Analysis

  • max time kernel
    150s
  • max time network
    136s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    21-12-2024 20:05

General

  • Target

    JaffaCakes118_e87b485eb161c539f5cef0934121369f83e0080981ce49c998e99c4a0fa08717.exe

  • Size

    1.3MB

  • MD5

    936f2270ec6291f8f953c5c5ea5003e7

  • SHA1

    88f59a2e41bdc801b41c5bef8e8af94beb08e98c

  • SHA256

    e87b485eb161c539f5cef0934121369f83e0080981ce49c998e99c4a0fa08717

  • SHA512

    c299f46c5b4b81d8bbcb0f5b9aea31e2a301c4922d57a3c36ea754e5f2c16d9e0e51541cecbee69f4bddafbb243026cbfa21d204c86944188159f979355ca9dc

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 45 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 6 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
  • Drops file in Program Files directory 11 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 29 IoCs
  • Suspicious use of AdjustPrivilegeToken 27 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e87b485eb161c539f5cef0934121369f83e0080981ce49c998e99c4a0fa08717.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e87b485eb161c539f5cef0934121369f83e0080981ce49c998e99c4a0fa08717.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2860
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2396
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:580
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2732
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:888
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\fonts\lsass.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:884
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\sppsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2688
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\services.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1852
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\es-ES\cmd.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2128
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\wininit.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1740
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2100
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\wininit.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            PID:1428
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1540
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1576
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1628
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Accessories\es-ES\audiodg.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1580
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\audiodg.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2992
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PLA\Reports\ja-JP\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3008
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\OSPPSVC.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3068
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\sppsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2164
          • C:\Windows\PLA\Reports\ja-JP\csrss.exe
            "C:\Windows\PLA\Reports\ja-JP\csrss.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3036
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Yvohz7Nokj.bat"
              6⤵
                PID:2308
                • C:\Windows\system32\w32tm.exe
                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                  7⤵
                    PID:1128
                  • C:\Windows\PLA\Reports\ja-JP\csrss.exe
                    "C:\Windows\PLA\Reports\ja-JP\csrss.exe"
                    7⤵
                    • Executes dropped EXE
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2772
                    • C:\Windows\System32\cmd.exe
                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lEFN0vw97k.bat"
                      8⤵
                        PID:1656
                        • C:\Windows\system32\w32tm.exe
                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                          9⤵
                            PID:2024
                          • C:\Windows\PLA\Reports\ja-JP\csrss.exe
                            "C:\Windows\PLA\Reports\ja-JP\csrss.exe"
                            9⤵
                            • Executes dropped EXE
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1764
                            • C:\Windows\System32\cmd.exe
                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\paq62miIo8.bat"
                              10⤵
                                PID:2016
                                • C:\Windows\system32\w32tm.exe
                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                  11⤵
                                    PID:656
                                  • C:\Windows\PLA\Reports\ja-JP\csrss.exe
                                    "C:\Windows\PLA\Reports\ja-JP\csrss.exe"
                                    11⤵
                                    • Executes dropped EXE
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:980
                                    • C:\Windows\System32\cmd.exe
                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\00pP7nIBMq.bat"
                                      12⤵
                                        PID:1172
                                        • C:\Windows\system32\w32tm.exe
                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                          13⤵
                                            PID:2204
                                          • C:\Windows\PLA\Reports\ja-JP\csrss.exe
                                            "C:\Windows\PLA\Reports\ja-JP\csrss.exe"
                                            13⤵
                                            • Executes dropped EXE
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:1276
                                            • C:\Windows\System32\cmd.exe
                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\i32OxRBhll.bat"
                                              14⤵
                                                PID:2544
                                                • C:\Windows\system32\w32tm.exe
                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                  15⤵
                                                    PID:2576
                                                  • C:\Windows\PLA\Reports\ja-JP\csrss.exe
                                                    "C:\Windows\PLA\Reports\ja-JP\csrss.exe"
                                                    15⤵
                                                    • Executes dropped EXE
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:2300
                                                    • C:\Windows\System32\cmd.exe
                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yWf31kVUUl.bat"
                                                      16⤵
                                                        PID:1072
                                                        • C:\Windows\system32\w32tm.exe
                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                          17⤵
                                                            PID:1856
                                                          • C:\Windows\PLA\Reports\ja-JP\csrss.exe
                                                            "C:\Windows\PLA\Reports\ja-JP\csrss.exe"
                                                            17⤵
                                                            • Executes dropped EXE
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:1724
                                                            • C:\Windows\System32\cmd.exe
                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\esvfELjyVS.bat"
                                                              18⤵
                                                                PID:2868
                                                                • C:\Windows\system32\w32tm.exe
                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                  19⤵
                                                                    PID:1792
                                                                  • C:\Windows\PLA\Reports\ja-JP\csrss.exe
                                                                    "C:\Windows\PLA\Reports\ja-JP\csrss.exe"
                                                                    19⤵
                                                                    • Executes dropped EXE
                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    PID:1172
                                                                    • C:\Windows\System32\cmd.exe
                                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dCyIaH4v8D.bat"
                                                                      20⤵
                                                                        PID:1628
                                                                        • C:\Windows\system32\w32tm.exe
                                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                          21⤵
                                                                            PID:1732
                                                                          • C:\Windows\PLA\Reports\ja-JP\csrss.exe
                                                                            "C:\Windows\PLA\Reports\ja-JP\csrss.exe"
                                                                            21⤵
                                                                            • Executes dropped EXE
                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:480
                                                                            • C:\Windows\System32\cmd.exe
                                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\s5uDoSCHZY.bat"
                                                                              22⤵
                                                                                PID:2428
                                                                                • C:\Windows\system32\w32tm.exe
                                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                  23⤵
                                                                                    PID:2784
                                                                                  • C:\Windows\PLA\Reports\ja-JP\csrss.exe
                                                                                    "C:\Windows\PLA\Reports\ja-JP\csrss.exe"
                                                                                    23⤵
                                                                                    • Executes dropped EXE
                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                    PID:384
                                                                                    • C:\Windows\System32\cmd.exe
                                                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fdSjcfTSOA.bat"
                                                                                      24⤵
                                                                                        PID:2656
                                                                                        • C:\Windows\system32\w32tm.exe
                                                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                          25⤵
                                                                                            PID:1148
                                                                                          • C:\Windows\PLA\Reports\ja-JP\csrss.exe
                                                                                            "C:\Windows\PLA\Reports\ja-JP\csrss.exe"
                                                                                            25⤵
                                                                                            • Executes dropped EXE
                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                            PID:2944
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files\Mozilla Firefox\fonts\lsass.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2904
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\fonts\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2644
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files\Mozilla Firefox\fonts\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2776
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\sppsvc.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2616
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2656
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2104
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\7-Zip\Lang\services.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2404
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:664
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files\7-Zip\Lang\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1648
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Windows\es-ES\cmd.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1636
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\es-ES\cmd.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2672
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Windows\es-ES\cmd.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1664
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\wininit.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1548
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1808
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2012
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\providercommon\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1272
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1896
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2024
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Portable Devices\wininit.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1496
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1772
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Portable Devices\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3016
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\providercommon\explorer.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2896
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2304
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2448
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\providercommon\dllhost.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2176
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2456
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2960
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2972
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:3032
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1092
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\Accessories\es-ES\audiodg.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1632
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\es-ES\audiodg.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1732
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\Accessories\es-ES\audiodg.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:3048
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1712
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1724
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:268
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\PLA\Reports\ja-JP\csrss.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1360
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\PLA\Reports\ja-JP\csrss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1560
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\PLA\Reports\ja-JP\csrss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:556
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\OSPPSVC.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1524
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\OSPPSVC.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1432
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\OSPPSVC.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2392
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\sppsvc.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1952
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2088
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1684

