Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    21-12-2024 20:07

General

  • Target

    JaffaCakes118_ff90c45bdc5a2af542143e7857a726fe60d182f113a188fb77a6380fbc15500b.exe

  • Size

    1.3MB

  • MD5

    978655e8b9ea7854362a7e86acb751fa

  • SHA1

    2a013b5deb208f90ff1eb6f964967d65e38f2c79

  • SHA256

    ff90c45bdc5a2af542143e7857a726fe60d182f113a188fb77a6380fbc15500b

  • SHA512

    0b6cff9ba54e7dc6e5f26a30a0ff17d2e819d81d75249f4670eb0b5040f3900fd85b9530ebf352665edb3242bb24fb0e6ce4f47fcecb86b54ea654e7b4061e4c

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 54 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 9 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs
  • Drops file in Program Files directory 9 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 31 IoCs
  • Suspicious use of AdjustPrivilegeToken 31 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ff90c45bdc5a2af542143e7857a726fe60d182f113a188fb77a6380fbc15500b.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ff90c45bdc5a2af542143e7857a726fe60d182f113a188fb77a6380fbc15500b.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2012
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1732
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2728
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2356
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1732
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\en-US\OSPPSVC.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1744
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\smss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:292
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\smss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2816
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\en-US\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2736
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2660
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2712
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\LiveKernelReports\System.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2872
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Tasks\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2688
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WmiPrvSE.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2664
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Downloads\spoolsv.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2768
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\taskhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2796
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Music\Sample Music\WmiPrvSE.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1848
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\dwm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2668
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\taskhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1928
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\dllhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:856
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\services.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1888
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office14\1033\taskhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2772
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\smss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1940
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Gt2U4zX4U5.bat"
            5⤵
              PID:1096
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                6⤵
                  PID:2912
                • C:\MSOCache\All Users\dllhost.exe
                  "C:\MSOCache\All Users\dllhost.exe"
                  6⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2228
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oS12nhm3yC.bat"
                    7⤵
                      PID:1240
                      • C:\Windows\system32\w32tm.exe
                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                        8⤵
                          PID:2660
                        • C:\MSOCache\All Users\dllhost.exe
                          "C:\MSOCache\All Users\dllhost.exe"
                          8⤵
                          • Executes dropped EXE
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:328
                          • C:\Windows\System32\cmd.exe
                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rmFq19iy8Y.bat"
                            9⤵
                              PID:996
                              • C:\Windows\system32\w32tm.exe
                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                10⤵
                                  PID:2004
                                • C:\MSOCache\All Users\dllhost.exe
                                  "C:\MSOCache\All Users\dllhost.exe"
                                  10⤵
                                  • Executes dropped EXE
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:2052
                                  • C:\Windows\System32\cmd.exe
                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2zXOrWkEHk.bat"
                                    11⤵
                                      PID:1016
                                      • C:\Windows\system32\w32tm.exe
                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                        12⤵
                                          PID:1512
                                        • C:\MSOCache\All Users\dllhost.exe
                                          "C:\MSOCache\All Users\dllhost.exe"
                                          12⤵
                                          • Executes dropped EXE
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:1236
                                          • C:\Windows\System32\cmd.exe
                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hGpPWS23Hw.bat"
                                            13⤵
                                              PID:2696
                                              • C:\Windows\system32\w32tm.exe
                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                14⤵
                                                  PID:2532
                                                • C:\MSOCache\All Users\dllhost.exe
                                                  "C:\MSOCache\All Users\dllhost.exe"
                                                  14⤵
                                                  • Executes dropped EXE
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:2624
                                                  • C:\Windows\System32\cmd.exe
                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WRY5ahHPmz.bat"
                                                    15⤵
                                                      PID:2944
                                                      • C:\Windows\system32\w32tm.exe
                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                        16⤵
                                                          PID:1292
                                                        • C:\MSOCache\All Users\dllhost.exe
                                                          "C:\MSOCache\All Users\dllhost.exe"
                                                          16⤵
                                                          • Executes dropped EXE
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:1652
                                                          • C:\Windows\System32\cmd.exe
                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OZJpL0Zeaq.bat"
                                                            17⤵
                                                              PID:3016
                                                              • C:\Windows\system32\w32tm.exe
                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                18⤵
                                                                  PID:2872
                                                                • C:\MSOCache\All Users\dllhost.exe
                                                                  "C:\MSOCache\All Users\dllhost.exe"
                                                                  18⤵
                                                                  • Executes dropped EXE
                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:1744
                                                                  • C:\Windows\System32\cmd.exe
                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rHhDMS4c5i.bat"
                                                                    19⤵
                                                                      PID:1748
                                                                      • C:\Windows\system32\w32tm.exe
                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                        20⤵
                                                                          PID:2836
                                                                        • C:\MSOCache\All Users\dllhost.exe
                                                                          "C:\MSOCache\All Users\dllhost.exe"
                                                                          20⤵
                                                                          • Executes dropped EXE
                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          PID:2064
                                                                          • C:\Windows\System32\cmd.exe
                                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\b6uRiEqY03.bat"
                                                                            21⤵
                                                                              PID:2252
                                                                              • C:\Windows\system32\w32tm.exe
