Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    21-12-2024 20:39

General

  • Target

    JaffaCakes118_60d87e9a399274f9700352ed2700a181cca9a25cfad1b47e87dd384bd8c1b13d.exe

  • Size

    1.3MB

  • MD5

    3b42aebf194a6ae49c9be941794f86fe

  • SHA1

    bfeb0b7b755f1edc2f22adc38d3967e6be6a8833

  • SHA256

    60d87e9a399274f9700352ed2700a181cca9a25cfad1b47e87dd384bd8c1b13d

  • SHA512

    830c2be73ce87c0b6bf1d4db40cb81c4b4e97457dcdfd2b1b435990c9b89773e9434d41d60a289699756ffe78883b697f4fddb327efab16bff523eed95679013

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 42 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 5 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 13 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs
  • Drops file in Program Files directory 11 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 32 IoCs
  • Suspicious use of AdjustPrivilegeToken 28 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_60d87e9a399274f9700352ed2700a181cca9a25cfad1b47e87dd384bd8c1b13d.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_60d87e9a399274f9700352ed2700a181cca9a25cfad1b47e87dd384bd8c1b13d.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2636
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2760
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2756
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2704
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2328
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dwm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1948
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office14\1033\OSPPSVC.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2476
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\spoolsv.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2284
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2464
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\explorer.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1740
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2984
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\lsass.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1712
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\NetHood\dllhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1240
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\lsass.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2336
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\sppsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1472
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\lsm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:704
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\wininit.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1936
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Update\Offline\lsm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:880
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\System.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:872
          • C:\providercommon\conhost.exe
            "C:\providercommon\conhost.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2836
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\syYKg8QxNI.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2332
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                  PID:2004
                • C:\providercommon\conhost.exe
                  "C:\providercommon\conhost.exe"
                  7⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1756
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\e2wUPJtRJp.bat"
                    8⤵
                      PID:2568
                      • C:\Windows\system32\w32tm.exe
                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                        9⤵
                          PID:2448
                        • C:\providercommon\conhost.exe
                          "C:\providercommon\conhost.exe"
                          9⤵
                          • Executes dropped EXE
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2692
                          • C:\Windows\System32\cmd.exe
                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NHYDEKme3A.bat"
                            10⤵
                              PID:2728
                              • C:\Windows\system32\w32tm.exe
                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                11⤵
                                  PID:2016
                                • C:\providercommon\conhost.exe
                                  "C:\providercommon\conhost.exe"
                                  11⤵
                                  • Executes dropped EXE
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:2152
                                  • C:\Windows\System32\cmd.exe
                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ctDgUbHuaY.bat"
                                    12⤵
                                      PID:1092
                                      • C:\Windows\system32\w32tm.exe
                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                        13⤵
                                          PID:588
                                        • C:\providercommon\conhost.exe
                                          "C:\providercommon\conhost.exe"
                                          13⤵
                                          • Executes dropped EXE
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:2264
                                          • C:\Windows\System32\cmd.exe
                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1JZ2DT5CuV.bat"
                                            14⤵
                                              PID:2976
                                              • C:\Windows\system32\w32tm.exe
                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                15⤵
                                                  PID:1484
                                                • C:\providercommon\conhost.exe
                                                  "C:\providercommon\conhost.exe"
                                                  15⤵
                                                  • Executes dropped EXE
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:1756
                                                  • C:\Windows\System32\cmd.exe
                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6uGRILFBWR.bat"
                                                    16⤵
                                                      PID:2640
                                                      • C:\Windows\system32\w32tm.exe
                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                        17⤵
                                                          PID:2344
                                                        • C:\providercommon\conhost.exe
                                                          "C:\providercommon\conhost.exe"
                                                          17⤵
                                                          • Executes dropped EXE
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:2888
                                                          • C:\Windows\System32\cmd.exe
                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xghrCifyI9.bat"
                                                            18⤵
                                                              PID:2132
                                                              • C:\Windows\system32\w32tm.exe
                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                19⤵
                                                                  PID:2008
                                                                • C:\providercommon\conhost.exe
                                                                  "C:\providercommon\conhost.exe"
                                                                  19⤵
                                                                  • Executes dropped EXE
                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:352
                                                                  • C:\Windows\System32\cmd.exe
                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\p5ITN63wlJ.bat"
                                                                    20⤵
                                                                      PID:680
                                                                      • C:\Windows\system32\w32tm.exe
                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                        21⤵
                                                                          PID:888
                                                                        • C:\providercommon\conhost.exe
