Analysis

  • max time kernel
    150s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    21-12-2024 20:53

General

  • Target

    JaffaCakes118_ef0b5331182f0ef12275d536d5a16f61f2ab77aa7a9df7e4fde1de247884a218.exe

  • Size

    1.3MB

  • MD5

    5b1573fb9f71a41b9399e10eebc73cf1

  • SHA1

    ae3caf1f1a3173807f818bfdeedf131986793d67

  • SHA256

    ef0b5331182f0ef12275d536d5a16f61f2ab77aa7a9df7e4fde1de247884a218

  • SHA512

    6943124bf3ee815c861e2bcdc190f2e8e8afe26dcd29723e65a1d17e5749a66f9f1ef3e0b1384ffcde5f7ff91aafbca21d1fa9eca2b86690050b9361309e519e

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 42 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 10 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 31 IoCs
  • Suspicious use of AdjustPrivilegeToken 27 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ef0b5331182f0ef12275d536d5a16f61f2ab77aa7a9df7e4fde1de247884a218.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ef0b5331182f0ef12275d536d5a16f61f2ab77aa7a9df7e4fde1de247884a218.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2948
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2960
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1776
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2092
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:988
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\explorer.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2184
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\addins\cmd.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3060
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\services.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1716
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\es-ES\cmd.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1360
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Application Data\lsass.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1488
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dwm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1596
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\RedistList\smss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1188
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\Sample Pictures\explorer.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1584
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Videos\dwm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1580
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PCHEALTH\wininit.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1436
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework64\1040\services.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2152
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\System.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:896
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\spoolsv.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:880
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\spoolsv.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1260
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\noFB8H0MwD.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2200
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:1432
              • C:\Users\Public\Pictures\Sample Pictures\explorer.exe
                "C:\Users\Public\Pictures\Sample Pictures\explorer.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:2768
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8KwMxVG80h.bat"
                  7⤵
                    PID:2860
                    • C:\Windows\system32\w32tm.exe
                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                      8⤵
                        PID:3068
                      • C:\Users\Public\Pictures\Sample Pictures\explorer.exe
                        "C:\Users\Public\Pictures\Sample Pictures\explorer.exe"
                        8⤵
                        • Executes dropped EXE
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1844
                        • C:\Windows\System32\cmd.exe
                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nGW3UwTeX7.bat"
                          9⤵
                            PID:1712
                            • C:\Windows\system32\w32tm.exe
                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                              10⤵
                                PID:912
                              • C:\Users\Public\Pictures\Sample Pictures\explorer.exe
                                "C:\Users\Public\Pictures\Sample Pictures\explorer.exe"
                                10⤵
                                • Executes dropped EXE
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of AdjustPrivilegeToken
                                PID:2716
                                • C:\Windows\System32\cmd.exe
                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat"
                                  11⤵
                                    PID:2920
                                    • C:\Windows\system32\w32tm.exe
                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                      12⤵
                                        PID:2764
                                      • C:\Users\Public\Pictures\Sample Pictures\explorer.exe
                                        "C:\Users\Public\Pictures\Sample Pictures\explorer.exe"
                                        12⤵
                                        • Executes dropped EXE
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:1588
                                        • C:\Windows\System32\cmd.exe
                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\K3fI8Bd254.bat"
                                          13⤵
                                            PID:2164
                                            • C:\Windows\system32\w32tm.exe
                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                              14⤵
                                                PID:1704
                                              • C:\Users\Public\Pictures\Sample Pictures\explorer.exe
                                                "C:\Users\Public\Pictures\Sample Pictures\explorer.exe"
                                                14⤵
                                                • Executes dropped EXE
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:2420
                                                • C:\Windows\System32\cmd.exe
                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gJVLZ7RDs3.bat"
                                                  15⤵
                                                    PID:2916
                                                    • C:\Windows\system32\w32tm.exe
                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                      16⤵
                                                        PID:2976
                                                      • C:\Users\Public\Pictures\Sample Pictures\explorer.exe
                                                        "C:\Users\Public\Pictures\Sample Pictures\explorer.exe"
                                                        16⤵
                                                        • Executes dropped EXE
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:3000
                                                        • C:\Windows\System32\cmd.exe
                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1F0LTC0kP2.bat"
                                                          17⤵
                                                            PID:1556
                                                            • C:\Windows\system32\w32tm.exe
                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                              18⤵
                                                                PID:2872
                                                              • C:\Users\Public\Pictures\Sample Pictures\explorer.exe
                                                                "C:\Users\Public\Pictures\Sample Pictures\explorer.exe"
                                                                18⤵
                                                                • Executes dropped EXE
                                                                • Suspicious behavior: EnumeratesProcesses
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:2316
                                                                • C:\Windows\System32\cmd.exe
                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kvUluF99a5.bat"
                                                                  19⤵
                                                                    PID:1476
                                                                    • C:\Windows\system32\w32tm.exe
                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                      20⤵
