Analysis

  • max time kernel
    149s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    21-12-2024 20:50

General

  • Target

    JaffaCakes118_033b4f489ff522b074811a43a9d41dfa941a080b4b7c89012e486fe0427a47bf.exe

  • Size

    1.3MB

  • MD5

    e7631eb93c75e8ff8907259a2821ea5e

  • SHA1

    30439da50753ccf287e386f6e2c80c28fe82c5bd

  • SHA256

    033b4f489ff522b074811a43a9d41dfa941a080b4b7c89012e486fe0427a47bf

  • SHA512

    4d2759aa5ed9fcf788b850b6afea30eff47616b6382cfe1ad4d133d34af3af8b53077f3223d118c20ebee132f23654721b62c458c24070eac70f187114cf01e4

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 57 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 8 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 11 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 37 IoCs
  • Suspicious use of AdjustPrivilegeToken 31 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_033b4f489ff522b074811a43a9d41dfa941a080b4b7c89012e486fe0427a47bf.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_033b4f489ff522b074811a43a9d41dfa941a080b4b7c89012e486fe0427a47bf.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2236
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2328
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3028
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1044
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2760
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\it-IT\taskhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2796
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2420
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2668
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2324
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\conhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2908
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\dwm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1028
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Accessories\services.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1200
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\sppsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1684
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Videos\lsass.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1508
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1348
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jre7\lib\amd64\dwm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2804
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\winlogon.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1668
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Favorites\Idle.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2992
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\OSPPSVC.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2656
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ja-JP\wininit.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2352
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\winlogon.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1776
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Branding\ShellBrd\audiodg.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2116
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\Shared Gadgets\lsass.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2696
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2860
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nidhYZx2f1.bat"
            5⤵
              PID:2020
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                6⤵
                  PID:2660
                • C:\Windows\Branding\ShellBrd\audiodg.exe
                  "C:\Windows\Branding\ShellBrd\audiodg.exe"
                  6⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:236
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SRNviAgREO.bat"
                    7⤵
                      PID:2956
                      • C:\Windows\system32\w32tm.exe
                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                        8⤵
                          PID:1964
                        • C:\Windows\Branding\ShellBrd\audiodg.exe
                          "C:\Windows\Branding\ShellBrd\audiodg.exe"
                          8⤵
                          • Executes dropped EXE
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2640
                          • C:\Windows\System32\cmd.exe
                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\s1KW4B7p45.bat"
                            9⤵
                              PID:2008
                              • C:\Windows\system32\w32tm.exe
                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                10⤵
                                  PID:2436
                                • C:\Windows\Branding\ShellBrd\audiodg.exe
                                  "C:\Windows\Branding\ShellBrd\audiodg.exe"
                                  10⤵
                                  • Executes dropped EXE
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:880
                                  • C:\Windows\System32\cmd.exe
                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5ldsg1wMto.bat"
                                    11⤵
                                      PID:780
                                      • C:\Windows\system32\w32tm.exe
                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                        12⤵
                                          PID:2424
                                        • C:\Windows\Branding\ShellBrd\audiodg.exe
                                          "C:\Windows\Branding\ShellBrd\audiodg.exe"
                                          12⤵
                                          • Executes dropped EXE
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:2020
                                          • C:\Windows\System32\cmd.exe
                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\23CLvB8Ots.bat"
                                            13⤵
                                              PID:1580
                                              • C:\Windows\system32\w32tm.exe
                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                14⤵
                                                  PID:2252
                                                • C:\Windows\Branding\ShellBrd\audiodg.exe
                                                  "C:\Windows\Branding\ShellBrd\audiodg.exe"
                                                  14⤵
                                                  • Executes dropped EXE
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:2804
                                                  • C:\Windows\System32\cmd.exe
                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3j9hYFnRH7.bat"
                                                    15⤵
                                                      PID:2964
                                                      • C:\Windows\system32\w32tm.exe
                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                        16⤵
                                                          PID:2600
                                                        • C:\Windows\Branding\ShellBrd\audiodg.exe
                                                          "C:\Windows\Branding\ShellBrd\audiodg.exe"
                                                          16⤵
                                                          • Executes dropped EXE
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:2688
                                                          • C:\Windows\System32\cmd.exe
                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\v9lJjcBPjH.bat"
                                                            17⤵
                                                              PID:2420
                                                              • C:\Windows\system32\w32tm.exe
                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                18⤵
                                                                  PID:2360
                                                                • C:\Windows\Branding\ShellBrd\audiodg.exe
                                                                  "C:\Windows\Branding\ShellBrd\audiodg.exe"
                                                                  18⤵
                                                                  • Executes dropped EXE
                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:1936
                                                                  • C:\Windows\System32\cmd.exe
                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4Tm0GxqeGU.bat"
                                                                    19⤵
                                                                      PID:1656
                                                                      • C:\Windows\system32\w32tm.exe
                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                        20⤵
                                                                          PID:772
