Analysis

  • max time kernel
    146s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
  • submitted
    22-12-2024 00:40

General

  • Target

    JaffaCakes118_c2c415dede2a0358921b59bce8c7e0b0b00a58a62753dd4a432104b44f7eb7a8.exe

  • Size

    1.3MB

  • MD5

    85b4c5a022e22b245a7fb98fa9975522

  • SHA1

    182af5ee0090daa84c683bbd9ebbeb43bbc24f9e

  • SHA256

    c2c415dede2a0358921b59bce8c7e0b0b00a58a62753dd4a432104b44f7eb7a8

  • SHA512

    325586b1bf7a1f337e7a1379a700763d4fbc6023b278bba0e7477c580cae4e6c16e5e30f43db3d617cd6db1115b89b9eebcefc4e8e2ef25d48f48a888bfcdf02

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 36 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 11 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs
  • Drops file in Program Files directory 9 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 25 IoCs
  • Suspicious use of AdjustPrivilegeToken 25 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c2c415dede2a0358921b59bce8c7e0b0b00a58a62753dd4a432104b44f7eb7a8.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c2c415dede2a0358921b59bce8c7e0b0b00a58a62753dd4a432104b44f7eb7a8.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2272
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2104
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2472
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2760
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:292
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\smss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1592
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\wininit.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1828
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\taskhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1612
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\services.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1580
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:572
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\sppsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:468
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:920
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\assembly\GAC_64\winlogon.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:556
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\Templates\conhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3016
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\taskhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2572
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\en-US\taskhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2412
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dwm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2276
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wRhF7PcXPa.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1632
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
              PID:1716
              • C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\OSPPSVC.exe
                "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\OSPPSVC.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2044
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8wkcP7O697.bat"
                  7⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2736
                  • C:\Windows\system32\w32tm.exe
                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                    8⤵
                  PID:2720
                    • C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\OSPPSVC.exe
                      "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\OSPPSVC.exe"
                      8⤵
                      • Executes dropped EXE
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2056
                      • C:\Windows\System32\cmd.exe
                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\A1nTHBcTHH.bat"
                        9⤵
                    PID:2596
                          • C:\Windows\system32\w32tm.exe
                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                            10⤵
                      PID:688
                            • C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\OSPPSVC.exe
                              "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\OSPPSVC.exe"
                              10⤵
                              • Executes dropped EXE
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              PID:1956
                              • C:\Windows\System32\cmd.exe
                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9EVEWoB6gn.bat"
                                11⤵
                        PID:2800
                                  • C:\Windows\system32\w32tm.exe
                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                    12⤵
                          PID:1772
                                    • C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\OSPPSVC.exe
                                      "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\OSPPSVC.exe"
                                      12⤵
                                      • Executes dropped EXE
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:1008
                                      • C:\Windows\System32\cmd.exe
                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KwQfKFARzT.bat"
                                        13⤵
                            PID:2388
                                          • C:\Windows\system32\w32tm.exe
                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                            14⤵
                              PID:1456
                                            • C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\OSPPSVC.exe
                                              "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\OSPPSVC.exe"
                                              14⤵
                                              • Executes dropped EXE
                                              • Suspicious behavior: EnumeratesProcesses
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:1272
                                              • C:\Windows\System32\cmd.exe
                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eR3ydISl4k.bat"
                                                15⤵
                                PID:1592
                                                  • C:\Windows\system32\w32tm.exe
                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                    16⤵
                                  PID:800
                                                    • C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\OSPPSVC.exe
                                                      "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\OSPPSVC.exe"
                                                      16⤵
                                                      • Executes dropped EXE
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:2352
                                                      • C:\Windows\System32\cmd.exe
                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zDcPfnAXs0.bat"
                                                        17⤵
                                    PID:468
                                                          • C:\Windows\system32\w32tm.exe
                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                            18⤵
                                      PID:2576
                                                            • C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\OSPPSVC.exe
                                                              "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\OSPPSVC.exe"
                                                              18⤵
                                                              • Executes dropped EXE
                                                              • Suspicious behavior: EnumeratesProcesses
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:1044
                                                              • C:\Windows\System32\cmd.exe
                                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OrAhl4fNEA.bat"
                                                                19⤵
                                        PID:3052
                                                                  • C:\Windows\system32\w32tm.exe
                                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                    20⤵
                                          PID:300
                                                                    • C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\OSPPSVC.exe
                                                                      "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\OSPPSVC.exe"
                                                                      20⤵
                                                                      • Executes dropped EXE
                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      PID:1680
                                                                      • C:\Windows\System32\cmd.exe
                                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CooinIVsng.bat"
                                                                        21⤵
                                            PID:2584
                                                                          • C:\Windows\system32\w32tm.exe
                                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                            22⤵
                                              PID:2244
                                                                            • C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\OSPPSVC.exe
                                                                              "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\OSPPSVC.exe"
                                                                              22⤵
                                                                              • Executes dropped EXE
                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              PID:2156
                                                                              • C:\Windows\System32\cmd.exe
                                                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zcjutnjrcv.bat"
                                                                                23⤵
                                                PID:848
                                                                                  • C:\Windows\system32\w32tm.exe
                                                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                    24⤵
                                                  PID:980
                                                                                    • C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\OSPPSVC.exe
                                                                                      "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\OSPPSVC.exe"
                                                                                      24⤵
                                                                                      • Executes dropped EXE
                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      PID:824
                                                                                      • C:\Windows\System32\cmd.exe
                                                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5Yw7RONjUI.bat"
                                                                                        25⤵
                                                    PID:2876
                                                                                          • C:\Windows\system32\w32tm.exe
                                                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                            26⤵
                                                      PID:2952
                                                                                            • C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\OSPPSVC.exe
                                                                                              "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\OSPPSVC.exe"
                                                                                              26⤵
                                                                                              • Executes dropped EXE
                                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                              PID:1624
                                                                                              • C:\Windows\System32\cmd.exe
                                                                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7hZg3igX7v.bat"
                                                                                                27⤵
                                                        PID:2948
                                                                                                  • C:\Windows\system32\w32tm.exe
                                                                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                    28⤵
                                                          PID:2416
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\smss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2512
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\smss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2776
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\smss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2856
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\wininit.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2660
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2780
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2564
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\taskhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1992
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\All Users\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:284
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1636
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\services.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:376
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2036
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1704
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1544
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:476
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:764
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\sppsvc.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1880
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:648
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
                                                PID:1388
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:592
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1248
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1668
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Windows\assembly\GAC_64\winlogon.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2668
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\assembly\GAC_64\winlogon.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2908
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Windows\assembly\GAC_64\winlogon.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2296
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Journal\Templates\conhost.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2556
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\Templates\conhost.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:3012
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Journal\Templates\conhost.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1284
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\taskhost.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:832
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Default User\taskhost.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1084
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\taskhost.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2976
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Program Files\DVD Maker\en-US\taskhost.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2040
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\en-US\taskhost.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1524
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Program Files\DVD Maker\en-US\taskhost.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1664
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1864
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:608
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1200