                                                                        PID:2452
                                                                      • C:\Users\Public\Pictures\Sample Pictures\explorer.exe
                                                                        "C:\Users\Public\Pictures\Sample Pictures\explorer.exe"
                                                                        20⤵
                                                                        • Executes dropped EXE
                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        PID:2356
                                                                        • C:\Windows\System32\cmd.exe
                                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6SU00hIhBO.bat"
                                                                          21⤵
                                                                            PID:1976
                                                                            • C:\Windows\system32\w32tm.exe
                                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                              22⤵
                                                                                PID:316
                                                                              • C:\Users\Public\Pictures\Sample Pictures\explorer.exe
                                                                                "C:\Users\Public\Pictures\Sample Pictures\explorer.exe"
                                                                                22⤵
                                                                                • Executes dropped EXE
                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                PID:2136
                                                                                • C:\Windows\System32\cmd.exe
                                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vhzsSyDvNE.bat"
                                                                                  23⤵
                                                                                    PID:1760
                                                                                    • C:\Windows\system32\w32tm.exe
                                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                      24⤵
                                                                                        PID:2740
                                                                                      • C:\Users\Public\Pictures\Sample Pictures\explorer.exe
                                                                                        "C:\Users\Public\Pictures\Sample Pictures\explorer.exe"
                                                                                        24⤵
                                                                                        • Executes dropped EXE
                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                        PID:2436
                                                                                        • C:\Windows\System32\cmd.exe
                                                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KqyXtY4PgZ.bat"
                                                                                          25⤵
                                                                                            PID:680
                                                                                            • C:\Windows\system32\w32tm.exe
                                                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                              26⤵
                                                                                                PID:660
                                                                                              • C:\Users\Public\Pictures\Sample Pictures\explorer.exe
                                                                                                "C:\Users\Public\Pictures\Sample Pictures\explorer.exe"
                                                                                                26⤵
                                                                                                • Executes dropped EXE
                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                PID:1628
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\explorer.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1800
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2864
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2704
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Windows\addins\cmd.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2532
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\addins\cmd.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2552
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Windows\addins\cmd.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2604
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\providercommon\services.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1852
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:604
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1448
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Mail\es-ES\cmd.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2060
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\es-ES\cmd.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1668
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Mail\es-ES\cmd.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1956
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Application Data\lsass.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1944
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:912
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Application Data\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1720
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dwm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1020
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2496
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1008
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\smss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1760
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\smss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2820
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\smss.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2520
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Pictures\Sample Pictures\explorer.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2860
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\explorer.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2572
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Pictures\Sample Pictures\explorer.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2360
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Videos\dwm.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2852
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default\Videos\dwm.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2084
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Videos\dwm.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2936
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Windows\PCHEALTH\wininit.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1140
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\PCHEALTH\wininit.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1088
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Windows\PCHEALTH\wininit.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2828
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Windows\Microsoft.NET\Framework64\1040\services.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1796
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\Framework64\1040\services.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1752
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Windows\Microsoft.NET\Framework64\1040\services.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1916
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\System.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:680
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\System.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1576
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\System.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:824
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\spoolsv.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2356
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1284
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:788
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\spoolsv.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1464
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1844
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2056