                                                                        • C:\Windows\Branding\ShellBrd\audiodg.exe
                                                                          "C:\Windows\Branding\ShellBrd\audiodg.exe"
                                                                          20⤵
                                                                          • Executes dropped EXE
                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          PID:2684
                                                                          • C:\Windows\System32\cmd.exe
                                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ap6i2Y3psm.bat"
                                                                            21⤵
                                                                              PID:2680
                                                                              • C:\Windows\system32\w32tm.exe
                                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                22⤵
                                                                                  PID:1928
                                                                                • C:\Windows\Branding\ShellBrd\audiodg.exe
                                                                                  "C:\Windows\Branding\ShellBrd\audiodg.exe"
                                                                                  22⤵
                                                                                  • Executes dropped EXE
                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                  PID:292
                                                                                  • C:\Windows\System32\cmd.exe
                                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EYKlAcFNfO.bat"
                                                                                    23⤵
                                                                                      PID:1088
                                                                                      • C:\Windows\system32\w32tm.exe
                                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                        24⤵
                                                                                          PID:3028
                                                                                        • C:\Windows\Branding\ShellBrd\audiodg.exe
                                                                                          "C:\Windows\Branding\ShellBrd\audiodg.exe"
                                                                                          24⤵
                                                                                          • Executes dropped EXE
                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:2828
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\taskhost.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2804
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\it-IT\taskhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2888
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\taskhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2648
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2732
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2636
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2696
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\csrss.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2332
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\csrss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1092
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\csrss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2868
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\providercommon\taskhost.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2020
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1484
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2472
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\conhost.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2688
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\conhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2820
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\conhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2952
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Media Player\dwm.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:3004
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\dwm.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2856
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Media Player\dwm.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2680
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows NT\Accessories\services.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2488
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\services.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:800
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows NT\Accessories\services.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1764
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2172
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1912
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2372
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Videos\lsass.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1868
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default\Videos\lsass.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1916
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Videos\lsass.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:340
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\providercommon\spoolsv.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:448
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:708
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2504
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Java\jre7\lib\amd64\dwm.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:856
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\lib\amd64\dwm.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2424
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\jre7\lib\amd64\dwm.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2128
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\winlogon.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1144
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\winlogon.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2364
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\winlogon.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:276
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Favorites\Idle.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1376
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\All Users\Favorites\Idle.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2136
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Favorites\Idle.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1900
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\OSPPSVC.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1032
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2964
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2076
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Windows\ja-JP\wininit.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2032
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\ja-JP\wininit.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2588
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Windows\ja-JP\wininit.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:536
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\winlogon.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1724
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:804
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2412
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Windows\Branding\ShellBrd\audiodg.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2168
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\Branding\ShellBrd\audiodg.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2192
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Windows\Branding\ShellBrd\audiodg.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2280
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\lsass.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2568
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\lsass.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1700
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\lsass.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2012
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:580
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2920
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2936

                                          Network

                                          MITRE ATT&CK Enterprise v15

                                          Replay Monitor

                                          Loading Replay Monitor...