                                              Network

                                              MITRE ATT&CK Enterprise v15

                                              Downloads


                                              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                                Filesize

                                                7KB

                                                MD5

                                                34bb004f3fd99e9bd485d92873b724dd

                                                SHA1

                                                e2f6f596eab5f5e08fd101f91b38f008e40fb373

                                                SHA256

                                                bde2560209582e990fc1ea60c1745dae12ce8a288ddd0de9a4e4fdc2ecbaf38e

                                                SHA512

                                                7e2c36efb8854f30682dadaa5fb68afc55cdc1cccfefd917542041b07446107838837c2a3f190d604224a06cd0ce24afb474c879a77caac3861b374d13173829

                                              • C:\providercommon\1zu9dW.bat

                                                Filesize

                                                36B

                                                MD5

                                                6783c3ee07c7d151ceac57f1f9c8bed7

                                                SHA1

                                                17468f98f95bf504cc1f83c49e49a78526b3ea03

                                                SHA256

                                                8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

                                                SHA512

                                                c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                              • C:\providercommon\DllCommonsvc.exe

                                                Filesize

                                                1.0MB

                                                MD5

                                                bd31e94b4143c4ce49c17d3af46bcad0

                                                SHA1

                                                f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                                SHA256

                                                b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                                SHA512

                                                f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                              • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                                Filesize

                                                197B

                                                MD5

                                                8088241160261560a02c84025d107592

                                                SHA1

                                                083121f7027557570994c9fc211df61730455bb5

                                                SHA256

                                                2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

                                                SHA512

                                                20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                              • memory/556-57-0x0000000002230000-0x0000000002238000-memory.dmp

                                                Filesize

                                                32KB

                                              • memory/824-655-0x0000000000010000-0x0000000000120000-memory.dmp

                                                Filesize

                                                1.1MB

                                              • memory/1008-294-0x0000000000070000-0x0000000000180000-memory.dmp

                                                Filesize

                                                1.1MB

                                              • memory/1008-295-0x00000000004D0000-0x00000000004E2000-memory.dmp

                                                Filesize

                                                72KB

                                              • memory/1272-355-0x0000000000B50000-0x0000000000C60000-memory.dmp

                                                Filesize

                                                1.1MB

                                              • memory/1612-55-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

                                                Filesize

                                                2.9MB

                                              • memory/1624-715-0x0000000000D60000-0x0000000000E70000-memory.dmp

                                                Filesize

                                                1.1MB

                                              • memory/1680-535-0x0000000000370000-0x0000000000382000-memory.dmp

                                                Filesize

                                                72KB

                                              • memory/1956-234-0x0000000000F50000-0x0000000001060000-memory.dmp

                                                Filesize

                                                1.1MB

                                              • memory/2044-115-0x00000000011C0000-0x00000000012D0000-memory.dmp

                                                Filesize

                                                1.1MB

                                              • memory/2056-174-0x0000000000270000-0x0000000000380000-memory.dmp

                                                Filesize

                                                1.1MB

                                              • memory/2156-595-0x0000000000300000-0x0000000000410000-memory.dmp

                                                Filesize

                                                1.1MB

                                              • memory/2352-416-0x0000000000310000-0x0000000000322000-memory.dmp

                                                Filesize

                                                72KB

                                              • memory/2352-415-0x0000000001390000-0x00000000014A0000-memory.dmp

                                                Filesize

                                                1.1MB

                                              • memory/2760-15-0x00000000004E0000-0x00000000004EC000-memory.dmp

                                                Filesize

                                                48KB

                                              • memory/2760-16-0x00000000004D0000-0x00000000004DC000-memory.dmp

                                                Filesize

                                                48KB

                                              • memory/2760-14-0x00000000004C0000-0x00000000004D2000-memory.dmp

                                                Filesize

                                                72KB

                                              • memory/2760-13-0x0000000000830000-0x0000000000940000-memory.dmp

                                                Filesize

                                                1.1MB

                                              • memory/2760-17-0x00000000004F0000-0x00000000004FC000-memory.dmp

                                                Filesize

                                                48KB