                                                                          "C:\providercommon\conhost.exe"
                                                                          21⤵
                                                                          • Executes dropped EXE
                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          PID:2004
                                                                          • C:\Windows\System32\cmd.exe
                                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UucX7bnqC8.bat"
                                                                            22⤵
                                                                              PID:2128
                                                                              • C:\Windows\system32\w32tm.exe
                                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                23⤵
                                                                                  PID:304
                                                                                • C:\providercommon\conhost.exe
                                                                                  "C:\providercommon\conhost.exe"
                                                                                  23⤵
                                                                                  • Executes dropped EXE
                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                  PID:2292
                                                                                  • C:\Windows\System32\cmd.exe
                                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eKnLpNzAx9.bat"
                                                                                    24⤵
                                                                                      PID:1576
                                                                                      • C:\Windows\system32\w32tm.exe
                                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                        25⤵
                                                                                          PID:2716
                                                                                        • C:\providercommon\conhost.exe
                                                                                          "C:\providercommon\conhost.exe"
                                                                                          25⤵
                                                                                          • Executes dropped EXE
                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:2828
                                                                                          • C:\Windows\System32\cmd.exe
                                                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EzJh52oHEl.bat"
                                                                                            26⤵
                                                                                              PID:2544
                                                                                              • C:\Windows\system32\w32tm.exe
                                                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                27⤵
                                                                                                  PID:2060
                                                                                                • C:\providercommon\conhost.exe
                                                                                                  "C:\providercommon\conhost.exe"
                                                                                                  27⤵
                                                                                                  • Executes dropped EXE
                                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                  PID:1800
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dwm.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:3040
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dwm.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:3048
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dwm.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2780
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office\Office14\1033\OSPPSVC.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1232
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\OSPPSVC.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:236
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office\Office14\1033\OSPPSVC.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:3064
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2096
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2436
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2228
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\csrss.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2452
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\csrss.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:808
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\csrss.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2792
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\explorer.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2864
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\All Users\explorer.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2080
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\explorer.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1844
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\providercommon\conhost.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2632
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:348
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:3016
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\lsass.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2372
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\lsass.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1900
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\lsass.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1660
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\Default\NetHood\dllhost.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1744
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default\NetHood\dllhost.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2004
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Users\Default\NetHood\dllhost.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2364
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Users\Default\lsass.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2312
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default\lsass.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2512
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Users\Default\lsass.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2244
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2132
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2168
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:316
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\lsm.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1828
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\lsm.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2060
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\lsm.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1120
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\wininit.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2444
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\wininit.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2952
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\wininit.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1332
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Google\Update\Offline\lsm.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:744
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\Offline\lsm.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1752
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\Update\Offline\lsm.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1684
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Mozilla Firefox\System.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1688
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\System.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:888
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Mozilla Firefox\System.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1564

