Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    21-12-2024 21:17

General

  • Target

    JaffaCakes118_d0cd6a65031ca35cc534b69899d724a668d22af2f4d27b07808cae9d80b49e94.exe

  • Size

    1.3MB

  • MD5

    e1d3b3250a258e30c5fcff5ede8c87c2

  • SHA1

    b5c0c519f6f740758adbfd4a3f994d8280515a5d

  • SHA256

    d0cd6a65031ca35cc534b69899d724a668d22af2f4d27b07808cae9d80b49e94

  • SHA512

    d7ed87a4e722863349f40a41d8728b541618fad80f2996c7693130e87f5a815ddf6e2aef6287e432c16b11b7fb1ca97a3f3739ce786fb53a2b2e12fd1ec61c0e

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 42 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 14 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs

    Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 13 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs
  • Drops file in Program Files directory 13 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 27 IoCs
  • Suspicious use of AdjustPrivilegeToken 27 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d0cd6a65031ca35cc534b69899d724a668d22af2f4d27b07808cae9d80b49e94.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d0cd6a65031ca35cc534b69899d724a668d22af2f4d27b07808cae9d80b49e94.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1716
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1256
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3064
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2712
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1000
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\TableTextService\en-US\wininit.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1252
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\fr-FR\conhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:872
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Idle.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1732
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1728
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\dllhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:112
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\TableTextService\en-US\smss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3044
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Links\services.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:888
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1492
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Reader 9.0\sppsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1432
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\System.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2276
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Fonts\taskhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1044
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Prefetch\ReadyBoot\spoolsv.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            PID:2336
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft Help\audiodg.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1768
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1588
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rXxenmB2Ly.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2784
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
              PID:2356
            • C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsm.exe
              "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsm.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1976
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\da4noHdFs8.bat"
                7⤵
                PID:380
                • C:\Windows\system32\w32tm.exe
                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                  8⤵
                  PID:2004
                • C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsm.exe
                  "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsm.exe"
                  8⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1636
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yQKAuQiBIV.bat"
                    9⤵
                    PID:2912
                    • C:\Windows\system32\w32tm.exe
                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                      10⤵
                      PID:2964
                    • C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsm.exe
                      "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsm.exe"
                      10⤵
                      • Executes dropped EXE
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2244
                      • C:\Windows\System32\cmd.exe
                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IrNnSCw4rJ.bat"
                        11⤵
                        PID:1832
                        • C:\Windows\system32\w32tm.exe
                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                          12⤵
                          PID:2536
                        • C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsm.exe
                          "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsm.exe"
                          12⤵
                          • Executes dropped EXE
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1896
                          • C:\Windows\System32\cmd.exe
                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FIx4sKIZfl.bat"
                            13⤵
                            PID:2336
                            • C:\Windows\system32\w32tm.exe
                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                              14⤵
                              PID:1780
                            • C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsm.exe
                              "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsm.exe"
                              14⤵
                              • Executes dropped EXE
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              PID:1972
                              • C:\Windows\System32\cmd.exe
                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\syea0WjfTx.bat"
                                15⤵
                                PID:2716
                                • C:\Windows\system32\w32tm.exe
                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                  16⤵
                                  PID:1656
                                • C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsm.exe
                                  "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsm.exe"
                                  16⤵
                                  • Executes dropped EXE
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:2496
                                  • C:\Windows\System32\cmd.exe
                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5ixwcMXCIg.bat"
                                    17⤵
                                    PID:1916
                                    • C:\Windows\system32\w32tm.exe
                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                      18⤵
                                      PID:760
                                    • C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsm.exe
                                      "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsm.exe"
                                      18⤵
                                      • Executes dropped EXE
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:1576
                                      • C:\Windows\System32\cmd.exe
                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nl4g9d70ax.bat"
                                        19⤵
                                        PID:2148
                                        • C:\Windows\system32\w32tm.exe
                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                          20⤵
                                          PID:3052
                                        • C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsm.exe
                                          "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsm.exe"
                                          20⤵
                                          • Executes dropped EXE
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:2704
                                          • C:\Windows\System32\cmd.exe
                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Bp0TjAk7l7.bat"
                                            21⤵
                                            PID:884
                                            • C:\Windows\system32\w32tm.exe
                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                              22⤵
                                              PID:1180
                                            • C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsm.exe
                                              "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsm.exe"
                                              22⤵
                                              • Executes dropped EXE
                                              • Suspicious behavior: EnumeratesProcesses
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:1504
                                              • C:\Windows\System32\cmd.exe
                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qtVTp5BaF9.bat"
                                                23⤵
                                                PID:1296
                                                • C:\Windows\system32\w32tm.exe
                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                  24⤵
                                                  PID:2812
                                                • C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsm.exe
                                                  "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsm.exe"
                                                  24⤵
                                                  • Executes dropped EXE
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:1492
                                                  • C:\Windows\System32\cmd.exe
                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yQKAuQiBIV.bat"
                                                    25⤵
                                                    PID:2320
                                                    • C:\Windows\system32\w32tm.exe
                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                      26⤵
                                                      PID:2396
                                                    • C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsm.exe
                                                      "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsm.exe"
                                                      26⤵
                                                      • Executes dropped EXE
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:1092
                                                      • C:\Windows\System32\cmd.exe
                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JCnMdX7E06.bat"
                                                        27⤵
                                                        PID:1700
                                                        • C:\Windows\system32\w32tm.exe
                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                          28⤵
                                                          PID:1768
                                                        • C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsm.exe
                                                          "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsm.exe"
                                                          28⤵
                                                          • Executes dropped EXE
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:2384
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\wininit.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2152
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\en-US\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2652
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2884
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Journal\fr-FR\conhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2704
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\fr-FR\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2648
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Journal\fr-FR\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2552
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\providercommon\Idle.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2988
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2848
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:852
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:796
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1240
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1988
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\dllhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2360
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2440
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\dllhost.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:1484
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\smss.exe'" /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:1928
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\smss.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:1736
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\smss.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:776
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Links\services.exe'" /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:108
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default\Links\services.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:1556
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Links\services.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:2756
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\DllCommonsvc.exe'" /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:2768
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:2976
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:2140
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\sppsvc.exe'" /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:2428
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\sppsvc.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:2120
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\sppsvc.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:2400
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\System.exe'" /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:448
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\System.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:1636
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\System.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:672
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Windows\Fonts\taskhost.exe'" /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:1356
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\Fonts\taskhost.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:1840
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Windows\Fonts\taskhost.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:1088
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Windows\Prefetch\ReadyBoot\spoolsv.exe'" /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:2268
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\spoolsv.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:2004
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Windows\Prefetch\ReadyBoot\spoolsv.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:396
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Microsoft Help\audiodg.exe'" /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:2288
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft Help\audiodg.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:1748
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Microsoft Help\audiodg.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:236
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:2236
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:2316
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:2052

