Analysis

  • max time kernel
    145s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags
    arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system
  • submitted
    21-12-2024 20:14

General

  • Target

    JaffaCakes118_9c589596888515924b85bd2510f7faab0a1cd8a992b6363ace3c9f6852b10c51.exe

  • Size

    1.3MB

  • MD5

    77a3ee4f03b385ed4de69f367c07c3b6

  • SHA1

    a6bd818f8a68d6ea0acf6d270a3366fc85f925e1

  • SHA256

    9c589596888515924b85bd2510f7faab0a1cd8a992b6363ace3c9f6852b10c51

  • SHA512

    d9fdb616926305cc510ab54e4ee4b6de0cae87b2e1610e59b5546c891f25fd151299da26d7ee75f937e0f4d8ad20148d7f3b85caca8d1940ed625a9ad44a627d

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Signatures

  • DcRat

    DarkCrystal (DC) is a .NET RAT, active since June 2019, that is capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 51 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 9 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 11 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 38 IoCs
  • Suspicious use of AdjustPrivilegeToken 30 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9c589596888515924b85bd2510f7faab0a1cd8a992b6363ace3c9f6852b10c51.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9c589596888515924b85bd2510f7faab0a1cd8a992b6363ace3c9f6852b10c51.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2212
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2840
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2964
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2580
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2376
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Music\services.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:916
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\OSPPSVC.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2192
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1rrT6S9XIJ.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2784
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:1244
              • C:\providercommon\DllCommonsvc.exe
                "C:\providercommon\DllCommonsvc.exe"
                6⤵
                • Executes dropped EXE
                • Drops file in Program Files directory
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:596
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2724
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2760
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2820
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office14\1033\taskhost.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2964
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2984
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\winlogon.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1576
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\SpeechEngines\DllCommonsvc.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2200
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\OSPPSVC.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2980
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2328
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\lsass.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:584
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsass.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2768
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Music\sppsvc.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2196
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\fr-FR\smss.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2916
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\es-ES\System.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2192
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\en-US\System.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2776
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\Services\WmiPrvSE.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1148
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RF07RVHSBH.bat"
                  7⤵
                    PID:2416
                    • C:\Windows\system32\w32tm.exe
                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                      8⤵
                        PID:2440
                      • C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsass.exe
                        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsass.exe"
                        8⤵
                        • Executes dropped EXE
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2720
                        • C:\Windows\System32\cmd.exe
                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JCnMdX7E06.bat"
                          9⤵
                            PID:1720
                            • C:\Windows\system32\w32tm.exe
                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                              10⤵
                                PID:1352
                              • C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsass.exe
                                "C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsass.exe"
                                10⤵
                                • Executes dropped EXE
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of AdjustPrivilegeToken
                                PID:2356
                                • C:\Windows\System32\cmd.exe
                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GRgsn2v6O3.bat"
                                  11⤵
                                    PID:2468
                                    • C:\Windows\system32\w32tm.exe
                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                      12⤵
                                        PID:2220
                                      • C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsass.exe
                                        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsass.exe"
                                        12⤵
                                        • Executes dropped EXE
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:2752
                                        • C:\Windows\System32\cmd.exe
                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iS8tBRk2Vg.bat"
                                          13⤵
                                            PID:624
                                            • C:\Windows\system32\w32tm.exe
                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                              14⤵
                                                PID:1560
                                              • C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsass.exe
                                                "C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsass.exe"
                                                14⤵
                                                • Executes dropped EXE
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:2168
                                                • C:\Windows\System32\cmd.exe
                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\paq62miIo8.bat"
                                                  15⤵
                                                    PID:1932
                                                    • C:\Windows\system32\w32tm.exe
                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                      16⤵
                                                        PID:2852
                                                      • C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsass.exe
                                                        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsass.exe"
                                                        16⤵
                                                        • Executes dropped EXE
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:2872
                                                        • C:\Windows\System32\cmd.exe
                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yyRUJOSyqo.bat"
                                                          17⤵
                                                            PID:1256
                                                            • C:\Windows\system32\w32tm.exe
                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                              18⤵
                                                                PID:2348
                                                              • C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsass.exe
                                                                "C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsass.exe"
                                                                18⤵
                                                                • Executes dropped EXE
                                                                • Suspicious behavior: EnumeratesProcesses
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:2312
                                                                • C:\Windows\System32\cmd.exe
                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9Z120WfzwF.bat"
                                                                  19⤵
                                                                    PID:1488
                                                                    • C:\Windows\system32\w32tm.exe
                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                      20⤵
                                                                        PID:2592
                                                                      • C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsass.exe
                                                                        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsass.exe"
                                                                        20⤵
                                                                        • Executes dropped EXE
                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        PID:1796
                                                                        • C:\Windows\System32\cmd.exe
                                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\b7oBPqXqtO.bat"
                                                                          21⤵
                                                                            PID:2780
                                                                            • C:\Windows\system32\w32tm.exe
                                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                              22⤵
                                                                                PID:2472
                                                                              • C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsass.exe
                                                                                "C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsass.exe"
                                                                                22⤵
                                                                                • Executes dropped EXE
                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                PID:2856
                                                                                • C:\Windows\System32\cmd.exe
                                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uuaNNDTqg5.bat"
                                                                                  23⤵
                                                                                    PID:1784
                                                                                    • C:\Windows\system32\w32tm.exe
                                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                      24⤵
                                                                                        PID:2288
                                                                                      • C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsass.exe
                                                                                        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsass.exe"
                                                                                        24⤵
                                                                                        • Executes dropped EXE
                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                        PID:1268
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Music\services.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:780
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Admin\Music\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3052
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Music\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2188
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\OSPPSVC.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2200
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\OSPPSVC.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2528
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\OSPPSVC.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2996
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2112
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2356
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2372
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1936
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:684
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2384
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\Office14\1033\taskhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2464
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1068
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office\Office14\1033\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1624
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2300
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:272
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1020
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\providercommon\winlogon.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1968
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
    1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1780
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1804
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 12 /tr "'C:\Program Files\Common Files\SpeechEngines\DllCommonsvc.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2008
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files\Common Files\SpeechEngines\DllCommonsvc.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1952
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 14 /tr "'C:\Program Files\Common Files\SpeechEngines\DllCommonsvc.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1548
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\OSPPSVC.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2472
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\OSPPSVC.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:784
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\OSPPSVC.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:3012
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:3016
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1652
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:992
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\lsass.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:3004
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\lsass.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1496
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\lsass.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1056
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsass.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2976
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsass.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1608
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsass.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2656
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Music\sppsvc.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2380
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Admin\Music\sppsvc.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2852
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Music\sppsvc.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2680
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Journal\fr-FR\smss.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2840
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\fr-FR\smss.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:3040
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Journal\fr-FR\smss.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1760
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\System.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:976
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\System.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2524
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\System.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2160
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Journal\en-US\System.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2816
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\en-US\System.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2588
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Journal\en-US\System.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1784
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Program Files\Common Files\Services\WmiPrvSE.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2060
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Common Files\Services\WmiPrvSE.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1320
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\Services\WmiPrvSE.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1692
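The schtasks.exe calls above are the sample's persistence layer. Every dropped copy is registered three times: once ONLOGON with /rl HIGHEST, and twice on a MINUTE trigger (one of them again with /rl HIGHEST), so the payload is relaunched at logon and restarted within minutes if it is killed. The copies borrow the names of genuine Windows binaries (csrss.exe, lsass.exe, smss.exe, winlogon.exe, taskhost.exe, WmiPrvSE.exe) while living under C:\Recovery, C:\MSOCache, C:\providercommon and assorted Program Files subfolders, which is the trait that separates them from legitimate tasks. As an added example that is not part of the sandbox report, the Python below parses `schtasks /create` command lines of this shape (as an EDR or Sysmon process-creation feed would deliver them) and flags the masquerade, the HIGHEST run level and the repeating trigger. The three malicious lines are copied from the tree above; the allow-list of genuine directories and the two benign lines are constructed for illustration.

```python
"""Triage `schtasks /create` command lines for DCRat-style persistence.

Added example, not code from the report or from the malware. The malicious
sample lines are copied from the process tree; GENUINE_DIRS and the benign
lines are assumptions made for illustration.
"""
import ntpath
import re
from typing import Dict, List, Optional

# Windows binaries whose names the sample reuses, mapped to the directories the
# real binary lives in (assumption: a short allow-list, not an exhaustive one).
GENUINE_DIRS: Dict[str, set] = {
    "csrss.exe": {r"c:\windows\system32"},
    "lsass.exe": {r"c:\windows\system32"},
    "smss.exe": {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
    "taskhost.exe": {r"c:\windows\system32"},
    "audiodg.exe": {r"c:\windows\system32"},
    "sppsvc.exe": {r"c:\windows\system32"},
    "wmiprvse.exe": {r"c:\windows\system32\wbem", r"c:\windows\syswow64\wbem"},
}

# Captures /tn "name", /sc MINUTE, /mo 12, /tr "'C:\path\x.exe'" and /rl HIGHEST.
_SWITCH = re.compile(r'/(tn|sc|mo|tr|rl)\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)


def parse_schtasks_create(cmdline: str) -> Optional[Dict[str, str]]:
    """Return the switches of a `schtasks /create` line, or None for any other command."""
    if not re.search(r"\bschtasks(?:\.exe)?\s+/create\b", cmdline, re.IGNORECASE):
        return None
    task = {"tn": "", "sc": "", "mo": "", "tr": "", "rl": "LIMITED"}  # LIMITED is schtasks' default
    for m in _SWITCH.finditer(cmdline):
        value = m.group(2) if m.group(2) is not None else m.group(3)
        # The sample wraps the target path in single quotes inside the double quotes.
        task[m.group(1).lower()] = value.strip("'")
    return task


def is_masquerade(target: str) -> bool:
    """True when the target carries a system-binary name but sits outside that binary's directory."""
    name = ntpath.basename(target).lower()
    parent = ntpath.dirname(target).lower().rstrip("\\")
    return name in GENUINE_DIRS and parent not in GENUINE_DIRS[name]


def assess(task: Dict[str, str]) -> List[str]:
    """Reasons a parsed task resembles the persistence in the report (empty list = nothing odd)."""
    reasons = []
    if is_masquerade(task["tr"]):
        reasons.append(f"{ntpath.basename(task['tr'])} launched from {ntpath.dirname(task['tr'])!r}")
    if task["rl"].upper() == "HIGHEST":
        reasons.append("runs at highest available integrity (/rl HIGHEST)")
    if task["sc"].upper() == "MINUTE" and task["mo"].isdigit():
        reasons.append(f"re-launched every {task['mo']} min (restart-if-killed)")
    if task["sc"].upper() == "ONLOGON":
        reasons.append("re-launched at every logon")
    return reasons


def triage(cmdlines: List[str]) -> List[Dict[str, object]]:
    """Parse each command line and keep only the tasks with at least one finding."""
    findings = []
    for line in cmdlines:
        task = parse_schtasks_create(line)
        if task is None:
            continue
        reasons = assess(task)
        if reasons:
            findings.append({"task": task["tn"], "target": task["tr"],
                             "masquerade": is_masquerade(task["tr"]), "reasons": reasons})
    return findings


# First three lines copied from the report's process tree; last two constructed as controls.
SAMPLE_CMDLINES = [
    r'''schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsass.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Program Files\Common Files\Services\WmiPrvSE.exe'" /f''',
    r'''schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Program Files\Acme\backup.exe" /f''',  # constructed, benign
    r'''schtasks.exe /query /tn "NightlyBackup"''',  # constructed, not a /create
]

if __name__ == "__main__":
    for f in triage(SAMPLE_CMDLINES):
        print(f"[{'HIGH' if f['masquerade'] else 'low'}] {f['task']} -> {f['target']}")
        for r in f["reasons"]:
            print("    -", r)
```

The masquerade check is the discriminating signal; /rl HIGHEST and MINUTE triggers occur in legitimate tasks too, so they are reported as supporting reasons rather than on their own. On a live host the same checks can be fed from Sysmon event ID 1 (Image ending in schtasks.exe, CommandLine containing /create) or from the XML under C:\Windows\System32\Tasks, where the task's Exec/Command element holds the same target path.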

                                        Network

                                        MITRE ATT&CK Enterprise v15

                                        Downloads

                                        • C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\1610b97d3ab4a7

                                          Filesize

                                          605B

                                          MD5

                                          cc9d704c0c3c092e474f0c3ef52c768d

                                          SHA1

                                          d73c2b7f4e8efe5ec6dbc58b110eacb35c93920d

                                          SHA256

                                          c116c9f105664ef936fbd5d19874672db39f1542a714be21c89eb8d9287666e5

                                          SHA512

                                          8e0ceca4c455f51beea218c3acac9eb521ba3f4af63157d342804adfc5715b0c42bfde69ef4258c1625f4d63e3e94e29b67c35bcb4f0cadafb4161b7e6c35311

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                          Filesize

                                          342B

                                          MD5

                                          371e06d4c6d93b6c13fe68fecfefc1d3

                                          SHA1

                                          c59df3ff3fbf1eec3dbe96fd429c1a7b344ff8a4

                                          SHA256

                                          a4f6c2539cd7cdb851c8ff7d1fe1006e129687f4562fe2b51f0982f22ddd600b

                                          SHA512

                                          87c63d86a91326de33d1cd5cbb28cb112e107645e9e806ac802966f62566e9f76d6ff858c05c231281d574fb902e8bbdc0bf2706cd8dd66832b5a44e0998dd23

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                          Filesize

                                          342B

                                          MD5

                                          7392ade6e85a68d3df7899b97a7761ff

                                          SHA1

                                          d7894523250e923244649ab63f85082c3a2028b1

                                          SHA256

                                          8ab2ad504062ba83f182e8a9e279a9bed45e350b98865ca18eb600e42c9215ba

                                          SHA512

                                          03e7f0e97306841f55e1dbea17546dbaa9a74bf31f14248fc4d0976985514822e37ff20eb432ceae7c8cb14640d37ef57f9777bf743349314d7b33fc376e2fde

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                          Filesize

                                          342B

                                          MD5

                                          04c11a3c2158f940f6adedd28a43e7f6

                                          SHA1

                                          df9ba04574befb62652ba734d2f54fe6a8e86e1d

                                          SHA256

                                          296ad3dabb0921ad909b01974deb25cca12f1910ee8052baac10a71e893dd3f7

                                          SHA512

                                          544b6ab32c810d4e33f08682d56debd907b5e107c897b95f9ab54103853e85544c525bd8767f1b51a5c10b2e5f3c33f74f46fbe78e16f3e17a3e7b80ac770edf

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                          Filesize

                                          342B

                                          MD5

                                          e165825938bd48a3b6399229ab0a8a66

                                          SHA1

                                          35e44379560acd7fba45a2819f2ea1119fb7bcd8

                                          SHA256

                                          a59c81680cf290f0f49574c2bae8975d811fe242169767cfccf03db78936dc89

                                          SHA512

                                          a044132138ef11149c97b2d099e9c1dbc217af846c0f7785383ae6f69b945ba477ba1bcc1afdc5f34d6433748e640e5745683b8761d524b3af8c5533326c34ee

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                          Filesize

                                          342B

                                          MD5

                                          70ec68f5752fc3928e2ce80ef063eb9b

                                          SHA1

                                          09aea04e0fb235a8b3aaa8a4790ba6a8205328b3

                                          SHA256

                                          bdd55a8f62583722282aafa39a07d6d57f6f46a765548e33e093a9b676195a1a

                                          SHA512

                                          8863a23beb656cadd4c0618a4c64863814277346402371d0defadb95a8897aa6aec0710844f34bd121474cd2aaca7e9ceae3b8847102d161446b1acd2f2eb108

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                          Filesize

                                          342B

                                          MD5

                                          6bcfd744aeb6f37016682ab7bc31e7b3

                                          SHA1

                                          084ca96f8d651c46a900926101174a05e3fd29e6

                                          SHA256

                                          8564dabed73ef22c5434b9c38232a91a6f3e172335a037de8c853db0c7435349

                                          SHA512

                                          19c1c3f90e0eab16490f21a3f5b6a4d82b8601a2df31409d4fba8d9821d0fca9eb7bc4112bcc2edf341fbe706b5893ed8c221e7910afa99b36d1e3dd778a5ea6

                                        • C:\Users\Admin\AppData\Local\Temp\1rrT6S9XIJ.bat

                                          Filesize

                                          199B

                                          MD5

                                          6cc11e63639976c8ba8dd5d61e3254e0

                                          SHA1

                                          17548508a6d58f713c087df4e4972706e70b292a

                                          SHA256

                                          026d5b626eda6b896922be5737ee6e1e036fb5f69a8e8e2e520b335a75c672c1

                                          SHA512

                                          2023e91469486bb9cd7b32c36a9a1e6d95e11bd7c868ef41b667690b40f7b0b2c247c5097d02373f98c018174bdfe9c4c3607b99506cd589822fc6c5ad7dcf61

                                        • C:\Users\Admin\AppData\Local\Temp\9Z120WfzwF.bat

                                          Filesize

                                          230B

                                          MD5

                                          c99377d35445a7989814ae1eea8dd853

                                          SHA1

                                          77ffc5d72ef07e70366bb5e417a69510ddea1286

                                          SHA256

                                          34889b3c6f8ae6580e6c18f7ce0cda2d38871bb3648b39d6ebcedcf2ed497542

                                          SHA512

                                          0a3bea9dd2af3751435e858ed78650b3b8d841923026c6ced01b247559a80a4948596b64be2b0b7d21789e04a886ad416c5e80db534b1f9655add762f45b0f72

                                        • C:\Users\Admin\AppData\Local\Temp\Cab8097.tmp

                                          Filesize

                                          70KB

                                          MD5

                                          49aebf8cbd62d92ac215b2923fb1b9f5

                                          SHA1

                                          1723be06719828dda65ad804298d0431f6aff976

                                          SHA256

                                          b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                          SHA512

                                          bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                        • C:\Users\Admin\AppData\Local\Temp\GRgsn2v6O3.bat

                                          Filesize

                                          230B

                                          MD5

                                          ecc18fc7af10140d11c5eaa5c917193b

                                          SHA1

                                          9233bc1fce280da01e000835f4f2169d736fb4fa

                                          SHA256

                                          eb2800d76cde02a3c695a289f45bd2e0bd8292a2c1649e2c08f47d653988d690

                                          SHA512

                                          ea361a7459055554599f29d5e5464d79e9bfa8678cfda8d581481cd5112f8132095bbba6211fac7663a31c125694567c625e187847c3cfb4b782bf33bbc1063f

                                        • C:\Users\Admin\AppData\Local\Temp\JCnMdX7E06.bat

                                          Filesize

                                          230B

                                          MD5

                                          811f9b3931ac892b9fb059f8c05120d0

                                          SHA1

                                          ea1d1f9bc86257e6fbefb1da39a33179683c8432

                                          SHA256

                                          71d86af6eed407fa16c691a6024f7550f07b2525105c53222f5f36e3eaab1bc3

                                          SHA512

                                          c18689553ce7a229378fc14918d66d52db506c511b61b585dd62d57ece7b4a27890457816d750f97f29a2834224def83d2c4562a633df0503d09e2ccfa74204c

                                        • C:\Users\Admin\AppData\Local\Temp\RF07RVHSBH.bat

                                          Filesize

                                          230B

                                          MD5

                                          db55dfd3286801e51c51d0051bc3d822

                                          SHA1

                                          d9cd8e67e8504d1a00e9287734b2dff105dbe1ab

                                          SHA256

                                          655c3ee85cef178448ecc55596e4ca8c91c9574573225f755a3d56eef325134f

                                          SHA512

                                          580a115ee8adc1605be19af2bd08e3a9373d32d6e951f82a669d73ff5ef6b323b1b0bbc8cbeb30be3e8f352f091a981f35ebdb5dfdcf5fe7d81a5e100b159933

                                        • C:\Users\Admin\AppData\Local\Temp\Tar80AA.tmp

                                          Filesize

                                          181KB

                                          MD5

                                          4ea6026cf93ec6338144661bf1202cd1

                                          SHA1

                                          a1dec9044f750ad887935a01430bf49322fbdcb7

                                          SHA256

                                          8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                                          SHA512