                                          Downloads

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                            Filesize

                                            342B

                                            MD5

                                            7cf0266379a9098de07c69d3ab2ad82b

                                            SHA1

                                            0bf48149adf304eeb4f94b998f9a73a415ec1424

                                            SHA256

                                            eecceebe31774348f90bb810bce3479ee3509a0f3199a58a525b9cfae6e4c84a

                                            SHA512

                                            4d4ca709af432e3ecebab587bbad9d641b70b413c6a62248353fe3c4c28ec423beaf67bdf39db7880506afb9c6dcba6ab3d9a653bca249f1654f4f6537206604

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                            Filesize

                                            342B

                                            MD5

                                            9b0267b5a0b12fc923e87ec729fe4336

                                            SHA1

                                            b5996a75d126ce4ab7ec0346bbdae57ac71b293d

                                            SHA256

                                            d5bdea34cab0293cae812f73124221eab4823f89eccb07c1a245557a9f6d207e

                                            SHA512

                                            539b1b7bdb156f7882a72fd05633990713e87cca9ad9bdfc1168f41791c07b90fa6485036f5dd14b09904d389a7535972acae8679e9744e26115261b570b4e7c

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                            Filesize

                                            342B

                                            MD5

                                            0317211208f66de8e433f616a93ec715

                                            SHA1

                                            aa31c1a673fdf18a61f80271c70ac7a305098420

                                            SHA256

                                            f4c4d8ee42f189cd88c01444fffa8843f8f55cf3aee99352f0228ea06c83ead1

                                            SHA512

                                            285069f9330054f4e8c3cbb746ab94f1f57f676f5a55fcba77fc782559188585b8941029c4a50fc187784dcc8e85ce439daa61bbc4d414c4205503ddb946bed5

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                            Filesize

                                            342B

                                            MD5

                                            03480acfcc1d46b2e3b1aa7c1fa029e5

                                            SHA1

                                            9db35b78ee84e050acd399cc62bbcec1bc75984c

                                            SHA256

                                            76a34cf74b44be991cc54f2fbd0582a3da97463c23eafcf6445b4709158f0a8f

                                            SHA512

                                            2a44e960b5840398f7be6cf632ac1ce45262b04852ff16cd4e98ec6db289bb0a25831ded03acb0083e32b98152ab0ec04cdaf17074996b6a7019732572ec27f4

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                            Filesize

                                            342B

                                            MD5

                                            5973ca6487780369f4e3e216c91c352c

                                            SHA1

                                            4dc4080cabaf168c6fea87d476dc8554fbf46eea

                                            SHA256

                                            ac788f02231c94458c0d4f10926c7eaa120235fdb7d78d05a03fda3838453d4a

                                            SHA512

                                            01f807cb93a257cd608fcacdcc91cf6a6b5ad0052bd44703669181d4439a790611e255e63fbbf34da7e1bcba33ab466f639822b8d902990d260376447e7acf15

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                            Filesize

                                            342B

                                            MD5

                                            71cd6e3faaad08425de484da2d9b7952

                                            SHA1

                                            74f3c5d8ae698218631d04c490ef166674af8b38

                                            SHA256

                                            de1fe058b8026e3c35d86a18145ccb789896ebacde82df506b5fef5b410b6686

                                            SHA512

                                            fef075e536681c8ab2e848cfd69d22b80d261d6949dd91fe38ecf6ed26fbbea006c24479827056d53e9ddf993670543204f8a955eda811688da293e54bfc40b9

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                            Filesize

                                            342B

                                            MD5

                                            9bd2958765b6f9b993ddb72e724666ce

                                            SHA1

                                            6c8ebb87b13fed501316fb133108cab68e555945

                                            SHA256

                                            68ccd9252306bbfe03d9fab51a40c36c060bd437a3a524b2c6b5432b018ef74a

                                            SHA512

                                            43798d4b741f94aeef9ad0819a1d9793ac4c57bf101a01c8964b49302e3d1b767c39bd510a6a849f8e5d2132ce37c90ab215a257120b6137fc64fabab461e869