                                            Network

                                            MITRE ATT&CK Enterprise v15

                                            Replay Monitor

                                            Loading Replay Monitor...

                                            Downloads

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B

                                              MD5

                                              4a1d141572a3bd84762844d47ab8a28f

                                              SHA1

                                              5112dfca40df45be76eae9be99286ab95276a9d2

                                              SHA256

                                              b6c399fc7a7805ffb91f8e4be8ef0c02c33ea5fc3ea0af7252836fa166252d4d

                                              SHA512

                                              4dadea919151fb648e6da77a100e846606bc1bc87013df7eb30d962688b2b2d3a4c859041e5d7e4039f28dd88d362b990aa808467bfe7db9d9a22b1ea40fc7d0

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B

                                              MD5

                                              bfba7bbec6c2ab9bfd8318de0df44ed6

                                              SHA1

                                              d3ff18661b7a07dcd4490975e84f4ede67cd9e35

                                              SHA256

                                              77de9b32e3048d693193ef479bf7a91cdc7de1e79e9a5c1aa722071e432e9794

                                              SHA512

                                              880eb2d68d83ee52345a632c6d63b6f1eaa8556844607164bc114d132c01de0eed6c5939326bdbfa3a5fa4d4263486130ec8451f768d7d721213444709a19971

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B

                                              MD5

                                              0788598ddf25713ffd91f7918c3df24d

                                              SHA1

                                              6be4d3ce9dad0a774a1753f3486d41cb3337ea28

                                              SHA256

                                              1e999c73a0c3986920c4b627f5963c3c6fc0bac310002830397ddccb67d129a3

                                              SHA512

                                              11e9a1cc72ff56b1018d2d0ef0d897e721e8ba1380048aa20e989de63b6fe72932927c82932895d44affa9cc7ecf5e5d2aa1439d55768c5df5ae0200ad793761

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B

                                              MD5

                                              848d42ff30e33f997f9b629fc9cea840

                                              SHA1

                                              76455a1c830ab8b6aa2c4045461719692a56c81c

                                              SHA256

                                              9554a0ae1c3fe4e4d2067edbd9dedd0248cef5e178d22bddffd4a2fe7b983796

                                              SHA512

                                              dd7fc2eb9f78d4d388b5ca62e9a9724d76419daccd3353afbcc283e702eead5422475911053a2c9751fbd65d717b5caba8cc3d604dcc2a77bbcf2a74cd452d74

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B

                                              MD5

                                              eb7b63841ab5a1377ee0c21b857bd202

                                              SHA1

                                              1633b7ae220c9842b80996b8f9e43b3bf9cd8c95

                                              SHA256

                                              1d283cc2b6b4176f2175ce5dad4d2f937c4dbeb5d8937b422721413e681d6590

                                              SHA512

                                              09fa47c3567d6e059739801509cb1d9bf0df08deb7071b8fa70fb4315064475034b018bf205ac06cb3bbefc4d0f861456b7e1430346863d7e7295e5b21a69c81

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B

                                              MD5

                                              a5c958f7faed745130211e96b9940249

                                              SHA1

                                              609e91573caafbb006a722847514c29e5fe02047

                                              SHA256

                                              9f6d161b8984b26688307fd2b43eb5fedaf497f5d097ed2ed7f156e453d5d39c

                                              SHA512

                                              32486ed446acd6864033a8406fe5d4beb4c85184a15b24574765ae4bc92e5955686462564cd70273bab54dd2747626a7e99f837a0e25ae8c036faad4a33103aa

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B

                                              MD5

                                              ff3c6c585dd223ef19f30472d8721566

                                              SHA1

                                              ef10d8a686225a74dfadb9effc3dad1ab931e36a

                                              SHA256

                                              721d79aea6107e8647214aa268bfc1b0310151f96c1752a9e83f14712379e58f

                                              SHA512

                                              3e209cf8873651324d848ff6d5b145c6874fc4fa67d2dc92b2c0a432f0d1721caaa8fa85b60218c481800507570043d5d1234405f421048f65a7f0320323861c

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B

                                              MD5

                                              d545594271cff4525dad843e5c0d5458

                                              SHA1

                                              4bd7491c5f8e1aaa602be99283fa997bd533c9ed

                                              SHA256

                                              49962c6067ff1ba29cf8348d95577a9907ecfacd89b0ae551ce3099d48966419

                                              SHA512

                                              add7985ef6b3fa2e569ffb5bf437eb4e0ae2088e45436437b4061ce22d6c31c89b3fbe41e688a58eea9f01778a4b06cf52649037cf0f14bc784e1b19db6a86df