                                                Network

                                                MITRE ATT&CK Enterprise v15

                                                Downloads

                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                  Filesize

                                                  342B

                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                  Filesize

                                                  342B

                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                  Filesize

                                                  342B

                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                  Filesize

                                                  342B

                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                  Filesize

                                                  342B

                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                  Filesize

                                                  342B

                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                  Filesize

                                                  342B

                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                  Filesize

                                                  342B

                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                  Filesize

                                                  342B

                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                  Filesize

                                                  342B

                                                • C:\Users\Admin\AppData\Local\Temp\5ixwcMXCIg.bat

                                                  Filesize

                                                  235B

                                                • C:\Users\Admin\AppData\Local\Temp\Bp0TjAk7l7.bat

                                                  Filesize

                                                  235B

                                                • C:\Users\Admin\AppData\Local\Temp\Cab206E.tmp

                                                  Filesize

                                                  70KB

                                                • C:\Users\Admin\AppData\Local\Temp\IrNnSCw4rJ.bat

                                                  Filesize

                                                  235B

                                                • C:\Users\Admin\AppData\Local\Temp\JCnMdX7E06.bat

                                                  Filesize

                                                  235B

                                                • C:\Users\Admin\AppData\Local\Temp\Tar2090.tmp

                                                  Filesize

                                                  181KB

                                                • C:\Users\Admin\AppData\Local\Temp\da4noHdFs8.bat

                                                  Filesize

                                                  235B

                                                  MD5

                                                  d3d6da83fa8acad71eec6f5afde80bcc

                                                  SHA1

                                                  0dce14dd4e04b6befc54edf48684e130b80adfe3

                                                  SHA256

                                                  963eecd195c408ca74d24cfbe16951163dc9b5030d806c05a3467c64b581c6fa

                                                  SHA512

                                                  ad7253f074edfe9c13c9c4b5793a6d777ce2b739b1a75e91d37c073e93965cceb998a35f2f8e4fd5e972ff02cc6a4abeed70bd94befec273f867d1d579a1e9ac