                                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                22⤵
                                                                                  PID:2816
                                                                                • C:\MSOCache\All Users\dllhost.exe
                                                                                  "C:\MSOCache\All Users\dllhost.exe"
                                                                                  22⤵
                                                                                  • Executes dropped EXE
                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                  PID:2388
                                                                                  • C:\Windows\System32\cmd.exe
                                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CrTeqwt2Oo.bat"
                                                                                    23⤵
                                                                                      PID:1368
                                                                                      • C:\Windows\system32\w32tm.exe
                                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                        24⤵
                                                                                          PID:1612
                                                                                        • C:\MSOCache\All Users\dllhost.exe
                                                                                          "C:\MSOCache\All Users\dllhost.exe"
                                                                                          24⤵
                                                                                          • Executes dropped EXE
                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:2748
                                                                                          • C:\Windows\System32\cmd.exe
                                                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GptcLQn9Ec.bat"
                                                                                            25⤵
                                                                                              PID:604
                                                                                              • C:\Windows\system32\w32tm.exe
                                                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                26⤵
                                                                                                  PID:2568
                                                                                                • C:\MSOCache\All Users\dllhost.exe
                                                                                                  "C:\MSOCache\All Users\dllhost.exe"
                                                                                                  26⤵
                                                                                                  • Executes dropped EXE
                                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                  PID:1656
                                                                                                  • C:\Windows\System32\cmd.exe
                                                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\O1BWw2qr2X.bat"
                                                                                                    27⤵
                                                                                                      PID:2368
                                                                                                      • C:\Windows\system32\w32tm.exe
                                                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                        28⤵
                                                                                                          PID:1428
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Mail\en-US\OSPPSVC.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2932
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\en-US\OSPPSVC.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2236
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\en-US\OSPPSVC.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2572
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\smss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2792
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\smss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2544
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\smss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2600
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\providercommon\smss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3020
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1740
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2008
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\Program Files\DVD Maker\en-US\DllCommonsvc.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2432
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\en-US\DllCommonsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1588
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Program Files\DVD Maker\en-US\DllCommonsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1040
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\DllCommonsvc.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2440
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1872
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:1540
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\providercommon\explorer.exe'" /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:1256
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:780
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:1368
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Windows\LiveKernelReports\System.exe'" /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:892
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\System.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:1704
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Windows\LiveKernelReports\System.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:1636
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Windows\Tasks\csrss.exe'" /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:3008
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Tasks\csrss.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:2884
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\Tasks\csrss.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:2148
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\providercommon\WmiPrvSE.exe'" /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:2868
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:1720
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:1656
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Downloads\spoolsv.exe'" /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:1976
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default\Downloads\spoolsv.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:1664
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Downloads\spoolsv.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:696
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\taskhost.exe'" /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:1804
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:1428
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:1884
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Music\Sample Music\WmiPrvSE.exe'" /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:1236
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Public\Music\Sample Music\WmiPrvSE.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:1692
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Music\Sample Music\WmiPrvSE.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:2436
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\dwm.exe'" /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:960
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:1552
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:1424
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\taskhost.exe'" /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:1116
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\taskhost.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:2140
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\taskhost.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:3044
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\dllhost.exe'" /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:2376
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\dllhost.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:2188
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\dllhost.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:1672
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\services.exe'" /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:2184
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\services.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:888
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\services.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:3000
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office\Office14\1033\taskhost.exe'" /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:2108
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\taskhost.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:1492
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office\Office14\1033\taskhost.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:1496
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\smss.exe'" /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:1800
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:2176
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:2284