                                            Network

                                            MITRE ATT&CK Enterprise v15

                                            Downloads

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B

                                              MD5

                                              8e536fce05ac99dd8d503c87502ceecf

                                              SHA1

                                              68a5c91c7cf920f794bf632cd8b2830697caa253

                                              SHA256

                                              5308b264ff9754bc8ac5a7b210c75e0a24b426d7aa2820fa0772b39efc9081f1

                                              SHA512

                                              93f1a690fa67b8d90f79d305cd674c9fdd69a702c90db9007de1708f3d0fb1e5d5e16216bf7b5f44adc7c69fe6f6109360e44e0869814da36139ba504554aa20

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B

                                              MD5

                                              894c280a748998b60073d1e683e2defa

                                              SHA1

                                              d694fb8294c85686669ce083019a1a51f6919b2e

                                              SHA256

                                              64d11188a1879716749cbf3b0365c877f6f009d12161ee452585807da7b65325

                                              SHA512

                                              b56c579a7bf3ae05ca6a651cefc2cacdeb003a3bef20ddf311ae38044d65b1b1487448f364262d5e125c1155edd2ee1ccb6b0b2e3b88f2ac2c7bcf3a2b18f6ca

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B

                                              MD5

                                              9269ab2644a252297c428a09dd6da188

                                              SHA1

                                              fc106449154458cb28011ad65705ba08d74caae1

                                              SHA256

                                              30d6c09d83ec7b494ece3dbd0e2e4b036d8c0f8e79ceb71e46f7086e33d272e3

                                              SHA512

                                              ba6f787ef57085146fea58eb54081af871b7f6e829eed304f4e61b4a33750aeb85906cda0fb92cf26c880f2c79dc8a4a8e609d2f65a58e0b7b645fda01664245

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B

                                              MD5

                                              8d9ae956391b212017678448cf27367a

                                              SHA1

                                              ffc6fccd461b13b16f5ccec5f6b7092e6c1603a2

                                              SHA256

                                              123bc6d1cb42cc36b01097330095bf38c6a9dff0437bbb1e00136d1fb757bf27

                                              SHA512

                                              4c546af85da54434a3757d9b6cedf1d7353c04ad99c2f901cefd5f2f146e0a497ea2f22a72f5fcb4c6a136442057874455b899fdaf43cc93c86e3dfb3df95819

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B

                                              MD5

                                              d746344a2aa1a34c8e565906751ddaa8

                                              SHA1

                                              a67f3d8571f23ab0230549a50e185f13c46fe789

                                              SHA256

                                              6ed775cc028622bc2bb1e3ddce68136f9a4a52bea4df82605f6d8b2080394915

                                              SHA512

                                              0ece1a87389c645cb1c6f61555d1868f037f4282bbef7b67a6f7dc126d86df4bb0858175bf326e68eeaff6bfbc379d0dcea3540c9f0ffc65c4823ae07bf6de35

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B

                                              MD5

                                              7aa5a667afe732ba61d4e989a5da0572

                                              SHA1

                                              0fd62776bd23d741efb7b002e0d967cd7d88ef9e

                                              SHA256

                                              788b918ddd8d90f2dde2b91b3700dc622d8ea98fafea13231ccaa2b00d24e9ac

                                              SHA512

                                              4d56186c1898d7d054eed1d9600eac01f67f9cb8cc8414f537c87ef4ccf60fe853c67ec279fb50293281e6188cf8fce3845d752a54ddcb1ec7cca173a9ebe5d0

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B

                                              MD5

                                              b5375a6134000b7166a7ef44c58a45d7

                                              SHA1

                                              65bc03cf5dce4b2e102723548e63004097c52b91

                                              SHA256

                                              a4c842881fc9c49a8b7a5dbba31080fe6a501df1b15a9b626fa5ae20fa3f1f1f

                                              SHA512

                                              9c9883a0a349ff69fa17326ceeccb57c065cecc4095c12fc64e7b61e16ae122dac388d5f3f7337de86d005a01f83391ca238ddb5b44d601ccf475aab23e1faf1

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B

                                              MD5

                                              3b21f9d4c06dc2745e9ea99dc200963b

                                              SHA1

                                              cdd7a1820cf1b9a34d3147a15e5cc65123834883

                                              SHA256

                                              bd000d6558e45d0ce7e22dfbf6aa8f26cfa252c38f1b6a8ca3a2c56313ae9030

                                              SHA512

                                              8f533cd9528e8373359cda294621755646ef9a8c65238bdf7feb876a641cd7e89d2d49bae63f36d8a4358770ad9833f260bf03868c0902df2d13a366c1d9bcc8

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B

                                              MD5

                                              d2ffa2e77845cabc34ac6147ea954c6d

                                              SHA1

                                              581e61ca1ded3975f9d604d5df7ce93c5922c1de

                                              SHA256

                                              3e349737566f816c4947254200f78e5dd6999c4f0e25f3b9d7a183a2bc6cdfba

                                              SHA512

                                              7a3856fb36b4b6035c78a859386e72490c92bbc524e98116d03007fada60c4d0ddbc2e51cdcdd1ecbf16f3646c895e12ce393db8be57ee851f4aaa4f3688129c

                                            • C:\Users\Admin\AppData\Local\Temp\1F0LTC0kP2.bat

                                              Filesize

                                              218B

                                              MD5

                                              10d4c0b840b691f6dd75225db63d46bc

                                              SHA1

                                              b53aef2746a23c9e2042f7b55487a789d8fe5b23

                                              SHA256

                                              1a9a55e4f6206f249bdf3b056200f14ea068d8ff958bf7876ae6beb319708e37

                                              SHA512

                                              d20462f04af04fdc856de37c2837da0a8b9e7b80f6d3e45a65150b5ad4002dbc124f90a3b92944da4c371735701faf493565c23032e4f9a38923afb98e4c4b35