                                                • C:\Users\Admin\AppData\Local\Temp\nl4g9d70ax.bat

                                                  Filesize

                                                  235B

                                                  MD5

                                                  33a60225635d17a512f778bf9dedb588

                                                  SHA1

                                                  ed29b5f9551f93be96eb9f274eebf07c83927227

                                                  SHA256

                                                  ab16149434c944ccb567ee875f81501d31587bda8f232ac28336c51f937161b5

                                                  SHA512

                                                  096a73cbd26010d4e0ee2c2df38673274e6a8411082cf7702c52424939f429757a7ce195fa82e2411c7de29f4bf6907070ec9ca0aa3127ac03dd62c6b80b5626

                                                • C:\Users\Admin\AppData\Local\Temp\qtVTp5BaF9.bat

                                                  Filesize

                                                  235B

                                                  MD5

                                                  f3fe221d9ba85d9c5f15b7f0a3cfdd41

                                                  SHA1

                                                  40c77bd4d92a29b2d9e22b1bc1c218de3f9ea4b7

                                                  SHA256

                                                  a67f8cd96c679cc237ac9bcf6c741804b4622a7bd8e05d32a3f70a76d9917379

                                                  SHA512

                                                  ab261465641533246f13afafdb9f6942b2c135ab61706c32f4d5da1c0bcffe3702e0da1a99e93746f8e9ce7dca2f08efe6296c48af16f9ffbe00f4a7f1c75522

                                                • C:\Users\Admin\AppData\Local\Temp\rXxenmB2Ly.bat

                                                  Filesize

                                                  235B

                                                  MD5

                                                  1364163902e6e55dfd613bb4ec2ec497

                                                  SHA1

                                                  4fbd8643c20afce324297428f576d74bedb48ce9

                                                  SHA256

                                                  1766be548df176437222bee593841145f161e1e5e22e09cc41cf26b6dcbb3443

                                                  SHA512

                                                  4171d7a8df8c26aa388bc336483809633f76ff85c541e5c785bb9a609c20e699731a28bfa3c25d4de35fe915031fc29e4e2826b58228b70976d638469b1a48e3

                                                • C:\Users\Admin\AppData\Local\Temp\syea0WjfTx.bat

                                                  Filesize

                                                  235B

                                                  MD5

                                                  1123f96f654b7dcb284e7d0fd1cc2747

                                                  SHA1

                                                  8584a4f01a4998f68f3134de4a8bc2e60e8bd460

                                                  SHA256

                                                  7e72735dec6454e05fee2806acb82ee05e6aef0c8356d62caae7af2bd7806e81

                                                  SHA512

                                                  1bf70f518011c59b136c619f27b9f21f2ec39fd45e9a593c8f5ca4361ff4f6c6df2e807645eea450167d63c822d1fadce683f16a12ce26d5c5112ee5a09e72b1

                                                • C:\Users\Admin\AppData\Local\Temp\yQKAuQiBIV.bat

                                                  Filesize

                                                  235B

                                                  MD5

                                                  de3d10ba71d009aca9950b805ad3a026

                                                  SHA1

                                                  c51dd3d966d40d059d223a7c91510f79fce03f34

                                                  SHA256

                                                  acc726d01780b2c159f240be6d0f1cc8e99267fd019b4265940279215934dc79

                                                  SHA512

                                                  fae34870843d92a2a19b89967cd67715b7937f155914a08e2ead00a6806428f40084fcf001d52401c466794e01a23c174dd8f8c0df4c7fd9fbfe17ca5e3348b5

                                                • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\GILMNV5JQQVEZDGN0B7G.temp

                                                  Filesize

                                                  7KB

                                                  MD5

                                                  ff11f46ce925b9227df765dfe651d0a3

                                                  SHA1

                                                  b0bb594fcf43eed689c2d37e60190cec84ca889e

                                                  SHA256

                                                  b7abe587dfe2db8576989efe668dad539a634d0053a0e1445e05c588a9cd9335

                                                  SHA512

                                                  ecfca99fe37b92f4c6f90678ae671f78ca787d4d90a8d7d2e5f4d36898ee8547e43dd1564509ebdd368154f5ac5a6cf46189856e4cb3d9901a534dbc01e87e4f