                                                  Network

                                                  MITRE ATT&CK Enterprise v15

                                                  Downloads

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                                    Filesize: 342B
                                                    MD5: 05c2038729e29a9d25052218bcc35406
                                                    SHA1: 67df81f6759569bacce4827204159816229e5488
                                                    SHA256: bfd3559bb3cfa911741420be9250aca301d991fc0dc8825813718d24b7f39d9e
                                                    SHA512: 687b615065323cd68f45398b6578510c48d3ee79ef07b5410288c6d21a376ff70407d7652fbadb6f0424e1af3f69b7497913f01e380f59192d8baddb6e959cbb

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                                    Filesize: 342B
                                                    MD5: 95f6fb483c2795bb54335b6c6695907d
                                                    SHA1: 3863d1c57184e20b1a15dee37f4cc39ccdbfa6b7
                                                    SHA256: 9e86d19e6a2be64b65275b704cf4b6de6b5103223828c75b3afd85c55a5e7812
                                                    SHA512: df68e851a27f2ad6f3781451638906e0b629cbb13cc7ae11de0dae468de25900bea34514abdc2ed74228ef2f461ad17c7b7cf7045d004385ab5407de88a77ae1

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                                    Filesize: 342B
                                                    MD5: a0fb6800ecf0345ba020e7a4c4c72749
                                                    SHA1: c63a8a90e52c2d4419bdfb85e388540ca52d303e
                                                    SHA256: 1306bdad0add015aa2c9a304f35c9d54b2602a132661c43770fbf5686924d6ec
                                                    SHA512: 44463d46d161ab6d46ff95596d09ef8abf2e1e4713c9700f1b269a10683dad4b481f186cadc4154c0dcd7644f829103e7b8927aa060577de8d90fe711d12e755

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                                    Filesize: 342B
                                                    MD5: 46c5d5be3946689434d34288c5e80020
                                                    SHA1: cdf7765fd2c65aafcae20ef19605bd531cd03001
                                                    SHA256: 582e034f9fffd4cc23a646ecb30f89c7d1c868fbf5a1c7a74924a3544e66f8a0
                                                    SHA512: bf0e686f1c3d89a4fa1fee61d8d1c1272118c09cf70229837343cf260679640dda717286cf230627f800cd58e76fa77bfcc61bfcb77cfccea35f23ccf8c4fdd3

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                                    Filesize: 342B
                                                    MD5: 7be106d23c30b2da02feb1e4d94b4c53
                                                    SHA1: f076ad12ac7ab6191673a3ce50d946e7e379e297
                                                    SHA256: b289a8b5ae78872acc69a5c54dbcf05f98013ded0f4d5eee1068632a95bf0c15
                                                    SHA512: fb95bb6a45835d90d91ea027c292c6c34e8f587af0d5ad1ee9d1d8193d3775a39989ed748c23e0a04a20705a8030e7bc8cf83b26e98aeb911145b2668f011b7d