                                            • C:\Users\Admin\AppData\Local\Temp\6SU00hIhBO.bat

                                              Filesize

                                              218B

                                              MD5

                                              deb4267de8b2ec5038f5f78f61faee8b

                                              SHA1

                                              a15a4d67672982a55e53bd54afbb5c5bd442684e

                                              SHA256

                                              9ab9fa47b1f793ac3e46471397c6ce3195702e629d196495054d3eaea704b06b

                                              SHA512

                                              68efb3a44842babec86c40e8477e42769f121f78530066d263bc76e50bc8d558344eecb6a03ef9d622d4b8309d054fbf0a2c6438db8c27cd9d15a9fa4a3989ad

                                            • C:\Users\Admin\AppData\Local\Temp\8KwMxVG80h.bat

                                              Filesize

                                              218B

                                              MD5

                                              5529fcf5b1eacb9715fed8a23db5c91f

                                              SHA1

                                              b21b8b3fe683b34c37661ab9af4dd9c0bbe1d3ca

                                              SHA256

                                              c82846e903afef4757a5244cca8fc149a8b0bad398dbcfdf33dd76021e2fbabb

                                              SHA512

                                              515a072dc2753a9e1b098ac9cafe509ad562f90b1eb75309ff66353663671c0d135b9b7d57834792ad107c38ab90946a4881cca3c676a52c6dc040ba461a2fcc

                                            • C:\Users\Admin\AppData\Local\Temp\Cab23E7.tmp

                                              Filesize

                                              70KB

                                              MD5

                                              49aebf8cbd62d92ac215b2923fb1b9f5

                                              SHA1

                                              1723be06719828dda65ad804298d0431f6aff976

                                              SHA256

                                              b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                              SHA512

                                              bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                            • C:\Users\Admin\AppData\Local\Temp\K3fI8Bd254.bat

                                              Filesize

                                              218B

                                              MD5

                                              31966be8edcfd7d162ade2177b34d6de

                                              SHA1

                                              9e17011edfee2c3c199f1685887c39ffe13257bc

                                              SHA256

                                              ea72f4f732b7b083ac160cf2632ed51310173668585d79ab8eedc21004d7b6ed

                                              SHA512

                                              1928eda748919f939a06b81865b680df19fe5eea933bbffd7630e94cf68995d19d1e83b671348a4012298405ff6b4c5291ce84aa9c69e4335f4b414728d2faa5

                                            • C:\Users\Admin\AppData\Local\Temp\KqyXtY4PgZ.bat

                                              Filesize

                                              218B

                                              MD5

                                              9a33112422770657a7059687233c1e81

                                              SHA1

                                              7df34b3a08fff9edf4ab498edfffd206c1e206aa

                                              SHA256

                                              24bc31a02ac261d0261bbd5d141a4a627f647f8bce116be1875084302b31493e

                                              SHA512

                                              cec6055266f6edf4be852c6893ef946a5e5f6a62d58e259541cb09b80bf6b7942951668f65f478898c1e59fa3bb51c31472085293d25f520e9984e801a9c787f

                                            • C:\Users\Admin\AppData\Local\Temp\Tar23FA.tmp

                                              Filesize

                                              181KB

                                              MD5

                                              4ea6026cf93ec6338144661bf1202cd1

                                              SHA1

                                              a1dec9044f750ad887935a01430bf49322fbdcb7

                                              SHA256

                                              8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                                              SHA512

                                              6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                            • C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat

                                              Filesize

                                              218B

                                              MD5

                                              7f3482f4b0acd929a159a43ac5b4f972

                                              SHA1

                                              cd771a21afa2a804e028e83772f791f748037654

                                              SHA256

                                              9be43e65ba1e44d091f67e887cfb859246756d032b33a96eeb409a26171cfb89

                                              SHA512

                                              8a08f4cc1b0905e246f282a032ca4009afb4d045b15c8851d0de8aa09165d37b4e0a78913fc1146bd7d8bfcdf485113c6ba22a60f92e927f17c0247c82af6b9e

                                            • C:\Users\Admin\AppData\Local\Temp\gJVLZ7RDs3.bat

                                              Filesize

                                              218B

                                              MD5

                                              3edb6328f4066c0e569a56f546ad6cd1

                                              SHA1

                                              186778ce9a137f51e8efe7b715b06cb734cee7e7

                                              SHA256

                                              be2205006178d19360557dd4b3d7ff6e736cbbeb89bc391fe51a98a01d039a7b

                                              SHA512

                                              5aebd6b4c26985571c7e954349b4b082cc832364cd4bb0777b20a0b14a6c1f57eb8dbfba8fbaab3bdeaa2f26f839a3cd70de08f82dd5ec7c25d169b51b99ec1b

                                            • C:\Users\Admin\AppData\Local\Temp\kvUluF99a5.bat

                                              Filesize

                                              218B

                                              MD5