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B

                                              MD5

                                              7853a3711c7bf728ba39b273f9d43e56

                                              SHA1

                                              23035134d7df40eb31c54be66ebf70ad0a9ed12f

                                              SHA256

                                              2da25de6864778df536bf12da1bb24403b0b0081b4819f23ea8634b808c78c4b

                                              SHA512

                                              1362467869d41cf435551e73a6e976a6307413bc0c5975d70e878eedadf9e1f772a95a7680e91c84bc0d07ef08e379973d2aa223110f339281e456cdd71d0b24

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B

                                              MD5

                                              816d90c0986cea8629cde0d3e9e6e2c1

                                              SHA1

                                              3e361d1180568091b7fa64ed7b0b0261f70571da

                                              SHA256

                                              77220c52aaba45879322a522f6865ff11cb81fbbba4d7db82b1ab02f178bcb63

                                              SHA512

                                              52e0c0d080daa1b542f6ae524c43dd5516598ae5790a1aef51c4c98fc5c63618292549e99c00f41a9fb30bc0ae754cc92cb408afd623b200ce4b38643f9504ac

                                            • C:\Users\Admin\AppData\Local\Temp\1JZ2DT5CuV.bat

                                              Filesize

                                              194B

                                              MD5

                                              bbfba12a73dadae5339dead6d86d91ab

                                              SHA1

                                              bc9a27b58cd12e5f7252552a1d0ebc130e5287bc

                                              SHA256

                                              4b665b3b9c5da7551c460ef541e8ba51f4a3a63b6e6f9792369a6dfc9d33b73d

                                              SHA512

                                              859cede8d334720929f9275fcbea3b32500cf46e2e84cd03f54d1cb27cede602c0f959353e10bfe3f1ffc8452e7434473f16af07fe70442b383e53d8b6ef9d7d

                                            • C:\Users\Admin\AppData\Local\Temp\6uGRILFBWR.bat

                                              Filesize

                                              194B

                                              MD5

                                              0cdfadfe87ad6bbeb5f9240c897bbb12

                                              SHA1

                                              7a8553341e9a851f0b9381e08c8058b2199d25c5

                                              SHA256

                                              3aef607fbae25a66ea5dd89d573a0d748cc9777436f124b1e1ecbd84c3ce3665

                                              SHA512

                                              66b98c2df8d576917e3380841195205b9c1fc2331db231523907485a5ce76c2f05a27e1a9a3b7ffda00c5ddfc583ede226006aedc298f3c2fba0e8439c2f0a05

                                            • C:\Users\Admin\AppData\Local\Temp\Cab84DB.tmp

                                              Filesize

                                              70KB

                                              MD5

                                              49aebf8cbd62d92ac215b2923fb1b9f5

                                              SHA1

                                              1723be06719828dda65ad804298d0431f6aff976

                                              SHA256

                                              b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                              SHA512

                                              bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                            • C:\Users\Admin\AppData\Local\Temp\EzJh52oHEl.bat

                                              Filesize

                                              194B

                                              MD5

                                              3ef6315c31d60f53f23cb0216b9cf11c

                                              SHA1

                                              0e964d65fcd5928d4b17582384e87b9d201e2c3f

                                              SHA256

                                              88d56335e9a3afdc8e84ff04eac5d109bacfc04ba5309fb30281aaeddaffe16e

                                              SHA512

                                              41b887fcd8065e09e4367c7d60cd3ba6d0a0135b99c89f85bdee0268ae7413f766883e7d337f8abdc81f90c58bf261bc5151288fd8488cc51809018e659da788

                                            • C:\Users\Admin\AppData\Local\Temp\NHYDEKme3A.bat

                                              Filesize

                                              194B

                                              MD5

                                              2881b7500e3f9e3962ce35801160a372

                                              SHA1

                                              6d9655e3f89ce0286cd3efffc85b4e006383f50a

                                              SHA256

                                              677216f133866dd8e1412a261aa1572cc731db37861714395ae4d703a319108d

                                              SHA512

                                              c37b50790308515bb8bcf4bee0c2f44af57014bdabff2c8462df96e7c63b9de06f374dd24b716b5f9bf47305e94b49b9d7d3fb68af0bbaf23c52eb2ca69897e1

