favorites\Links for United States\cmd.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:696
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Favorites\Links for United States\cmd.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2308
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsm.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2112
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsm.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2668
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsm.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1004
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\wininit.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1552
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\wininit.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1580
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\wininit.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2392
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\providercommon\winlogon.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:796
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2408
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2504
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1688
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2524
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2492
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\DllCommonsvc.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2052
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\DllCommonsvc.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1852
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\DllCommonsvc.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:3036
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Program Files\DVD Maker\taskhost.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2648
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\taskhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2564
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Program Files\DVD Maker\taskhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1596
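The block of schtasks.exe invocations above follows one pattern per dropped binary: an `/sc ONLOGON` task named after the file (`csrss`, `taskhost`, `lsm`, ...), plus `/sc MINUTE` tasks at a 6 to 14 minute interval whose name is the file name with its first letter appended (`csrssc`, `taskhostt`, `lsml`, ...), most of them with `/rl HIGHEST`, and every target sitting outside C:\Windows (C:\Recovery, C:\MSOCache, C:\Users\Default, C:\providercommon, unrelated Program Files folders). The script below is an added triage example, not part of the sandbox report or of the sample's own code: it parses `schtasks /create` command lines such as the ones logged here, scores each task against those indicators, and groups the tasks by target so the ONLOGON-plus-MINUTE layering stands out. The sample lines are copied from the process tree above (the final `Backup` line is a constructed benign control); the allow-list of trusted directories, the system-process name list and the "odd directory" list are this example's assumptions.

```python
"""Triage of schtasks.exe /create command lines from a sandbox process tree.

Added example; not part of the sandbox report or of the sample's own code.
Indicator lists are this example's assumptions, not report data.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Sample input: six command lines copied from the process tree above plus one
# constructed benign control line (the last one) that should raise no flag.
SAMPLE_CMDLINES = [
    r'''schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\csrss.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\csrss.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files\7-Zip\Idle.exe'" /f''',
    r'''schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\de-DE\explorer.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Users\Default\cmd.exe'" /f''',
    r'''schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\providercommon\winlogon.exe'" /f''',
    r'''schtasks.exe /create /tn "Backup" /sc DAILY /st 02:00 /tr "C:\Tools\backup.exe" /f''',
]

# Windows process names the sample borrows; the genuine binaries live only in
# C:\Windows or its System32/SysWOW64 folders (assumed allow-list).
SYSTEM_PROCESS_NAMES = {
    'csrss.exe', 'lsm.exe', 'wininit.exe', 'winlogon.exe', 'taskhost.exe',
    'audiodg.exe', 'explorer.exe', 'cmd.exe', 'smss.exe', 'services.exe',
    'lsass.exe', 'svchost.exe', 'dllhost.exe', 'dwm.exe', 'spoolsv.exe',
}
TRUSTED_DIRS = {r'c:\windows', r'c:\windows\system32', r'c:\windows\syswow64'}
# "System" and "Idle" are kernel pseudo-processes; no such .exe exists on disk.
PSEUDO_PROCESS_NAMES = {'system.exe', 'idle.exe'}
# Directories no installer would pick for a scheduled binary (assumed list).
ODD_DIRS = (r'c:\recovery', r'c:\msocache', r'c:\users\default',
            r'c:\users\all users', r'c:\users\public', r'c:\providercommon')


def parse_schtasks_create(cmdline):
    """Extract /tn, /sc, /mo, /tr and /rl from a `schtasks /create` line.

    Returns None for command lines that do not create a task.
    """
    if not re.search(r'\bschtasks(?:\.exe)?\b.*\s/create\b', cmdline, re.I):
        return None

    def opt(flag):
        # Value is either a double-quoted string or a single bare token.
        m = re.search(r'/' + flag + r'\s+(?:"([^"]*)"|(\S+))', cmdline, re.I)
        return None if not m else next(g for g in m.groups() if g is not None)

    target = opt('tr')
    if target is None:
        return None
    mo = opt('mo')
    return {
        'name': opt('tn'),
        'schedule': (opt('sc') or '').upper(),
        'modifier': int(mo) if mo and mo.isdigit() else None,
        # The sample wraps the path as "'C:\...\x.exe'"; drop the inner quotes.
        'target': target.strip().strip("'"),
        'run_level': (opt('rl') or '').upper(),
    }


def _under(parent, roots):
    """True when `parent` is one of `roots` or a directory beneath one."""
    return any(parent == r or parent.startswith(r + '\\') for r in roots)


def assess(task):
    """Return the indicators that fire for one parsed task (empty if benign)."""
    path = PureWindowsPath(task['target'])
    name, parent = path.name.lower(), str(path.parent).lower()
    flags = []
    if name in SYSTEM_PROCESS_NAMES and parent not in TRUSTED_DIRS:
        flags.append('system-process name outside Windows directory')
    if name in PSEUDO_PROCESS_NAMES:
        flags.append('named after a kernel pseudo-process that has no executable')
    if _under(parent, ODD_DIRS):
        flags.append('binary dropped in unusual location')
    if task['schedule'] == 'MINUTE' and task['modifier'] is not None and task['modifier'] <= 15:
        flags.append(f"respawns every {task['modifier']} min")
    if task['run_level'] == 'HIGHEST':
        flags.append('requests highest run level')
    # Naming habit seen above: task name is the file stem, or stem + its first
    # letter ("csrss"/"csrssc", "taskhost"/"taskhostt"). Case-sensitive on purpose.
    stem = path.stem
    if task['name'] and task['name'] in (stem, stem + stem[:1]):
        flags.append('task name derived from target file name')
    return flags


def triage(cmdlines):
    """Parse and score every line; also list targets that have both an ONLOGON
    task and a MINUTE task, the layered persistence visible in the tree above."""
    by_target = defaultdict(list)
    results = []
    for line in cmdlines:
        task = parse_schtasks_create(line)
        if task is None:
            continue
        task['flags'] = assess(task)
        results.append(task)
        by_target[task['target'].lower()].append(task['schedule'])
    layered = sorted(t for t, s in by_target.items() if 'ONLOGON' in s and 'MINUTE' in s)
    return results, layered


if __name__ == '__main__':
    results, layered = triage(SAMPLE_CMDLINES)
    for t in results:
        print(f"{t['name']!s:14} {t['schedule']:8} {t['target']}")
        for f in t['flags']:
            print(f"    - {f}")
    print('binaries with both ONLOGON and MINUTE tasks:', layered)
```

On a live host the same parser can be fed the `/create` command lines recorded in Sysmon Event ID 1 or Security Event ID 4688 for schtasks.exe, or the task actions exported with `schtasks /query /xml`; the name-derivation and pseudo-process checks are the cheapest of the indicators and already isolate every task in the tree above from the benign control line.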

                                          Network

                                          MITRE ATT&CK Enterprise v15

                                          Downloads

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                            Filesize

                                            342B

                                            MD5

                                            293aa6d1f23f6f638c8514e0ceb68642

                                            SHA1

                                            d36eb1c882b42191fc555965c329ba9c515f3962

                                            SHA256

                                            d77dc7a23ca70a433e22738060a9135acc1d4b2d57b6f104c2e9afdea9861ae5

                                            SHA512

                                            3490e405b5fcc1a461ad848bf4400972733e03557f3365503bd3cccf4e1313a7c88c2b84782f447a392a4ae61d49a4fee4494ffb3a6e7a979e798403dfcebad6

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                            Filesize

                                            342B

                                            MD5

                                            75474c11cd1116caf7837f05e78c2259

                                            SHA1

                                            d30976c0b132f9aebe0dee0a055bcdf25bf3558e

                                            SHA256

                                            1dca09f1a9af6133461674a247b8258c7c9ef6725d11cd327590df62ec694ac9

                                            SHA512

                                            b13c26759ae2386b30a4c8ef7be2febc37120c070d75e30eb2ca4b348728e575a6a13b31e0760a57c61baadeaae4b63949d456d9747671962ddea3ff29578415

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                            Filesize

                                            342B

                                            MD5

                                            40c22aacc0d2354dc57c6dde3a2c4eb7

                                            SHA1

                                            8cb3e62faafd277cfd338ed634079dad78c03033

                                            SHA256

                                            d8717b6d987677f264e63a8f3bbefafccbd205c5964836864a7a4aaa65ca14dd

                                            SHA512

                                            91d8de4d38ef6487ea28392c9c1f040fa353668dfdb103d9b5ab8984b11f13b3f5a2686f522432c7dca4beeb02a2a6f0ec28f0d2360c7c28c2d2fe8ca84bd7b2

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                            Filesize

                                            342B

                                            MD5

                                            8c4278e5b35c5dfce55de8e98cf7da65

                                            SHA1

                                            920ca576b936d3a4db1a9d3d04304c99fd3b6a50

                                            SHA256

                                            588d1238e303ed2b33db890951ce2196be694905a8889a51678bc8584193e745

                                            SHA512

                                            f5a2ff0a4e8c7e076c298eb977b1eaef3247820440972e2f505ae6b3151f0ca18ffb048af3e49234ac998cc50fdd33a0c98327f5cfa66c75f10f9ceec4778b3e

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                            Filesize

                                            342B

                                            MD5

                                            7177e045d26d3179111cbe8ebf9dd39e

                                            SHA1

                                            da4f9b1dee0ffb34a573a35d4545bf04f180ba29

                                            SHA256

                                            8438e2755e2ee6ee72398c67c0b106f18d3206f5f5a1f3cf57083a64dd311c8d

                                            SHA512

                                            1fb8a73bb7dcd45ec7cef93552d23d5b655376ca61697b85c33d04c78f1228a9f0578fe953b55c7ff9bb36a40a25b258958a09994c7bb8ca239b830dcb37f6b6

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                            Filesize

                                            342B

                                            MD5

                                            3640048136a67eee08d4a3088700bb3e

                                            SHA1

                                            0bbb29c1ec0d9fc0b1e9d62024d66ad72ef6f11f

                                            SHA256

                                            dc39b3b30e134b1e8e53d998196d8ea97f73dbc3683a04a514863482575822fa

                                            SHA512

                                            1a2d9c2034200024789a56bf7e572ac9cb4c6dad344d779ad2be44ecc11840d6bad2d35a35b2d67abec2612923f93800644cb35df207ffff0df0a78f06f1cc79

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                            Filesize

                                            342B

                                            MD5

                                            ee20e09c6311c5a5c8859a151b357e2d

                                            SHA1

                                            5f3a8393af0bfc598083d65919e8ba9870d67387

                                            SHA256

                                            d3d4223d08fc357b58bc68f25e035b4018bf929764679f7f4fe55a316ae00f99

                                            SHA512

                                            0fd73bd06a54579faa106f260e4895fc286413b94f7f31ced0e61160c6f2d344385b4509593d2d3746038a8c5af0b6cdfac61b8854b17290223311ee685f40f7

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                            Filesize

                                            342B

                                            MD5

                                            1efa9887dd9916c2e26edf0e4a065174

                                            SHA1

                                            bda0a015b2ae5dc7935c0b7d8a36771d90b73000

                                            SHA256

                                            4119548c5e54796c031e1769d43b20022dbe769671be99dee0264f558e1d67d0

                                            SHA512

                                            0a77327b059de3aa9ee6163002c29d59165b1041e096091fe5525b038b3652caa2d9bdc1bc9185b40e2857319b4e607e97cdff903e01a1487bb860d518919c32

                                          • C:\Users\Admin\AppData\Local\Temp\5Ad8adCyX4.bat

                                            Filesize

                                            239B

                                            MD5

                                            ff60eca041e1f809bc5f5674ed7d7240

                                            SHA1

                                            1b5dd47de3ac2f0ff1dfb7a5f5ecf9f3a2d55ce4

                                            SHA256

                                            e4637d06cae5b77b1575ca159259246c6db91c155fc2bf0cfd2e4f874470a77b

                                            SHA512

                                            1224e7c45f7dbd765626d4d10ddbe3d3c80f1c00bb2ae32032c80eb3ed40eed3636bfe7dafc8f111d541266e813fbc8ec11f711b0ac02259666069c727813d0b

                                          • C:\Users\Admin\AppData\Local\Temp\5IvKsOZkKm.bat

                                            Filesize

                                            239B

                                            MD5

                                            e03818f1c0bd9431e0819a070fc792ac

                                            SHA1

                                            cd8c99a2c6fbce32c0b8d5202f6f849e9e39bd20

                                            SHA256

                                            bb4085b65cb7521b1d37652fccb44b7658e152185ca5a6ff6fa27b784b8faf14

                                            SHA512

                                            9450b2794b3bfdfc4df4b179b6b418ba5de5c5383d5c6ebd4a72af0f777d708a779b6f5e3b04fc0fed58fe05f7925b25e09fb9187c4decbeaa0f5bcefdb61717

                                          • C:\Users\Admin\AppData\Local\Temp\5bc4V3lt5Q.bat

                                            Filesize

                                            239B

                                            MD5

                                            dc4d2d0f50f5b4ff65911dde3cd688e0

                                            SHA1

                                            d66308198b97d11c0563a092f01dc2c9d4caf99b

                                            SHA256

                                            adafc8c2cc8c91888f30e0ee1fcd47bfaa61d5a4452c88a59bef440700678fb9

                                            SHA512

                                            e2966995d61659ac4139ab91ce1da1197cf9852a3fe02e7963f9071c8560b498a20167a10a7a73c6eecc0eb7b75b1b357476f218fb0dac8f38573413c4f2275f

                                          • C:\Users\Admin\AppData\Local\Temp\CWxqMEPA9M.bat

                                            Filesize

                                            239B

                                            MD5

                                            80d4a5a52ea749c7bc170971a65de203

                                            SHA1

                                            a4b6afa5235f6b4a152c7d3ded78278f581aea53

                                            SHA256

                                            78c9f77e28b2665bcd52c9202a61550b407d5c64f4412aa36c9b6b6b972d85ac

                                            SHA512

                                            433ee9484234c38550680353dede6e000c981d68c0e3d748c0d45589741aa6089032c66fd69274ac41536bfa36ae66d936aba7ae8f67d9b0c9ae1afa748d9263

                                          • C:\Users\Admin\AppData\Local\Temp\Cab2A5D.tmp

                                            Filesize

                                            70KB

                                            MD5

                                            49aebf8cbd62d92ac215b2923fb1b9f5

                                            SHA1

                                            1723be06719828dda65ad804298d0431f6aff976

                                            SHA256

                                            b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                            SHA512

                                            bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                          • C:\Users\Admin\AppData\Local\Temp\MTMDnLe0ZL.bat

                                            Filesize

                                            239B

                                            MD5

                                            8e50776f35b052af019a1bcf2f188df8

                                            SHA1

                                            4dbaa3c5fe76c86a3f4b305b6c87fd8b92045549

                                            SHA256

                                            0fe2aa4e28355342dd2e2b5e1d8b77fbc493af787b0c313acd33a6991a431df6

                                            SHA512