                                                • C:\providercommon\1zu9dW.bat

                                                  Filesize

                                                  36B

                                                  MD5

                                                  6783c3ee07c7d151ceac57f1f9c8bed7

                                                  SHA1

                                                  17468f98f95bf504cc1f83c49e49a78526b3ea03

                                                  SHA256

                                                  8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

                                                  SHA512

                                                  c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                                • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                                  Filesize

                                                  197B

                                                  MD5

                                                  8088241160261560a02c84025d107592

                                                  SHA1

                                                  083121f7027557570994c9fc211df61730455bb5

                                                  SHA256

                                                  2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

                                                  SHA512

                                                  20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                                • \providercommon\DllCommonsvc.exe

                                                  Filesize

                                                  1.0MB

                                                  MD5

                                                  bd31e94b4143c4ce49c17d3af46bcad0

                                                  SHA1

                                                  f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                                  SHA256

                                                  b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                                  SHA512

                                                  f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                                • memory/872-89-0x000000001B720000-0x000000001BA02000-memory.dmp

                                                  Filesize

                                                  2.9MB

                                                • memory/1092-721-0x00000000001F0000-0x0000000000300000-memory.dmp

                                                  Filesize

                                                  1.1MB

                                                • memory/1492-661-0x0000000001010000-0x0000000001120000-memory.dmp

                                                  Filesize

                                                  1.1MB

                                                • memory/1504-601-0x0000000000070000-0x0000000000180000-memory.dmp

                                                  Filesize

                                                  1.1MB

                                                • memory/1576-481-0x0000000000050000-0x0000000000160000-memory.dmp

                                                  Filesize

                                                  1.1MB

                                                • memory/1636-180-0x00000000000B0000-0x00000000001C0000-memory.dmp

                                                  Filesize

                                                  1.1MB

                                                • memory/1896-301-0x0000000001260000-0x0000000001370000-memory.dmp

                                                  Filesize

                                                  1.1MB

                                                • memory/1972-360-0x00000000002D0000-0x00000000003E0000-memory.dmp

                                                  Filesize

                                                  1.1MB

                                                • memory/1972-361-0x00000000002B0000-0x00000000002C2000-memory.dmp

                                                  Filesize

                                                  72KB

                                                • memory/1976-120-0x0000000000F90000-0x00000000010A0000-memory.dmp

                                                  Filesize

                                                  1.1MB

                                                • memory/1976-121-0x00000000004B0000-0x00000000004C2000-memory.dmp

                                                  Filesize

                                                  72KB

                                                • memory/2244-241-0x00000000004E0000-0x00000000004F2000-memory.dmp

                                                  Filesize

                                                  72KB

                                                • memory/2244-240-0x0000000000960000-0x0000000000A70000-memory.dmp

                                                  Filesize

                                                  1.1MB

                                                • memory/2276-117-0x00000000021D0000-0x00000000021D8000-memory.dmp

                                                  Filesize

                                                  32KB

                                                • memory/2384-781-0x0000000000C10000-0x0000000000D20000-memory.dmp

                                                  Filesize

                                                  1.1MB

                                                • memory/2496-421-0x0000000000EB0000-0x0000000000FC0000-memory.dmp

                                                  Filesize

                                                  1.1MB

                                                • memory/2704-541-0x0000000000390000-0x00000000004A0000-memory.dmp

                                                  Filesize

                                                  1.1MB

                                                • memory/2712-17-0x00000000002D0000-0x00000000002DC000-memory.dmp

                                                  Filesize

                                                  48KB

                                                • memory/2712-16-0x00000000002C0000-0x00000000002CC000-memory.dmp

                                                  Filesize

                                                  48KB

                                                • memory/2712-15-0x0000000000260000-0x000000000026C000-memory.dmp

                                                  Filesize

                                                  48KB

                                                • memory/2712-14-0x0000000000250000-0x0000000000262000-memory.dmp

                                                  Filesize

                                                  72KB

                                                • memory/2712-13-0x0000000000110000-0x0000000000220000-memory.dmp

                                                  Filesize

                                                  1.1MB