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                            Filesize

                                            342B

                                            MD5

                                            fc31ed2cfe190adf7aafd3ce56bf3df5

                                            SHA1

                                            3eec07c1d16370894eb15790c5f0f7c33259f4a5

                                            SHA256

                                            a8f5766c29695ec038dbea4e78752503ff4f02991f8aa8026eb1e1a0b86e73f9

                                            SHA512

                                            3bac5c042d2169ee6484ab1859034296c59814ffb674f91c521837850ce89eb5e41e00fc55d9e129c07f5579e570a69f7d8c55484a7e2a4c2e0ba6d9a309965f

                                          • C:\Users\Admin\AppData\Local\Temp\23CLvB8Ots.bat

                                            Filesize

                                            205B

                                            MD5

                                            f8adab149e7bcf2683b6dafc6686a2c0

                                            SHA1

                                            71cb571132d72903838be4df554262430fb54bdf

                                            SHA256

                                            ab7a7b16d82421c30efc5e70698a2e35bd9c708ef610d7248a31a6f9cbaf52b4

                                            SHA512

                                            4131aaeb00eaa37dbbe7aff03a4204df539fe546224fee0158e5d4786f3dd8c5f34bad9034f376a0693a15bfafe6738663abac4e81023335f92124acf688745a

                                          • C:\Users\Admin\AppData\Local\Temp\3j9hYFnRH7.bat

                                            Filesize

                                            205B

                                            MD5

                                            dda9b1ac6658d56232e32b9430ec5324

                                            SHA1

                                            bbc83b79be52c96bbf64a46a85510e4f8a34238f

                                            SHA256

                                            4b56e05be1604ad573a2654303e707ad4640b6c9d56a3cca80f252f07e45f927

                                            SHA512

                                            3347f7748d53529c6ac2e40991328b6db29a617f6822d6d512b94e058c49e5d35f08d7127e5606139c3724e852b5077840b6d2497e71f724a290ed07e3919fdd

                                          • C:\Users\Admin\AppData\Local\Temp\4Tm0GxqeGU.bat

                                            Filesize

                                            205B

                                            MD5

                                            914980402614fbcb2cbcac2ee7b16fdb

                                            SHA1

                                            41967ed5dfbfc89624fa1af3183449c96f442d24

                                            SHA256

                                            1e9ab0547496465f1af266260c0f0ebe44caae0c5b0991792a5855fe67ec53bf

                                            SHA512

                                            e6ca9ecc39b717011a0f739d6fe8e73999c25a3700b03cbeeac8506adebceef5e018bfe747dd537c0896b3e643fcbc14f14c5c3599b393f82e3e26213d8315df

                                          • C:\Users\Admin\AppData\Local\Temp\5ldsg1wMto.bat

                                            Filesize

                                            205B

                                            MD5

                                            074f1689edf942569ab7cbb141da7086

                                            SHA1

                                            d08c5da1b41556964161a7a0d729c27e218c6b1f

                                            SHA256

                                            c0120365ecfff96d3ce5f804ccabe95d9543674349248ecdae3f80aca8599367

                                            SHA512

                                            901fa9211caa7a0380b3bd85b2aa59e4dc4ffc64cca5c09856656787303defc8fa83d0c4fe992fb400d1849b7bde777d86aeec4d503b9233f0f7564c63a547ab