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                                    Filesize: 342B
                                                    MD5: 7a53faa7d9f5f3d0cab8814484afcf7c
                                                    SHA1: acdae32b6060532764328cd0bad770069381c8e1
                                                    SHA256: 4e5d9bc1270121c0f26229c7487b1e6d9e11661baa3fc152ef6b4992ad06aa7c
                                                    SHA512: ff650ea45db9ac4a9af102b62c7834956f9654ba61e334412d67bb6d0875d8736dae26d2015b699999b2e4c92a74f7eca637a70547f3ee7b5ceb13f27674dc4e

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                                    Filesize: 342B
                                                    MD5: 4511d1de8c6e67576adf97b009f6d065
                                                    SHA1: 6fe313c2503609df742244fbb7ef548f25c2f794
                                                    SHA256: 6472b377b17818912161da0a988bfa2706ad4ffd79c06ed169838dff05b4896b
                                                    SHA512: c7f865e28a108681bdae91060c2dbd228211914517857302c81b0a69bfedab2987640ae87f8f6231a20827c28dbae8408eae9da9166bba71f58936f06daf237a

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                                    Filesize: 342B
                                                    MD5: b92b9fbe478c6f25c51805fdf897ee38
                                                    SHA1: 3aa1e557e2adc44fb2fe552a748b890b9a6dedb8
                                                    SHA256: 13a37741d20a9f292f95d372bc874c05da35d68546a4a9c86b4e71b5e8888fc1
                                                    SHA512: 7b35ca2b9d0f68ec26acc22c2ff18bae376cd887d3929d40cab43decd09c8f9e280c5c5296c76b1653adc6961a7ea18536cedb7f3d03dc26698f89b47ec1e29a

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                                    Filesize: 342B
                                                    MD5: d93a74eef29e869fafbff175b1938c11
                                                    SHA1: eab5d1bfa83c484d48dac66e8bb432df5cabfb7a
                                                    SHA256: 2916b953a9a3d0ef85dd3139d5f9ebfca5277eef63f926692768e3aeac896dac
                                                    SHA512: 5cd020a38fffccc61488044562ebbc26951efcea71f4f69d8dcc0e919f5be01baf45c83134bcd6eb108e69bc8347098986aba9bb1cad9e4d9f0ad6dd2022822e

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                                    Filesize: 342B
                                                    MD5: 68bcd693be3ee11478eb6a1e1c8f693e
                                                    SHA1: a670d3e27f33e89f5b1701e388e0dece5de4938e
                                                    SHA256: d1844a2af1f908790e05762a2bf99dc53c745900e6b5f0c315a0215e9af6055b
                                                    SHA512

                                                    4cd61233e8635da481436fee8c5b8b89f4e8a17fb293db59e0b0e06428875add61943262e6a641ccdae390ccb659dbdf27ab5d3e5d1f8cf8902bf82acbe513d9

                                                  • C:\Users\Admin\AppData\Local\Temp\2zXOrWkEHk.bat

                                                    Filesize

                                                    198B

                                                    MD5

                                                    bdbe4275d20295818ad3a2dd0ef353c8

                                                    SHA1

                                                    1dde07811188b5b5da7407ec3e820b89ca1df5ee

                                                    SHA256

                                                    1051f048530ba62689e7bdee85392f9756ea49825e9c87650490b35632dd5e75

                                                    SHA512

                                                    6259b73c836841989e2f497107bbde658068a0029c4b050f8c9cd2cb9fb1d97f233a98347f7f0c99a48ee1cc77a56822680d7c216ac038956ee64fb00655d938

                                                  • C:\Users\Admin\AppData\Local\Temp\Cab2D78.tmp

                                                    Filesize

                                                    70KB

                                                    MD5

                                                    49aebf8cbd62d92ac215b2923fb1b9f5

                                                    SHA1

                                                    1723be06719828dda65ad804298d0431f6aff976

                                                    SHA256

                                                    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                                    SHA512

                                                    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                                  • C:\Users\Admin\AppData\Local\Temp\CrTeqwt2Oo.bat