                                            • C:\Users\Admin\AppData\Local\Temp\Tar84EE.tmp

                                              Filesize

                                              181KB

                                              MD5

                                              4ea6026cf93ec6338144661bf1202cd1

                                              SHA1

                                              a1dec9044f750ad887935a01430bf49322fbdcb7

                                              SHA256

                                              8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                                              SHA512

                                              6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                            • C:\Users\Admin\AppData\Local\Temp\UucX7bnqC8.bat

                                              Filesize

                                              194B

                                              MD5

                                              39486da0dee234656d97a5e01300bf51

                                              SHA1

                                              0af7d553c10a642625a01a0f9ea165a63c7ba3d9

                                              SHA256

                                              40cdd8d0e5447d26c5b82fc6d0e3f1b40fe518452d94cdfd4c68724a3ad43ab3

                                              SHA512

                                              85a4661fb8f54aa731271fed3cd4fc5401f1026bc1d20a111990eb1a9bc217c6f28cbbff1458f1429a27a551779d154c7d806f6e59b52bd70a132d4895eb51ae

                                            • C:\Users\Admin\AppData\Local\Temp\ctDgUbHuaY.bat

                                              Filesize

                                              194B

                                              MD5

                                              cfcfddda7eb91bfb4b1b3e924bfa7aa7

                                              SHA1

                                              17e189662ae612cc82f1780d3df963711bed6820

                                              SHA256

                                              46c6c354ff1131b6d7535eb8c62fbbb281edd7f6af614ce2f9d65e24f3bcd5a8

                                              SHA512

                                              2d56ff0590483f07d2226f2abd1e62339faf5046d74cef4828e97aa518cee8bbc0c8e8c89e25045aefc8055e287da256ebb4d7c1d1fde2250e888e6936af43a8

                                            • C:\Users\Admin\AppData\Local\Temp\e2wUPJtRJp.bat

                                              Filesize

                                              194B

                                              MD5

                                              32ef73e8afa8e2c2444c173bc0b7aeb1

                                              SHA1

                                              0914f119e8e9f771edc2f3cdfcf47dbc036804c5

                                              SHA256

                                              44abf1e79fbea8499a4265699203e7ce413e12d8d88a4de545aa994fdc5a2288

                                              SHA512

                                              a862244f8af405de535889c6dd646ea3dc46f42d7a5360a59c04be3d64cdd8dd9117c4ca3602b7580f125c8ef0f505ac5d49cbeb0915478911e9dbe565b51ca0

                                            • C:\Users\Admin\AppData\Local\Temp\eKnLpNzAx9.bat

                                              Filesize

                                              194B

                                              MD5

                                              498f26750d979c963bf2f39e719d9422

                                              SHA1

                                              530cb9386ba48f51e1c57298629d1de23560acda

                                              SHA256

                                              b3a581f52af2ee7b8f5c6d1764708b3f194761413d58e4a33b8de320d2d45b93

                                              SHA512

                                              b129b94222ef66dad3218e5794ea23ecc641905c488b30983945fafb95622c466fcd3838ba9b7d5b722354609b4dc68085374658f80611a0a249320960ba16dc

                                            • C:\Users\Admin\AppData\Local\Temp\p5ITN63wlJ.bat

                                              Filesize

                                              194B

                                              MD5

                                              d0aa825741147b3499224f8ebcd3e7d2

                                              SHA1

                                              7589a8995411f56c34959dc0203707efab97c3a3

                                              SHA256

                                              de9af2cd25741f19e4508c7450b5448fa5aaf5583c38ac909ce61ca4a1d76314

                                              SHA512

                                              4021db0cc1cba540e573e6396dd514438c0f417efd1657516ccf3562c1c9362dc4007d29b2075c40ae68fe7c3f7a079a77291b79fff89b17fe4d759a0eb9f8d4