                                          • C:\Users\Admin\AppData\Local\Temp\Ap6i2Y3psm.bat

                                            Filesize

                                            205B

                                            MD5

                                            334c6f16c5a94e7337ea72e36ef84155

                                            SHA1

                                            0f84089a1387ab6bd487647225b6459a82aa6193

                                            SHA256

                                            67e2ce0403a0ee5fd9dd0c3a646abc38f97e4a01d365b387acc2535d394405f8

                                            SHA512

                                            8cf3f7dcd0da89eed7ae23cbb8cdeecbf486d47a388e476332a7aa7eb54da5c35633334efd1a93d8c4fffbc1b36741c7f6862c145bed5a589b8a989876f39bc0

                                          • C:\Users\Admin\AppData\Local\Temp\Cab2020.tmp

                                            Filesize

                                            70KB

                                            MD5

                                            49aebf8cbd62d92ac215b2923fb1b9f5

                                            SHA1

                                            1723be06719828dda65ad804298d0431f6aff976

                                            SHA256

                                            b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                            SHA512

                                            bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                          • C:\Users\Admin\AppData\Local\Temp\EYKlAcFNfO.bat

                                            Filesize

                                            205B

                                            MD5

                                            3eb2b5893799b7c28a75c801ed820dab

                                            SHA1

                                            bac0823f0085e6559b0c4465ab00158bffe85a0e

                                            SHA256

                                            1320414c6a1d11b65c1b7886a65d2e558186b0eed0255c672da7b24acfa570e4

                                            SHA512

                                            6934b123e48476179e0a4be814c98095eec5a10bfcee2440a29a438ce3316c71f99d0c06ad07d5e292c729deee4fcc679e9b81dac718172eb400968d50e9387b

                                          • C:\Users\Admin\AppData\Local\Temp\SRNviAgREO.bat

                                            Filesize

                                            205B

                                            MD5

                                            32f801eb2d191ca0aebdb632deb34b2a

                                            SHA1

                                            feeba455979c0f45fa67ce5f751c165a4c82003b

                                            SHA256

                                            3dd846400e380024f79960733d1d5e64b853a13ba5ebe33ba572f2f568168bfd

                                            SHA512

                                            259846dbb02123b0f8f229aad2ddab9162d72e87f3d4a6cb836c346fcaf8399d1960ffb40e1c8816a51ad9ccd477f2686b3e96a97d4c6b0cb55988794c42ee78

                                          • C:\Users\Admin\AppData\Local\Temp\Tar2052.tmp

                                            Filesize

                                            181KB

                                            MD5

                                            4ea6026cf93ec6338144661bf1202cd1

                                            SHA1

                                            a1dec9044f750ad887935a01430bf49322fbdcb7

                                            SHA256

                                            8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                                            SHA512

                                            6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                          • C:\Users\Admin\AppData\Local\Temp\nidhYZx2f1.bat

                                            Filesize

                                            205B

                                            MD5

                                            d67780a4d021266aa3d6f3130e8e9fc0

                                            SHA1

                                            e9e6a14dd3c7ad0e6a3fc57e2c5cad448a70f385

                                            SHA256

                                            cc0aec388fbc3d19508a59acc8b9664ce561f16705bd0fe6dc6ca8e1aea4012a

                                            SHA512

                                            bda26f6eea4a70064b0491891d5b3621d60958f675e0b06115cd8b4fd531cfb520d0ef82b3ae52c1ac09c53e1cb36c30eddfbffdae8afa6a9d2dadc2d1ddb923

                                          • C:\Users\Admin\AppData\Local\Temp\s1KW4B7p45.bat

                                            Filesize

                                            205B

                                            MD5

                                            53e2e41ef02df497b5fdf3932270d3ae

                                            SHA1

                                            9a4a8938d2efc04828b9d746effdaabe2fe0b1e1

                                            SHA256

                                            e66aade1dd64171af205d36aabf04a80ebfd480a6975787fde3ec5900f8c6a42

                                            SHA512

                                            f76e9697e0a781a2b8bb3758657c80b57f4f68726f0125c79f390da6abed1a8aa3d113e9614c8916d5f873bb50ecbbce71b454e404c1a651e11ba0a20ee58a91