                                                    Filesize

                                                    198B

                                                    MD5

                                                    392c310a182f393aafaf36fd3fefb772

                                                    SHA1

                                                    bd399226b2b21b9b342280bc55fa340113d7136c

                                                    SHA256

                                                    b54100cb6c815bf414362455160ca3a808c9aa9ea3ca19b763ae4ebd3a576bf5

                                                    SHA512

                                                    6a35ac2100ac97873cd75d6be76b09e70a43b363fd0b91b51ab3d472dee6cd0b233fdc49e633891440d14628cd409a54117beb7f43e6059adee33ccb35739ed2

                                                  • C:\Users\Admin\AppData\Local\Temp\GptcLQn9Ec.bat

                                                    Filesize

                                                    198B

                                                    MD5

                                                    6f746b844b3b37e3900ab75b63fca00b

                                                    SHA1

                                                    ba8147b9a617af4db8488fcc60fefb9398fea5cc

                                                    SHA256

                                                    a3b96afd533be06e4e059d096dd6261ce7e474410bb58b810f05d9ee0f6c9c53

                                                    SHA512

                                                    f06f578c23150061e7a26fde52d070982867c7ea8d10c051611a5a9872a4546bc7b329176cefc833b2b6e8b272664e75f06e6bd88fddf96d07062dc0b8b91785

                                                  • C:\Users\Admin\AppData\Local\Temp\Gt2U4zX4U5.bat

                                                    Filesize

                                                    198B

                                                    MD5

                                                    c8dc90fe8692eb9cb2f3c981f3e19a01

                                                    SHA1

                                                    907fec1163b3d02abc16ec4a82273c1b0ad0016f

                                                    SHA256

                                                    e0ea01ffa81e8258f949f3c2c2d0f0ea4a81c8e4ef012353178f403725523636

                                                    SHA512

                                                    0d95164e8ff55cf0b7c68e1a7c05472836f0af3ab7f6ff05e5e2c2ef6675a18a22cd519acd7f63c786d01669dd5ba34f6d31ffd2703e15d0258db2e6eb892c7a

                                                  • C:\Users\Admin\AppData\Local\Temp\O1BWw2qr2X.bat

                                                    Filesize

                                                    198B

                                                    MD5

                                                    445672a14d8acfb6926803f490580e2d

                                                    SHA1

                                                    f1e76d778fbd9b8784ef5e712458ba9f42006c5a

                                                    SHA256

                                                    89984305242ff00a60612e8d478750fb6dd2bd8a15866bda48b315718d5e0815

                                                    SHA512

                                                    b0e918e36a3cc46c221f83399f03f2d09157c796d15998afae325719056f26d9257c19a26c280a87f1a189cef70c2be950a76186c1dbbef1658bd5e5c9968f60

                                                  • C:\Users\Admin\AppData\Local\Temp\OZJpL0Zeaq.bat

                                                    Filesize

                                                    198B

                                                    MD5

                                                    569b0fa6ee93d5396f4fbf88e3193767

                                                    SHA1

                                                    24c28b1dd609dc0580c87e874bd3c8e969226e35

                                                    SHA256

                                                    caf3204c48439aca99797daa605050826a39e07dee881e5caed4d33e07cd34a3

                                                    SHA512

                                                    7eafbddda95835173fb70ba8f34a7c1abd25b971948c384d6cb91982cb1c5e1ee427f6dd80dfb60b1f00f2c0a9b5f1529afce82dc04cbe3e8b4715d2ae7d28af

                                                  • C:\Users\Admin\AppData\Local\Temp\Tar2D8B.tmp

                                                    Filesize

                                                    181KB

                                                    MD5

                                                    4ea6026cf93ec6338144661bf1202cd1

                                                    SHA1

                                                    a1dec9044f750ad887935a01430bf49322fbdcb7

                                                    SHA256

                                                    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                                                    SHA512

                                                    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                                  • C:\Users\Admin\AppData\Local\Temp\WRY5ahHPmz.bat