                                            • C:\Users\Admin\AppData\Local\Temp\syYKg8QxNI.bat

                                              Filesize

                                              194B

                                              MD5

                                              2d67fe18d8bb285294788b0cf172812b

                                              SHA1

                                              bf6000373cacf9f22fb4bd97a8078c08cd108b7b

                                              SHA256

                                              2cf6db670d04d4567a124ff8014364707dd52739ad46a8bc3e3272c4303c6623

                                              SHA512

                                              84b710d33d215ef084aa0cdf834deb969ca389939c71e84858652e0a951700c95e5467ccd5d7ce97f47929fdd9b269d5ec05b2345f4de40746cae27e8b3514ee

                                            • C:\Users\Admin\AppData\Local\Temp\xghrCifyI9.bat

                                              Filesize

                                              194B

                                              MD5

                                              cc80d5e9556692467637689d8cf663d9

                                              SHA1

                                              33a711e4e7f717d27ba44c02b51697089c4fc0f3

                                              SHA256

                                              0437d2be194bb663b0362322a75a06bfda5d56d0b4cfe15a24a0552fd913a0c0

                                              SHA512

                                              bf4c24f3affd3958bcfa0def2bc3812e9543a642c641ea822c815ce35cb22a1a664d9d95b51a24b2b40363fd193683202b0c90195f25822a9027e1c72812c018

                                            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                              Filesize

                                              7KB

                                              MD5

                                              1ad810ad4f589e13fd7fd6811d14bae5

                                              SHA1

                                              4014c507fcbae21456fa941175939f3f6bedb863

                                              SHA256

                                              9b96373c7b324a5f1d6d742ccbea4d6edbd4bef6571ecc2bd87ac6ec1427a7bf

                                              SHA512

                                              35b7fa560679a17e1c38223809fdf0cb2658692a38d5762c3a6d21700efa4f10654e20ca9502fcfc1d82802fcda4016ddfdc3fd418c0a4c0bfc2516cfac91d4b

                                            • C:\providercommon\1zu9dW.bat

                                              Filesize

                                              36B

                                              MD5

                                              6783c3ee07c7d151ceac57f1f9c8bed7

                                              SHA1

                                              17468f98f95bf504cc1f83c49e49a78526b3ea03

                                              SHA256

                                              8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

                                              SHA512

                                              c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                            • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                              Filesize

                                              197B

                                              MD5

                                              8088241160261560a02c84025d107592

                                              SHA1

                                              083121f7027557570994c9fc211df61730455bb5

                                              SHA256

                                              2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

                                              SHA512

                                              20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                            • \providercommon\DllCommonsvc.exe

                                              Filesize

                                              1.0MB

                                              MD5

                                              bd31e94b4143c4ce49c17d3af46bcad0

                                              SHA1

                                              f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                              SHA256

                                              b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                              SHA512

                                              f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                            • memory/2264-365-0x00000000002C0000-0x00000000002D2000-memory.dmp

                                              Filesize

                                              72KB

                                            • memory/2476-77-0x00000000028A0000-0x00000000028A8000-memory.dmp

                                              Filesize

                                              32KB

                                            • memory/2476-66-0x000000001B4F0000-0x000000001B7D2000-memory.dmp

                                              Filesize

                                              2.9MB

                                            • memory/2692-246-0x0000000001140000-0x0000000001250000-memory.dmp

                                              Filesize

                                              1.1MB

                                            • memory/2704-15-0x00000000002E0000-0x00000000002EC000-memory.dmp

                                              Filesize

                                              48KB

                                            • memory/2704-16-0x0000000000160000-0x000000000016C000-memory.dmp

                                              Filesize

                                              48KB

                                            • memory/2704-14-0x0000000000150000-0x0000000000162000-memory.dmp

                                              Filesize

                                              72KB

                                            • memory/2704-13-0x0000000000B60000-0x0000000000C70000-memory.dmp

                                              Filesize

                                              1.1MB

                                            • memory/2704-17-0x00000000002F0000-0x00000000002FC000-memory.dmp

                                              Filesize

                                              48KB

                                            • memory/2828-720-0x00000000013C0000-0x00000000014D0000-memory.dmp

                                              Filesize

                                              1.1MB

                                            • memory/2836-73-0x0000000001050000-0x0000000001160000-memory.dmp

                                              Filesize

                                              1.1MB