                                          • C:\Users\Admin\AppData\Local\Temp\v9lJjcBPjH.bat

                                            Filesize

                                            205B

                                            MD5

                                            2592693aaef533cc4233fb7d5facc83d

                                            SHA1

                                            93768dd7e20ab8c8fdebc0d7b2f7c78bd0b638b9

                                            SHA256

                                            1dec952aaaa824f37bebb972f1862d71542658a9088ee58bdabbb81cdf000eb6

                                            SHA512

                                            57bbaae795a057adf01c9153866917944ef51ed1b1c5729cb266a0f442ee45a22cce93fc6b9518ea8ac12401c18b79003c04b226f9f0c712aae8eaf32c9bb9b3

                                          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                            Filesize

                                            7KB

                                            MD5

                                            650f1c15728513419fff6f41c76edcca

                                            SHA1

                                            fae0cac51a1dfc585fc956dd5c252b64187c3253

                                            SHA256

                                            fa7122d1f0a38958b9d29b2da7bb7466d5b8af422ff539e4c84969c075c7f370

                                            SHA512

                                            8b1786348ba9796bd30f7201f8d378b24aeed10b242ba93b6e1180cbd1d1c858ddf2e8025dfb2e99607553936899d9097abe0659db61f21e51cef5e2a804b10f

                                          • C:\providercommon\1zu9dW.bat

                                            Filesize

                                            36B

                                            MD5

                                            6783c3ee07c7d151ceac57f1f9c8bed7

                                            SHA1

                                            17468f98f95bf504cc1f83c49e49a78526b3ea03

                                            SHA256

                                            8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

                                            SHA512

                                            c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                          • C:\providercommon\DllCommonsvc.exe

                                            Filesize

                                            1.0MB

                                            MD5

                                            bd31e94b4143c4ce49c17d3af46bcad0

                                            SHA1

                                            f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                            SHA256

                                            b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                            SHA512

                                            f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                          • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                            Filesize

                                            197B

                                            MD5

                                            8088241160261560a02c84025d107592

                                            SHA1

                                            083121f7027557570994c9fc211df61730455bb5

                                            SHA256

                                            2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

                                            SHA512

                                            20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                          • memory/236-162-0x0000000000B40000-0x0000000000C50000-memory.dmp

                                            Filesize

                                            1.1MB

                                          • memory/292-638-0x0000000000F00000-0x0000000001010000-memory.dmp

                                            Filesize

                                            1.1MB

                                          • memory/1044-13-0x00000000000B0000-0x00000000001C0000-memory.dmp

                                            Filesize

                                            1.1MB

                                          • memory/1044-14-0x00000000002C0000-0x00000000002D2000-memory.dmp

                                            Filesize

                                            72KB

                                          • memory/1044-15-0x00000000002E0000-0x00000000002EC000-memory.dmp

                                            Filesize

                                            48KB

                                          • memory/1044-17-0x00000000002F0000-0x00000000002FC000-memory.dmp

                                            Filesize

                                            48KB

                                          • memory/1044-16-0x00000000002D0000-0x00000000002DC000-memory.dmp

                                            Filesize

                                            48KB

                                          • memory/1936-518-0x0000000000970000-0x0000000000A80000-memory.dmp

                                            Filesize

                                            1.1MB

                                          • memory/2324-81-0x0000000002870000-0x0000000002878000-memory.dmp

                                            Filesize

                                            32KB

                                          • memory/2324-79-0x000000001B7B0000-0x000000001BA92000-memory.dmp

                                            Filesize

                                            2.9MB

                                          • memory/2640-221-0x00000000012E0000-0x00000000013F0000-memory.dmp

                                            Filesize

                                            1.1MB

                                          • memory/2684-578-0x00000000009E0000-0x0000000000AF0000-memory.dmp

                                            Filesize

                                            1.1MB

                                          • memory/2688-458-0x0000000000130000-0x0000000000240000-memory.dmp

                                            Filesize

                                            1.1MB