                                                    Filesize

                                                    198B

                                                    MD5

                                                    9105c62578497d2c107074c831f39966

                                                    SHA1

                                                    5e9f2d0ca15f7de51a4fb33c87763a5a39b00000

                                                    SHA256

                                                    cc55c4f4592d173903726ee622377ce5ed81d61d0f163f4ea077ac823d5982e2

                                                    SHA512

                                                    b7ffe977c2e94ea689cb215c1ecfb391f67efcb637b8e818ff455f0c7ad8cb79db02b85ae5501bcc626e77d03a5d990c3b50dd9ace6e39ac8b520091448611f9

                                                  • C:\Users\Admin\AppData\Local\Temp\b6uRiEqY03.bat

                                                    Filesize

                                                    198B

                                                    MD5

                                                    69877d72551af3a73293f83f739edb2a

                                                    SHA1

                                                    0c98ba648dd204391779f5526499ad6aa57ebc49

                                                    SHA256

                                                    e9ab1d40021280acf40898db98395cc7b8c0928578c7141c4f2268c098df34e2

                                                    SHA512

                                                    0d4c9adde491122bc19a58f522f7497648105becee6f457cf44e86124e3b65fafa506788e5eaab670222f2dec31b3b4e1c4ab0ee4f5fd95e72cbddfd4c7bdb92

                                                  • C:\Users\Admin\AppData\Local\Temp\hGpPWS23Hw.bat

                                                    Filesize

                                                    198B

                                                    MD5

                                                    4e73d9303677d40192ec11098dfb59da

                                                    SHA1

                                                    04925320aaffe005bab556683914b6096ca8967f

                                                    SHA256

                                                    6303e501fda193489b52ade1b2a559d4fbb6acb775658a6211c9b91bf0271035

                                                    SHA512

                                                    e627be47c11d505372637a0a34b3097bbe7304f17dce11191afb00316c3cd2fdee0e5767e58945780f23232d0754d71b3bdc540060fcc56c07c78e99ad99c71f

                                                  • C:\Users\Admin\AppData\Local\Temp\oS12nhm3yC.bat

                                                    Filesize

                                                    198B

                                                    MD5

                                                    0639fc178ff4b329d484949ca47caba8

                                                    SHA1

                                                    adfb69159a1391f4e5683d72ad2a77639f919b47

                                                    SHA256

                                                    1141e434a711b0f54421e98bc18260a9877202f326628f145e8cfa3c0b70c7af

                                                    SHA512

                                                    01c8d00528c26e9362d011cc82ebd4697895810c7cd382bb0d3b8ae1350e9e956d985dab0556ea1535574a196fa5abcb5d85721dd4693cba7b5e875192b25b7d

                                                  • C:\Users\Admin\AppData\Local\Temp\rHhDMS4c5i.bat

                                                    Filesize

                                                    198B

                                                    MD5

                                                    4904da82a1e0223df7f193105dd4116f

                                                    SHA1

                                                    e74c5db1def156f27ce34ad8d52caf4c34854cdb

                                                    SHA256

                                                    f843538f3e79954758bc49a3f44cbe993e9711c689a46976d5c1271933222ffe

                                                    SHA512

                                                    3ac3b7950da20ae332c55b20b666e7c449dc55652f3ab123621fbd94625aa49b803755dae5c4942167f3f6bce386cb48645c8aae8e13c8cd03050c07dbb47170

                                                  • C:\Users\Admin\AppData\Local\Temp\rmFq19iy8Y.bat

                                                    Filesize

                                                    198B

                                                    MD5

                                                    b6bd2c710f77c71d896da6adbfeb10ef

                                                    SHA1

                                                    a597d837e933e17c743e02283a07dc89be694a12

                                                    SHA256

                                                    4f9149dd2cb51c8af268cc9a0bf862705342085f69cd687eef815cc0183ced41

                                                    SHA512

                                                    aeee31bd9f965fea07f1f8862c71cbfb905377381a47e35aa93589ecd90797f6cca21aab7508574468b279a3477138dfd77e471e41e3054d58ad1ebd61a7a980

                                                  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                                    Filesize