                                          Downloads


                                            SHA256

                                            b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                            SHA512

                                            f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                          • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                            Filesize

                                            197B

                                            MD5

                                            8088241160261560a02c84025d107592

                                            SHA1

                                            083121f7027557570994c9fc211df61730455bb5

                                            SHA256

                                            2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

                                            SHA512

                                            20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                          • memory/480-605-0x00000000012E0000-0x00000000013F0000-memory.dmp

                                            Filesize

                                            1.1MB

                                          • memory/884-64-0x0000000002390000-0x0000000002398000-memory.dmp

                                            Filesize

                                            32KB

                                          • memory/884-59-0x000000001B790000-0x000000001BA72000-memory.dmp

                                            Filesize

                                            2.9MB

                                          • memory/980-309-0x0000000000460000-0x0000000000472000-memory.dmp

                                            Filesize

                                            72KB

                                          • memory/1764-249-0x0000000001200000-0x0000000001310000-memory.dmp

                                            Filesize

                                            1.1MB

                                          • memory/2732-17-0x0000000000470000-0x000000000047C000-memory.dmp

                                            Filesize

                                            48KB

                                          • memory/2732-16-0x00000000003D0000-0x00000000003DC000-memory.dmp

                                            Filesize

                                            48KB

                                          • memory/2732-15-0x0000000000460000-0x000000000046C000-memory.dmp

                                            Filesize

                                            48KB

                                          • memory/2732-14-0x00000000001C0000-0x00000000001D2000-memory.dmp

                                            Filesize

                                            72KB

                                          • memory/2732-13-0x0000000000E10000-0x0000000000F20000-memory.dmp

                                            Filesize

                                            1.1MB

                                          • memory/2772-189-0x00000000010A0000-0x00000000011B0000-memory.dmp

                                            Filesize

                                            1.1MB

                                          • memory/3036-74-0x0000000000290000-0x00000000003A0000-memory.dmp

                                            Filesize

                                            1.1MB

                                          • memory/3036-105-0x00000000001C0000-0x00000000001D2000-memory.dmp

                                            Filesize

                                            72KB