Analysis

  • max time kernel
    147s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
  • submitted
    21-12-2024 21:12

General

  • Target

    JaffaCakes118_049e30ee53d3c7805dec407f0a2a6c1209c1d93fbf8d5bbfad66677aa4194389.exe

  • Size

    1.3MB

  • MD5

    ea810a3185582eb2ecc3fb665b1ec6f7

  • SHA1

    6aa04bba789cd526cd08d2598e4083149dff0830

  • SHA256

    049e30ee53d3c7805dec407f0a2a6c1209c1d93fbf8d5bbfad66677aa4194389

  • SHA512

    9e3babf4345d4c46675927d128126c51f4d90e8431128a2391c5fe377560618add6c3972c49d2c9bb05202e1679165dfc4f3111ed290ab3911d9b4a117bf084f

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 48 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 12 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs

    PowerShell is run to modify Windows Defender settings by adding exclusions for file extensions, paths or processes.

  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs
  • Drops file in Program Files directory 16 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the victim's system language in order to infer the geographical location of the host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious use of AdjustPrivilegeToken 28 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
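
The two persistence-related signatures above (Defender exclusions added through PowerShell, and schtasks-based persistence) can be triaged straight from process-creation command lines. The Python script below is an added example, not part of the sandbox report or of the DCRat tooling. Its rule logic (flag Add-MpPreference exclusions, flag schtasks /create with /rl HIGHEST, and flag any target that reuses a Windows system-binary name outside System32/SysWOW64) is this editor's own choice of what is worth alerting on; the sample command lines are copied from the process tree in this report, with one benign w32tm line included to show a non-match.

```python
"""Triage helper: flag Defender-exclusion and schtasks persistence in process command lines.

Added example, not part of the sandbox report or the malware's own code.
The rules reflect behaviour visible in this report's process tree.
"""
import re
from dataclasses import dataclass

# Real Windows binaries whose names this dropper reuses for its copies
# (csrss.exe, winlogon.exe, lsm.exe ... placed under Program Files, Recovery, etc.).
SYSTEM_BINARY_NAMES = {
    "winlogon.exe", "csrss.exe", "lsm.exe", "smss.exe", "services.exe",
    "wininit.exe", "dllhost.exe", "spoolsv.exe", "sppsvc.exe", "audiodg.exe",
    "conhost.exe", "wmiprvse.exe",
}
# Directories where those names legitimately live (lower-case, no trailing slash).
# Assumption: a copy anywhere else is masquerading.
LEGIT_DIRS = {
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\windows\system32\wbem",
}

EXCLUSION_RE = re.compile(
    r"add-mppreference\s+-exclusion(path|process|extension)\s+'([^']+)'", re.I)
SCHTASKS_CREATE_RE = re.compile(r"\bschtasks(?:\.exe)?\b.*\s/create\b", re.I)


@dataclass
class Finding:
    rule: str      # "defender_exclusion" or "scheduled_task"
    target: str    # path or value the attacker is protecting / persisting
    detail: str    # human-readable reasons, joined with "; "


def is_masquerading(path: str) -> bool:
    """True when a well-known system binary name sits outside its legitimate directory."""
    p = path.strip().lower().replace("/", "\\")
    parent, _, name = p.rpartition("\\")
    return name in SYSTEM_BINARY_NAMES and parent not in LEGIT_DIRS


def _flag_value(cmd: str, flag: str):
    """Return the argument after /<flag>, honouring double quotes and stripping the
    inner single quotes that the schtasks lines in this report use; None if absent."""
    m = re.search(rf'(?i)\s/{flag}\s+("[^"]*"|\S+)', cmd)
    return m.group(1).strip('"').strip("'") if m else None


def analyse_command_line(cmd: str) -> list:
    """Apply both rules to one command line and return zero or more Findings."""
    findings = []

    m = EXCLUSION_RE.search(cmd)
    if m:
        kind, value = m.group(1).lower(), m.group(2)
        reasons = [f"Defender exclusion ({kind}) added from the command line"]
        if kind == "path" and is_masquerading(value):
            reasons.append("excluded path masquerades as a system binary")
        findings.append(Finding("defender_exclusion", value, "; ".join(reasons)))

    if SCHTASKS_CREATE_RE.search(cmd):
        target = _flag_value(cmd, "tr") or "<no /tr>"
        name = _flag_value(cmd, "tn") or "<no /tn>"
        schedule = _flag_value(cmd, "sc") or "?"
        modifier = _flag_value(cmd, "mo")
        runlevel = _flag_value(cmd, "rl")
        reasons = [f"task {name!r} schedule {schedule}" + (f" every {modifier}" if modifier else "")]
        if runlevel and runlevel.upper() == "HIGHEST":
            reasons.append("runs with highest privileges (/rl HIGHEST)")
        if is_masquerading(target):
            reasons.append("task target masquerades as a system binary")
        findings.append(Finding("scheduled_task", target, "; ".join(reasons)))

    return findings


def triage(command_lines) -> list:
    """Run every rule over each command line and return all findings in input order."""
    return [f for cmd in command_lines for f in analyse_command_line(cmd)]


# Command lines copied from the process tree in this report, plus one benign w32tm line.
SAMPLE_COMMAND_LINES = [
    '"powershell" -Command ' r"Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'",
    '"powershell" -Command ' r"Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\winlogon.exe'",
    r"""schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\Idle.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\csrss.exe'" /f""",
    "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_COMMAND_LINES):
        print(f"[{f.rule}] {f.target}\n    {f.detail}")
```

Run against the report's own command lines, the script yields four findings: both exclusions (the second one flagged because winlogon.exe does not belong under Program Files), the "Idle" task flagged for /rl HIGHEST, and the "csrssc" task flagged because its target reuses the csrss.exe name under a Mozilla-looking directory; the w32tm line produces nothing. The Finding records map directly onto the IoCs a responder would pull from Get-MpPreference and Get-ScheduledTask on a live host.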

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_049e30ee53d3c7805dec407f0a2a6c1209c1d93fbf8d5bbfad66677aa4194389.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_049e30ee53d3c7805dec407f0a2a6c1209c1d93fbf8d5bbfad66677aa4194389.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2748
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2960
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2580
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1708
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2504
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\Idle.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1648
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\services.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            PID:2092
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2772
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2800
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\dllhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2752
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ja-JP\wininit.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1508
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\sppsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1540
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\WmiPrvSE.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1640
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\Idle.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1544
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dllhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2708
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2756
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\audiodg.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2712
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\smss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2564
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\conhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2832
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\winlogon.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2844
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2940
          • C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\winlogon.exe
            "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\winlogon.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:792
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\asjVMp8zxr.bat"
              6⤵
                PID:2140
                • C:\Windows\system32\w32tm.exe
                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                  7⤵
                    PID:1664
                  • C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\winlogon.exe
                    "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\winlogon.exe"
                    7⤵
                    • Executes dropped EXE
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1300
                    • C:\Windows\System32\cmd.exe
                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UWW2tbEWSD.bat"
                      8⤵
                        PID:2240
                        • C:\Windows\system32\w32tm.exe
                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                          9⤵
                            PID:2764
                          • C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\winlogon.exe
                            "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\winlogon.exe"
                            9⤵
                            • Executes dropped EXE
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            PID:2256
                            • C:\Windows\System32\cmd.exe
                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BAWHCtE00Z.bat"
                              10⤵
                                PID:2768
                                • C:\Windows\system32\w32tm.exe
                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                  11⤵
                                    PID:1708
                                  • C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\winlogon.exe
                                    "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\winlogon.exe"
                                    11⤵
                                    • Executes dropped EXE
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:2680
                                    • C:\Windows\System32\cmd.exe
                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qRj2XQE6t6.bat"
                                      12⤵
                                        PID:1736
                                        • C:\Windows\system32\w32tm.exe
                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                          13⤵
                                            PID:1664
                                          • C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\winlogon.exe
                                            "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\winlogon.exe"
                                            13⤵
                                            • Executes dropped EXE
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:3064
                                            • C:\Windows\System32\cmd.exe
                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TfYr4aOzGb.bat"
                                              14⤵
                                                PID:2044
                                                • C:\Windows\system32\w32tm.exe
                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                  15⤵
                                                    PID:596
                                                  • C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\winlogon.exe
                                                    "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\winlogon.exe"
                                                    15⤵
                                                    • Executes dropped EXE
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:3060
                                                    • C:\Windows\System32\cmd.exe
                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hfpeQ4JfvC.bat"
                                                      16⤵
                                                        PID:2488
                                                        • C:\Windows\system32\w32tm.exe
                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                          17⤵
                                                            PID:2748
                                                          • C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\winlogon.exe
                                                            "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\winlogon.exe"
                                                            17⤵
                                                            • Executes dropped EXE
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:800
                                                            • C:\Windows\System32\cmd.exe
                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IPU7rAfrPc.bat"
                                                              18⤵
                                                                PID:2912
                                                                • C:\Windows\system32\w32tm.exe
                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                  19⤵
                                                                    PID:576
                                                                  • C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\winlogon.exe
                                                                    "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\winlogon.exe"
                                                                    19⤵
                                                                    • Executes dropped EXE
                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    PID:944
                                                                    • C:\Windows\System32\cmd.exe
                                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IJ9EkrtYDM.bat"
                                                                      20⤵
                                                                        PID:1744
                                                                        • C:\Windows\system32\w32tm.exe
                                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                          21⤵
                                                                            PID:1908
                                                                          • C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\winlogon.exe
                                                                            "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\winlogon.exe"
                                                                            21⤵
                                                                            • Executes dropped EXE
                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:1720
                                                                            • C:\Windows\System32\cmd.exe
                                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rgoiaSdxpd.bat"
                                                                              22⤵
                                                                                PID:1004
                                                                                • C:\Windows\system32\w32tm.exe
                                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                  23⤵
                                                                                    PID:2544
                                                                                  • C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\winlogon.exe
                                                                                    "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\winlogon.exe"
                                                                                    23⤵
                                                                                    • Executes dropped EXE
                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                    PID:1432
                                                                                    • C:\Windows\System32\cmd.exe
                                                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PliZKNaLvF.bat"
                                                                                      24⤵
                                                                                        PID:352
                                                                                        • C:\Windows\system32\w32tm.exe
                                                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                          25⤵
                                                                                            PID:2364
                                                                                          • C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\winlogon.exe
                                                                                            "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\winlogon.exe"
                                                                                            25⤵
                                                                                            • Executes dropped EXE
                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                            PID:1192
                                                                                            • C:\Windows\System32\cmd.exe
                                                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\f4KPDhjeqr.bat"
                                                                                              26⤵
                                                                                                PID:2084
                                                                                                • C:\Windows\system32\w32tm.exe
                                                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                  27⤵
                                                                                                    PID:2012
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Portable Devices\Idle.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:536
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:332
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:800
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\services.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2128
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2520
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:280
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\providercommon\lsm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2376
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2904
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1740
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2852
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2892
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2920
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\dllhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1724
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1720
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2184
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Windows\ja-JP\wininit.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3064
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\ja-JP\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:400
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Windows\ja-JP\wininit.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1872
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\sppsvc.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1860
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\sppsvc.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1588
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\sppsvc.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:784
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\WmiPrvSE.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2984
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\WmiPrvSE.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:924
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\WmiPrvSE.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2196
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files\Internet Explorer\Idle.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2440
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\Idle.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2456
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files\Internet Explorer\Idle.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2232
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dllhost.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1288
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dllhost.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1416
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dllhost.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1196
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1112
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:768
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2992
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\audiodg.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1884
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1228
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:976
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\smss.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:760
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\smss.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1892
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\smss.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1376
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\conhost.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:648
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\conhost.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2140
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\conhost.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2300
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\winlogon.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2032
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\winlogon.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2368
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\winlogon.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1156
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\providercommon\spoolsv.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2508
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2344
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2272

                                              Network

                                              MITRE ATT&CK Enterprise v15

                                              Downloads

                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                Filesize

                                                342B

                                                MD5

                                                ba11f549b5fffdd949124970dd3860fb

                                                SHA1

                                                f9f99bb6e310a139377b588eed7db6ca5c10ad45

                                                SHA256

                                                7e96131eca7acd1e1de91b8a57b88d8865dfc904262358ff6408bfd9f81ec459

                                                SHA512

                                                e751c063e39e117690002f1fdf3f0d185dcc81281e62b84ce8b1deccfceb2fc4ae9a4e8fa43625436d3cc84dd19d054bd95a2e24c0e8159dc886c3c4b1b4def6

                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                Filesize

                                                342B

                                                MD5

                                                208b68ccce3782703f7b6acf1e80a916

                                                SHA1

                                                4dd853b17818ffe28e567b0a9e8bf4c1e42782c5

                                                SHA256

                                                1408346386c369f07663a47014c619b39f26735cee0187547d7e3ce0054de099

                                                SHA512

                                                d008b41cf03e6ba304a0c09ce46592c547cae92824a3d4b081c4db23624fc295fe3843855cde6432b4e118b4ec93dae9f6db2a74b34a9f5b4cf1313e03331478

                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                Filesize

                                                342B

                                                MD5

                                                7915dc9992b367a2455615789fbf5b8f

                                                SHA1

                                                e41aedfd5900e9cddd8a5f33122664ca86af3123

                                                SHA256

                                                4010964460e6eba93235bb7dd69a318fc521067ae52b857a20e7bf28c8d8ca5e

                                                SHA512

                                                9d91a1c49c3e5afca4b112813b60e7c7e72cf31827294b51b43d7dc90cd0b6cbc88eadb306722e3b4a1d22bb34113dd4d76531bbc01af476e89173e3d331a50c

                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                Filesize

                                                342B

                                                MD5

                                                22e3d78a7662fdc746df502458850f84

                                                SHA1

                                                1cdf74c31ff2826fad6c838c4be24ed76c2aa08f

                                                SHA256

                                                6955117b01d4bb2d35ec737e8da6666506122d4120c80788eda46966356ef29a

                                                SHA512

                                                ba19bfcc1989574522404b1cc3d1e088b194bd70d7dce4b19f1d381a4ab4d3c305ecc534a537419b03732501501926bd44f1d93e6deffba492e7e3159e94d337

                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                Filesize

                                                342B

                                                MD5

                                                2506b714f6c5b0ee07408d3048d7a5ac

                                                SHA1

                                                b58f6730747638bc104be5baf9ac082d462f381c

                                                SHA256

                                                ef4c662df6813a350753072f63adc0ea005fa4f50174e9fd21a23ddc1e327b9f

                                                SHA512

                                                f29b5967b5229d2f537e3ec768f1420be21b50de5c930c56bf920411d0e5072fdbfcb0842c04e5f3bc4cc6aab66d0a6d560d03b70161f8cf7cd8f5ab23fc55a2

                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                Filesize

                                                342B

                                                MD5

                                                b82798404b95c4de30b92ce4feacf9c7

                                                SHA1

                                                b4b21dacf94ed8fb4c02bf25aa55da12cb456815

                                                SHA256

                                                c21d845d2c1da22a45f3bd3f5a9de2cf669e47c2e73c47e97cb060efd49d4446

                                                SHA512

                                                2f21fd0fff9ae1857a603be436b63cb9769c5a384a733e6304674cd7a89827da6758cea8dfbe8592ca3493f2804521e264733881647e77ae0798302a49f242c5

                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                Filesize

                                                342B

                                                MD5

                                                acdf8f3244bdae0aadaf0bf5cd1f3b6e

                                                SHA1

                                                6fc16135836348e820c4aca5d9ba1944f6c1f411

                                                SHA256

                                                17c7c1527007b5e9fc106b34d9c11bc29c4379c66a3757e677a1b6d4aab7765e

                                                SHA512

                                                643dcf86a789d2dcfd9a942c57a296f6ca1aa93cd147b674cb967601d74d1b670a6c37fb72023016640fc60162c85ff9950592d997dac168b73f152d1a7251d1

                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                Filesize

                                                342B

                                                MD5

                                                926b8cbd7953decf221c228efc504e91

                                                SHA1

                                                8514cc8acc3f2be33ed961daabb91b60d9571847

                                                SHA256

                                                e96e136e7112753a053259cd7ca6e4a8ca637e9b83021e3309dc82eb3600642e

                                                SHA512

                                                6a1e9510ac83dfbeef1ae0587a4e50987200686b4be5a01a07b62c9387b81269c31a8e1245993d67bd6719a3ae0a213ecea9af7f1b4d6600d9d3dad2fdfb8f73

                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                Filesize

                                                342B

                                                MD5

                                                64915a6999ac9c5a274ad63976112142

                                                SHA1

                                                f6e79318b3ddc1377d1304490a7a1726eac2f459

                                                SHA256

                                                5de42cac563b44b0c9b83c926536d13d154926e30e1d994fd23c2c72fe533575

                                                SHA512

                                                8b3ef4b7ec07d5bab2665c07344e154700da1c0d98939c37a44ede929e37de79a7f650998b1a9f4f0532134bec077a444b48688c170d56624fd6b0959af716dc

                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                Filesize

                                                342B

                                                MD5

                                                70d00f306d30b3001d5c154da8f647ed

                                                SHA1

                                                455932f52c9e50907662f4e6c6054ec4cc2436d9

                                                SHA256

                                                a9fa4862b1e043e9563b4ed506b1b2f8867ea85b2173e7312aea143a32d26aa8

                                                SHA512

                                                b37329c6c433f931c2fa37277ead96ee9806917f4542c850be537111d5c43d8ced8a1c6801d4e9ceaa4ee1d053238140193924036a9c6fe298d055c62c9626af

                                              • C:\Users\Admin\AppData\Local\Temp\BAWHCtE00Z.bat

                                                Filesize

                                                248B

                                                MD5

                                                2cb690a31fe21f8d01cd845339500df7

                                                SHA1

                                                5fd8889b2dd243eab7df36b9c048a30a47bf5115

                                                SHA256

                                                23a657d6ab0c9783bf47eab07ad17c56a9727e91cf0deac0e4fb630da2b4de01

                                                SHA512

                                                e31fa48726dca48685e77f0dfe643a1820e96051cdbc72bf2c699c1770bddac09d326f9c9905c74a09de7a2485a77fea07d877c2635672f757f8813ce10dfc57

                                              • C:\Users\Admin\AppData\Local\Temp\Cab86AF.tmp

                                                Filesize

                                                70KB

                                                MD5

                                                49aebf8cbd62d92ac215b2923fb1b9f5

                                                SHA1

                                                1723be06719828dda65ad804298d0431f6aff976

                                                SHA256

                                                b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                                SHA512

                                                bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

• C:\Users\Admin\AppData\Local\Temp\IJ9EkrtYDM.bat
  Filesize: 248B
  MD5: c801ba1a790a2b0434809628f7a6cc2f
  SHA1: 358dc9e583769840324237515d4e74b4f94df136
  SHA256: 88ad0a98174894e57563dcf55b0b917bff0db785acf25bddee180ff39cd41ec9
  SHA512: 08000ddf24723aa9528310990f2dde1c5068b31756f7386f0649d0b8d72c43c244c15535d940ed37dcfd903b8a5f5e141a0313c8c49ebdb72622f505dd7ccb16

• C:\Users\Admin\AppData\Local\Temp\IPU7rAfrPc.bat
  Filesize: 248B
  MD5: 566f4794e197b51b3be446c45374ed15
  SHA1: e75c46215c92e9dc26e9cf9ae45f2b15d14720a5
  SHA256: 063acb6a529cadb5a68ea2260e71e943a9d4089f6687c20d220f5627b52ff7c1
  SHA512: 9885ecb0913b492c34035c3e95e6b44bdc70ba808385a5b99a8c7bff24e206e95033809ce26ee6f786914e5ad5e46501e0046f08903a10f2626e5f95b53db5a6

• C:\Users\Admin\AppData\Local\Temp\PliZKNaLvF.bat
  Filesize: 248B
  MD5: f5efafbc6467c140fb9aa4626492a034
  SHA1: 158bc55f47960de8b58a5d052a70e2da0a0cb4c2
  SHA256: bf3011c8ac174f3f99d064f90791fdeaa7d37062a2e5afb4ebf8e9f0fe79ed0c
  SHA512: 0fa54a34732aef4430dd407b8925152a287a2ccefe5e9e8c960b645c08a0bf9d8d0c6ea8b16d746d3f42e9f2deb816906f98a24a7dccc97f804d3ca351ea093f

• C:\Users\Admin\AppData\Local\Temp\Tar86E1.tmp
  Filesize: 181KB
  MD5: 4ea6026cf93ec6338144661bf1202cd1
  SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
  SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
  SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

• C:\Users\Admin\AppData\Local\Temp\TfYr4aOzGb.bat
  Filesize: 248B
  MD5: 64bb050cfa30359c842c33a2cfb5cf98
  SHA1: 153025b3963e7a8f892d7371562df0f8cfe36e62
  SHA256: f034bc753ac68b86c89368671373004c42eac49a7a8ded2046b2becdba247386
  SHA512: a5753290347e6ebbfcf98a94dd4aff88079a5ca11d22eee77f3377943796255cab02ba1fda914f3c7e5e548677c3beb131aab2415e21a471849f7909f3f4aaa1

• C:\Users\Admin\AppData\Local\Temp\UWW2tbEWSD.bat
  Filesize: 248B
  MD5: d0d84f136636ede806bdbbda58d0ce62
  SHA1: 9eab8dc946de6ec7dc50b46fa52acf5e03c6a604
  SHA256: f1673ae1282b8f60c7faeeb091a2b27683083d4153e723f9addad29dfb248c88
  SHA512: 37bcdb7c6ba75f4dfb0047b71b90ebfb92f0704cba937fc6a58a5651005e67c9f715b58644428e0425e3cb2921b8fee11bd5141539f3dbe5f934311b2c88685b

• C:\Users\Admin\AppData\Local\Temp\asjVMp8zxr.bat
  Filesize: 248B
  MD5: 7bcb6fe743279bbe694cacf467ee9f45
  SHA1: 38dd4fb9d662c5fcf64bcb7d0029ea6caa32a2db
  SHA256: 9817896c26019f800e0499341511bed01d63aef9f7469046427ce13a48f96ade
  SHA512: b321cfcafea143399af1561e7d44292152445289c991b2accc4c8b32b5f68d5fd597c229a1d826c8f29c55a3460105feaa792680530a9e03717592214c6613b8

• C:\Users\Admin\AppData\Local\Temp\f4KPDhjeqr.bat
  Filesize: 248B
  MD5: bd29829b041d9ee8400d2f7bbb64fe95
  SHA1: bbde6e6d14aa995125689f9af7cb5324f91eaf87
  SHA256: 47a1027df851f8d967152c90e6f78156d06cf246ccaeaeec6d4111da17b7bc3f
  SHA512: 07902864bd19e17533066376a85db241137c2bf46a226e102c70a88af988bcef7f3c1b437ae4a36b8d18d309d020ef010bf164f4d311e0796269dbda4fa5d76d

• C:\Users\Admin\AppData\Local\Temp\hfpeQ4JfvC.bat
  Filesize: 248B
  MD5: 49173b0e2ff21c55bcefcc06aaa1eaf0
  SHA1: 815522754e2d06de1cc764a1bea332689c954b9a
  SHA256: 32c001731587369f2cf9659439a11b5dd0fe8ac99f614599f2ba7e8ec7ed488d
  SHA512: fd5e0adc69ef7da43419d4b158a9e9842d9167559a1c3854ebf119d1a8fb19a596b66cfa786e49b7ee891d63849b95db29de93e3f0d3e4ec51270f69271b21f6

• C:\Users\Admin\AppData\Local\Temp\qRj2XQE6t6.bat
  Filesize: 248B
  MD5: 47b9f695b2cdd614d6b1f8fea4cce270
  SHA1: 4820f2da81143919914b47faa69a5aee95826d6f
  SHA256: 3722fadda067af811e395ddb389e42ed27ce64d38d9d49cb5cf5c4964dcf47f7
  SHA512: 38467597c77b11c93e9d7b63786bf738e1d62dd6e875aaa76eb0ae9ff815ac9d9c3a7f11df406b5fd37a0441a8b4c99e1d9a7a3f13b95a61de6da366a1d15673

• C:\Users\Admin\AppData\Local\Temp\rgoiaSdxpd.bat
  Filesize: 248B
  MD5: d542f274907613d963d4dd640a525ba3
  SHA1: 64af8fff6e390d37931cc8eb879b6f2ff7fbdcbd
  SHA256: dbd3ccde32fdd496d7f7b1e7476122f4fd11d3f889cb131f3feda1a792332f07
  SHA512: 0b6a0c89f2df736db3b09b24a6c7a189257bfaa6a519c0c3a22b5fe8e1e254376c70665bced8ee3ba179508fed7529a70bb6fc4e65a5327372d5bbbe80f8871c

• C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 26211c6876f6d31e015e3ac79f8092e2
  SHA1: 7af63169a85d80a68e6705d1a3bc758217546b17
  SHA256: a1e7003df5f3f1c58ed3be42091d7c748280b5737e47fff1956eb491d5e6df14
  SHA512: a3c22ccb5b3af6ac17996ad2f987c4f64cba92b9cd35226407b040bbc1dfdca7d6b6b9d9c55841475008cd96bdc396721968f43ffa5709fe4e1a1fb2278ea5b4

• C:\providercommon\1zu9dW.bat
  Filesize: 36B
  MD5: 6783c3ee07c7d151ceac57f1f9c8bed7
  SHA1: 17468f98f95bf504cc1f83c49e49a78526b3ea03
  SHA256: 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
  SHA512: c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

• C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
  Filesize: 197B
  MD5: 8088241160261560a02c84025d107592
  SHA1: 083121f7027557570994c9fc211df61730455bb5
  SHA256: 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
  SHA512: 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

• \providercommon\DllCommonsvc.exe
  Filesize: 1.0MB
  MD5: bd31e94b4143c4ce49c17d3af46bcad0
  SHA1: f8c51ff3ff909531d9469d4ba1bbabae101853ff
  SHA256: b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
  SHA512: f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

• memory/792-138-0x00000000001C0000-0x00000000001D2000-memory.dmp
  Filesize: 72KB

• memory/792-56-0x00000000001E0000-0x00000000002F0000-memory.dmp
  Filesize: 1.1MB

• memory/800-497-0x00000000012C0000-0x00000000013D0000-memory.dmp
  Filesize: 1.1MB

• memory/944-557-0x0000000000050000-0x0000000000160000-memory.dmp
  Filesize: 1.1MB

• memory/944-558-0x0000000000360000-0x0000000000372000-memory.dmp
  Filesize: 72KB

• memory/1192-739-0x0000000000340000-0x0000000000352000-memory.dmp
  Filesize: 72KB

• memory/1192-738-0x0000000000350000-0x0000000000460000-memory.dmp
  Filesize: 1.1MB

• memory/1300-197-0x0000000000AF0000-0x0000000000C00000-memory.dmp
  Filesize: 1.1MB

• memory/1432-678-0x00000000002C0000-0x00000000002D2000-memory.dmp
  Filesize: 72KB

• memory/1708-15-0x00000000004F0000-0x00000000004FC000-memory.dmp
  Filesize: 48KB

• memory/1708-16-0x00000000001E0000-0x00000000001EC000-memory.dmp
  Filesize: 48KB

• memory/1708-17-0x0000000000500000-0x000000000050C000-memory.dmp
  Filesize: 48KB

• memory/1708-14-0x0000000000150000-0x0000000000162000-memory.dmp
  Filesize: 72KB

• memory/1708-13-0x0000000000DF0000-0x0000000000F00000-memory.dmp
  Filesize: 1.1MB

• memory/1720-618-0x0000000001030000-0x0000000001140000-memory.dmp
  Filesize: 1.1MB

• memory/2256-257-0x0000000000BA0000-0x0000000000CB0000-memory.dmp
  Filesize: 1.1MB

• memory/2680-317-0x0000000000E60000-0x0000000000F70000-memory.dmp
  Filesize: 1.1MB

• memory/2940-97-0x0000000002230000-0x0000000002238000-memory.dmp
  Filesize: 32KB

• memory/2940-92-0x000000001B5D0000-0x000000001B8B2000-memory.dmp
  Filesize: 2.9MB

• memory/3060-437-0x00000000008E0000-0x00000000009F0000-memory.dmp
  Filesize: 1.1MB

• memory/3064-377-0x00000000003E0000-0x00000000004F0000-memory.dmp
  Filesize: 1.1MB
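The dropped-file and memory-dump entries above are a flat IOC list. The script below is an added example written for this page; it is not part of the sandbox report, the sample, or any vendor tooling. It does two things a responder wants from such a list: it parses the `memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp` names so region sizes can be cross-checked against the stated `Filesize` and grouped per process, and it sweeps a host for the persistent `C:\providercommon` artifacts by SHA256. Assumptions: the `C:` drive letter for `\providercommon\DllCommonsvc.exe`, which the report lists without one; the `read` callable is an injection point so the sweep logic can be exercised without a Windows host; `human_size` mirrors the report's rounding (whole KB below 1 MB, one decimal above). The per-run `Temp\*.bat` files with random names are deliberately left out of the sweep table.

```python
"""Parse sandbox dropped-file / memory-dump entries and sweep a host for them (added example)."""
import hashlib
import os
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed from the report's own dropped-file entries: only the persistent
# C:\providercommon artifacts. Drive letter for DllCommonsvc.exe is an assumption.
FILE_IOCS: Dict[str, str] = {
    r"C:\providercommon\1zu9dW.bat":
        "8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322",
    r"C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe":
        "2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1",
    r"C:\providercommon\DllCommonsvc.exe":
        "b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63",
}

# A few memory-dump names copied from the report, used as sample input.
MEMORY_ENTRIES: List[str] = [
    "memory/792-138-0x00000000001C0000-0x00000000001D2000-memory.dmp",
    "memory/792-56-0x00000000001E0000-0x00000000002F0000-memory.dmp",
    "memory/1708-15-0x00000000004F0000-0x00000000004FC000-memory.dmp",
    "memory/2940-92-0x000000001B5D0000-0x000000001B8B2000-memory.dmp",
]

MEMORY_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


@dataclass(frozen=True)
class MemoryRegion:
    pid: int
    seq: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_memory_entry(name: str) -> MemoryRegion:
    """Recover pid, dump index and address range from a memory/... entry name."""
    m = MEMORY_RE.match(name)
    if not m:
        raise ValueError(f"not a memory-dump entry: {name!r}")
    region = MemoryRegion(int(m["pid"]), int(m["seq"]),
                          int(m["start"], 16), int(m["end"], 16))
    if region.end <= region.start:
        raise ValueError(f"empty or inverted region: {name!r}")
    return region


def human_size(n: int) -> str:
    """Format like the report: whole KB below 1 MB, one decimal MB at or above."""
    if n < 1024 * 1024:
        return f"{n // 1024}KB"
    return f"{n / (1024 * 1024):.1f}MB"


def regions_by_pid(names: List[str]) -> Dict[int, List[MemoryRegion]]:
    """Group parsed regions per process so repeated mappings stand out."""
    grouped: Dict[int, List[MemoryRegion]] = {}
    for name in names:
        region = parse_memory_entry(name)
        grouped.setdefault(region.pid, []).append(region)
    return grouped


Reader = Callable[[str], Optional[bytes]]


def filesystem_reader(path: str) -> Optional[bytes]:
    """None when the path is absent; PermissionError propagates when present but locked."""
    if not os.path.isfile(path):
        return None
    with open(path, "rb") as fh:
        return fh.read()


def sweep(iocs: Dict[str, str], read: Reader) -> Dict[str, str]:
    """Map each IOC path to 'absent', 'match', 'present-unreadable' or 'mismatch:<sha256>'."""
    result: Dict[str, str] = {}
    for path, expected in iocs.items():
        try:
            data = read(path)
        except PermissionError:
            result[path] = "present-unreadable"   # still a hit: the path exists
            continue
        if data is None:
            result[path] = "absent"
            continue
        actual = hashlib.sha256(data).hexdigest()
        result[path] = "match" if actual == expected.lower() else f"mismatch:{actual}"
    return result


if __name__ == "__main__":
    for pid, regions in sorted(regions_by_pid(MEMORY_ENTRIES).items()):
        print(pid, [human_size(r.size) for r in regions])
    for path, status in sweep(FILE_IOCS, filesystem_reader).items():
        print(status, path)
```

Run it on the suspect host with rights to read `C:\providercommon`. A `present-unreadable` result means the path exists and should be treated as a hit, and the path itself is worth alerting on regardless of hash, since a rebuilt `DllCommonsvc.exe` would produce `mismatch:` rather than `match`. The region arithmetic is a sanity check on the report: `0x1D2000 - 0x1C0000` is 72KB and `0x2F0000 - 0x1E0000` is 1.1MB, exactly the sizes listed.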