                                                    7KB

                                                    MD5

                                                    4b1be4aff8d6b302ba95fa623fd5d3b8

                                                    SHA1

                                                    4b2b680d868533afbb29394e6c86dde4f12ef583

                                                    SHA256

                                                    777ca6e0cce8bf02e9d544c2a9672a08c591206a5d9bfe36d46c1c06c59db470

                                                    SHA512

                                                    9338f47d25316608e7d809da0b235622d3441a871edb81d8c075c0596ac57456e62697be7173612b637d13f728b8fd7e6d89515e700433575febcd92085855d2

                                                  • C:\providercommon\1zu9dW.bat

                                                    Filesize

                                                    36B

                                                    MD5

                                                    6783c3ee07c7d151ceac57f1f9c8bed7

                                                    SHA1

                                                    17468f98f95bf504cc1f83c49e49a78526b3ea03

                                                    SHA256

                                                    8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

                                                    SHA512

                                                    c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                                  • C:\providercommon\DllCommonsvc.exe

                                                    Filesize

                                                    1.0MB

                                                    MD5

                                                    bd31e94b4143c4ce49c17d3af46bcad0

                                                    SHA1

                                                    f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                                    SHA256

                                                    b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                                    SHA512

                                                    f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                                  • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                                    Filesize

                                                    197B

                                                    MD5

                                                    8088241160261560a02c84025d107592

                                                    SHA1

                                                    083121f7027557570994c9fc211df61730455bb5

                                                    SHA256

                                                    2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

                                                    SHA512

                                                    20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                                  • memory/1236-336-0x0000000000C50000-0x0000000000D60000-memory.dmp

                                                    Filesize

                                                    1.1MB

                                                  • memory/1656-755-0x0000000000650000-0x0000000000662000-memory.dmp

                                                    Filesize

                                                    72KB

                                                  • memory/1656-754-0x0000000000BD0000-0x0000000000CE0000-memory.dmp

                                                    Filesize

                                                    1.1MB

                                                  • memory/1744-516-0x0000000001180000-0x0000000001290000-memory.dmp

                                                    Filesize

                                                    1.1MB

                                                  • memory/2052-276-0x0000000000070000-0x0000000000180000-memory.dmp

                                                    Filesize

                                                    1.1MB

                                                  • memory/2228-158-0x0000000000460000-0x0000000000472000-memory.dmp

                                                    Filesize

                                                    72KB

                                                  • memory/2228-157-0x0000000000F30000-0x0000000001040000-memory.dmp

                                                    Filesize

                                                    1.1MB

                                                  • memory/2356-17-0x0000000000A20000-0x0000000000A2C000-memory.dmp

                                                    Filesize

                                                    48KB

                                                  • memory/2356-16-0x0000000000460000-0x000000000046C000-memory.dmp

                                                    Filesize

                                                    48KB

                                                  • memory/2356-15-0x0000000000470000-0x000000000047C000-memory.dmp

                                                    Filesize

                                                    48KB

                                                  • memory/2356-14-0x0000000000450000-0x0000000000462000-memory.dmp

                                                    Filesize

                                                    72KB

                                                  • memory/2356-13-0x0000000000D00000-0x0000000000E10000-memory.dmp

                                                    Filesize

                                                    1.1MB

                                                  • memory/2624-397-0x0000000000440000-0x0000000000452000-memory.dmp

                                                    Filesize

                                                    72KB

                                                  • memory/2624-396-0x00000000010A0000-0x00000000011B0000-memory.dmp

                                                    Filesize

                                                    1.1MB

                                                  • memory/2664-63-0x000000001B840000-0x000000001BB22000-memory.dmp

                                                    Filesize

                                                    2.9MB

                                                  • memory/2664-64-0x0000000001EE0000-0x0000000001EE8000-memory.dmp

                                                    Filesize

                                                    32KB

                                                  • memory/2748-694-0x0000000000240000-0x0000000000350000-memory.dmp

                                                    Filesize

                                                    1.1MB