Analysis

  • max time kernel
    149s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22-12-2024 01:02

General

  • Target

    JaffaCakes118_6b144bcf04c6f084a1bb7fc699a57110245ebed317855dbf2ec5a168e01c6de8.exe

  • Size

    1.3MB

  • MD5

    64cae7d041c959ee7545970d9622c85c

  • SHA1

    1cf9db970ac32d19cd3db570ac42739ec3589549

  • SHA256

    6b144bcf04c6f084a1bb7fc699a57110245ebed317855dbf2ec5a168e01c6de8

  • SHA512

    4bcf5b15c5213bfc07b19045bcd30c690910f8c1db458bfc284c7b48b055c43be57788409ca83b29cf1c728d5b3c62e0d40b07d30a64b21b6be2805d448c5651

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal (DCRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 39 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, or processes. In this run every call is Add-MpPreference -ExclusionPath for one of the dropped binaries.

  • Checks computer location settings 2 TTPs 15 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 14 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs
  • Drops file in Program Files directory 11 IoCs
  • Drops file in Windows directory 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Modifies registry class 14 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 29 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
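
The two signatures above that matter most for response, the PowerShell Defender exclusions and the schtasks persistence, both leave their evidence in command lines. The following Python is an added example, not part of this report or of DCRat: it scores such command lines, always reporting an Add-MpPreference exclusion, reporting a schtasks /create with its target, and raising either to critical when the target carries a Windows system-binary name (wininit.exe, spoolsv.exe, RuntimeBroker.exe, ...) outside System32 or SysWOW64, which is exactly the masquerade the paths in this report show. The sample lines are constructed from the process tree below plus one invented benign task; the impersonated-name list and the legitimate-directory rule are assumptions, not something the report states.

```python
"""Flag Defender-exclusion and scheduled-task persistence from command lines.

Added example, not part of the sandbox report or of DCRat. SAMPLE_CMDLINES is
constructed from the report's process tree plus one invented benign schtasks
line; SYSTEM_BINARY_NAMES and LEGIT_DIRS are the author's assumptions.
"""
import ntpath
import re
from dataclasses import dataclass

SAMPLE_CMDLINES = [
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:\\providercommon\\DllCommonsvc.exe'",
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:\\Windows\\Containers\\serviced\\spoolsv.exe'",
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:\\Program Files\\VideoLAN\\VLC\\RuntimeBroker.exe'",
    'schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "\'C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\wininit.exe\'" /rl HIGHEST /f',
    'schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "\'C:\\Windows\\Containers\\serviced\\spoolsv.exe\'" /f',
    # invented benign control: a vendor updater registered from its own directory
    'schtasks.exe /create /tn "VendorUpdate" /sc DAILY /tr "\'C:\\Program Files\\Vendor\\update.exe\'" /f',
    "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2",
]

# Windows binaries the sample impersonates (names taken from the report).
# Assumption: a file with one of these names is legitimate only under LEGIT_DIRS.
# OfficeClickToRun.exe is left out on purpose: the real one lives under
# Program Files\Common Files, so it needs a rule of its own.
SYSTEM_BINARY_NAMES = {
    "wininit.exe", "dwm.exe", "spoolsv.exe", "csrss.exe", "smss.exe", "sppsvc.exe",
    "taskhostw.exe", "fontdrvhost.exe", "runtimebroker.exe", "waasmedicagent.exe",
    "unsecapp.exe", "upfc.exe",
}
LEGIT_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")

EXCLUSION_RE = re.compile(r"add-mppreference\s+-exclusion(path|process|extension)\s+['\"]?([^'\"]+)", re.I)
SCHTASKS_CREATE_RE = re.compile(r"schtasks(?:\.exe)?\s+/create", re.I)
TASK_RUN_RE = re.compile(r"/tr\s+\"?'?([^'\"]+)", re.I)
RUNLEVEL_RE = re.compile(r"/rl\s+highest", re.I)
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2}


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    target: str
    cmdline: str


def masquerades_system_binary(path: str) -> bool:
    """A system-binary file name outside the directories Windows ships it in.
    The report shows DCRat dropping such copies under Program Files,
    C:\\Windows\\Containers, C:\\Recovery and the user's Templates folder."""
    p = path.strip().strip("'\"").lower()
    directory = ntpath.dirname(p) + "\\"
    return ntpath.basename(p) in SYSTEM_BINARY_NAMES and not directory.startswith(LEGIT_DIRS)


def classify(cmdline: str) -> list[Finding]:
    findings = []
    m = EXCLUSION_RE.search(cmdline)
    if m:
        kind, target = m.group(1).lower(), m.group(2).strip()
        # Any exclusion change is worth a look; one for a fake system binary
        # is as close to certain as a command line gets.
        sev = "critical" if kind == "path" and masquerades_system_binary(target) else "high"
        findings.append(Finding(f"defender_exclusion_{kind}", sev, target, cmdline))
    if SCHTASKS_CREATE_RE.search(cmdline):
        tr = TASK_RUN_RE.search(cmdline)
        target = tr.group(1).strip() if tr else ""
        masq = masquerades_system_binary(target)
        highest = RUNLEVEL_RE.search(cmdline) is not None
        sev = "critical" if masq and highest else "high" if (masq or highest) else "medium"
        findings.append(Finding("schtasks_persistence", sev, target, cmdline))
    return findings


def scan(cmdlines) -> list[Finding]:
    """Classify every line; return findings most severe first."""
    found = [f for line in cmdlines for f in classify(line)]
    return sorted(found, key=lambda f: SEVERITY_RANK[f.severity])


if __name__ == "__main__":
    for f in scan(SAMPLE_CMDLINES):
        print(f"[{f.severity:8}] {f.rule:25} {f.target}")
```

On a suspect host the same two questions can be asked of live state rather than logs: the configured exclusions are in `(Get-MpPreference).ExclusionPath`, and the task list from `schtasks /query /v /fo LIST` can be fed to `scan` line by line. Note the order of operations in this report: the exclusions are written before any task fires, so a clean Defender scan after the fact proves little until the exclusions are removed.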

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6b144bcf04c6f084a1bb7fc699a57110245ebed317855dbf2ec5a168e01c6de8.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6b144bcf04c6f084a1bb7fc699a57110245ebed317855dbf2ec5a168e01c6de8.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:972
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:5064
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2352
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3516
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4424
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\wininit.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1484
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_87484\dwm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2180
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\acwGy9TwLI.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2544
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:4892
              • C:\providercommon\DllCommonsvc.exe
                "C:\providercommon\DllCommonsvc.exe"
                6⤵
                • Checks computer location settings
                • Executes dropped EXE
                • Drops file in Program Files directory
                • Drops file in Windows directory
                • Modifies registry class
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2716
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2360
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Containers\serviced\spoolsv.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:5064
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\WaaSMedicAgent.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:5000
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\RuntimeBroker.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:816
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4932
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\IdentityCRL\INT\sppsvc.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3132
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\fr-FR\unsecapp.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3296
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Templates\upfc.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2388
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\OfficeClickToRun.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4596
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Downloaded Program Files\taskhostw.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4604
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\smss.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3956
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Update\1.3.36.371\fontdrvhost.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4648
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gQLJKLgDif.bat"
                  7⤵
                  • Suspicious use of WriteProcessMemory
                  PID:5020
                  • C:\Windows\system32\w32tm.exe
                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                    8⤵
                      PID:1152
                    • C:\Users\Admin\Templates\upfc.exe
                      "C:\Users\Admin\Templates\upfc.exe"
                      8⤵
                      • Checks computer location settings
                      • Executes dropped EXE
                      • Modifies registry class
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:4320
                      • C:\Windows\System32\cmd.exe
                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JeZnuB4iL9.bat"
                        9⤵
                        • Suspicious use of WriteProcessMemory
                        PID:4656
                        • C:\Windows\system32\w32tm.exe
                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                          10⤵
                            PID:1800
                          • C:\Users\Admin\Templates\upfc.exe
                            "C:\Users\Admin\Templates\upfc.exe"
                            10⤵
                            • Checks computer location settings
                            • Executes dropped EXE
                            • Modifies registry class
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            • Suspicious use of WriteProcessMemory
                            PID:3292
                            • C:\Windows\System32\cmd.exe
                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\o4pIGJu18c.bat"
                              11⤵
                              • Suspicious use of WriteProcessMemory
                              PID:3172
                              • C:\Windows\system32\w32tm.exe
                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                12⤵
                                  PID:2308
                                • C:\Users\Admin\Templates\upfc.exe
                                  "C:\Users\Admin\Templates\upfc.exe"
                                  12⤵
                                  • Checks computer location settings
                                  • Executes dropped EXE
                                  • Modifies registry class
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  • Suspicious use of WriteProcessMemory
                                  PID:4176
                                  • C:\Windows\System32\cmd.exe
                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\z3bbUpz34c.bat"
                                    13⤵
                                      PID:1048
                                      • C:\Windows\system32\w32tm.exe
                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                        14⤵
                                          PID:4432
                                        • C:\Users\Admin\Templates\upfc.exe
                                          "C:\Users\Admin\Templates\upfc.exe"
                                          14⤵
                                          • Checks computer location settings
                                          • Executes dropped EXE
                                          • Modifies registry class
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:3944
                                          • C:\Windows\System32\cmd.exe
                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KYEunsIO9t.bat"
                                            15⤵
                                              PID:3596
                                              • C:\Windows\system32\w32tm.exe
                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                16⤵
                                                  PID:4776
                                                • C:\Users\Admin\Templates\upfc.exe
                                                  "C:\Users\Admin\Templates\upfc.exe"
                                                  16⤵
                                                  • Checks computer location settings
                                                  • Executes dropped EXE
                                                  • Modifies registry class
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:3688
                                                  • C:\Windows\System32\cmd.exe
                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat"
                                                    17⤵
                                                      PID:4588
                                                      • C:\Windows\system32\w32tm.exe
                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                        18⤵
                                                          PID:2316
                                                        • C:\Users\Admin\Templates\upfc.exe
                                                          "C:\Users\Admin\Templates\upfc.exe"
                                                          18⤵
                                                          • Checks computer location settings
                                                          • Executes dropped EXE
                                                          • Modifies registry class
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:2688
                                                          • C:\Windows\System32\cmd.exe
                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Dk8ljd7jBY.bat"
                                                            19⤵
                                                              PID:4248
                                                              • C:\Windows\system32\w32tm.exe
                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                20⤵
                                                                  PID:2876
                                                                • C:\Users\Admin\Templates\upfc.exe
                                                                  "C:\Users\Admin\Templates\upfc.exe"
                                                                  20⤵
                                                                  • Checks computer location settings
                                                                  • Executes dropped EXE
                                                                  • Modifies registry class
                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:4384
                                                                  • C:\Windows\System32\cmd.exe
                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gPrDhQDX5J.bat"
                                                                    21⤵
                                                                      PID:2304
                                                                      • C:\Windows\system32\w32tm.exe
                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                        22⤵
                                                                          PID:3196
                                                                        • C:\Users\Admin\Templates\upfc.exe
                                                                          "C:\Users\Admin\Templates\upfc.exe"
                                                                          22⤵
                                                                          • Checks computer location settings
                                                                          • Executes dropped EXE
                                                                          • Modifies registry class
                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          PID:372
                                                                          • C:\Windows\System32\cmd.exe
                                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Pbn0SniZDX.bat"
                                                                            23⤵
                                                                              PID:3292
                                                                              • C:\Windows\system32\w32tm.exe
                                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                24⤵
                                                                                  PID:4996
                                                                                • C:\Users\Admin\Templates\upfc.exe
                                                                                  "C:\Users\Admin\Templates\upfc.exe"
                                                                                  24⤵
                                                                                  • Checks computer location settings
                                                                                  • Executes dropped EXE
                                                                                  • Modifies registry class
                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                  PID:4936
                                                                                  • C:\Windows\System32\cmd.exe
                                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QSfwyRFOJU.bat"
                                                                                    25⤵
                                                                                      PID:2584
                                                                                      • C:\Windows\system32\w32tm.exe
                                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                        26⤵
                                                                                          PID:1804
                                                                                        • C:\Users\Admin\Templates\upfc.exe
                                                                                          "C:\Users\Admin\Templates\upfc.exe"
                                                                                          26⤵
                                                                                          • Checks computer location settings
                                                                                          • Executes dropped EXE
                                                                                          • Modifies registry class
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:5000
                                                                                          • C:\Windows\System32\cmd.exe
                                                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Nflxmifgtk.bat"
                                                                                            27⤵
                                                                                              PID:2112
                                                                                              • C:\Windows\system32\w32tm.exe
                                                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                28⤵
                                                                                                  PID:3228
                                                                                                • C:\Users\Admin\Templates\upfc.exe
                                                                                                  "C:\Users\Admin\Templates\upfc.exe"
                                                                                                  28⤵
                                                                                                  • Checks computer location settings
                                                                                                  • Executes dropped EXE
                                                                                                  • Modifies registry class
                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                  PID:1724
                                                                                                  • C:\Windows\System32\cmd.exe
                                                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Nflxmifgtk.bat"
                                                                                                    29⤵
                                                                                                      PID:3688
                                                                                                      • C:\Windows\system32\w32tm.exe
                                                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                        30⤵
                                                                                                          PID:2008
                                                                                                        • C:\Users\Admin\Templates\upfc.exe
                                                                                                          "C:\Users\Admin\Templates\upfc.exe"
                                                                                                          30⤵
                                                                                                          • Executes dropped EXE
                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                          PID:3120
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\wininit.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3660
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3004
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2476
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_87484\dwm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2172
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_87484\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1916
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_87484\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3712
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Windows\Containers\serviced\spoolsv.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4588
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Containers\serviced\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3188
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Windows\Containers\serviced\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1912
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\WaaSMedicAgent.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:4420
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\WaaSMedicAgent.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1572
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\WaaSMedicAgent.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:3792
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files\VideoLAN\VLC\RuntimeBroker.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2860
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\RuntimeBroker.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1144
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files\VideoLAN\VLC\RuntimeBroker.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2488
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\providercommon\csrss.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:3908
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:3592
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:4808
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Windows\IdentityCRL\INT\sppsvc.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:456
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\IdentityCRL\INT\sppsvc.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:4328
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Windows\IdentityCRL\INT\sppsvc.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1960
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Windows\fr-FR\unsecapp.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:3644
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\fr-FR\unsecapp.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:3320
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Windows\fr-FR\unsecapp.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:340
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Templates\upfc.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1784
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\Admin\Templates\upfc.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:4828
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Templates\upfc.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:820
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\Program Files\VideoLAN\VLC\OfficeClickToRun.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:3460
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\OfficeClickToRun.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:4076
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\Program Files\VideoLAN\VLC\OfficeClickToRun.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1008
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Windows\Downloaded Program Files\taskhostw.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1996
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\taskhostw.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1480
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Windows\Downloaded Program Files\taskhostw.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1100
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2924
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:3352
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:4260
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Google\Update\1.3.36.371\fontdrvhost.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1720
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\1.3.36.371\fontdrvhost.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:5100
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\Update\1.3.36.371\fontdrvhost.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1896

                                              Network

                                              MITRE ATT&CK Enterprise v15

                                              Downloads

                                              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\DllCommonsvc.exe.log

                                                Filesize

                                                1KB


                                              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                                                Filesize

                                                2KB


                                              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\upfc.exe.log

                                                Filesize

                                                1KB


                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                Filesize

                                                944B


                                              • C:\Users\Admin\AppData\Local\Temp\Dk8ljd7jBY.bat

                                                Filesize

                                                198B


                                              • C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat

                                                Filesize

                                                198B


                                              • C:\Users\Admin\AppData\Local\Temp\JeZnuB4iL9.bat

                                                Filesize

                                                198B


                                              • C:\Users\Admin\AppData\Local\Temp\KYEunsIO9t.bat

                                                Filesize

                                                198B


                                              • C:\Users\Admin\AppData\Local\Temp\Nflxmifgtk.bat

                                                Filesize

                                                198B


                                              • C:\Users\Admin\AppData\Local\Temp\Pbn0SniZDX.bat

                                                Filesize

                                                198B


                                              • C:\Users\Admin\AppData\Local\Temp\QSfwyRFOJU.bat

                                                Filesize

                                                198B

                                                MD5

                                                517ee5214aa6f20a91e60380b52d840c

                                                SHA1

                                                7270d008b9849495c78a03a186dfa4406f586b7d

                                                SHA256

                                                91ca12bee3fd2c02a6f27c785619dce1ce6406798c92db319c4bcf5b77681f7d

                                                SHA512

                                                4a74aaa31871ad3312bf7c6defd14238a3452ccc09f2371e5ced6a0105e53513c8a3dc4273fff84109d3f1ae2b9309da8095cb8d645f808b26c01872b1e23b46

                                              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oxkmeyne.xqb.ps1

                                                Filesize

                                                60B

                                                MD5

                                                d17fe0a3f47be24a6453e9ef58c94641

                                                SHA1

                                                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                SHA256

                                                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                SHA512

                                                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                              • C:\Users\Admin\AppData\Local\Temp\acwGy9TwLI.bat

                                                Filesize

                                                199B

                                                MD5

                                                7ab4e3b493667ed7ce34be3086383e62

                                                SHA1

                                                f5180490aa0b2de597e6adfbd40c776f336a8462

                                                SHA256

                                                91dad9daa45fae5cf480b25b06016f9386daa439c07b596e61df1e308a78d6d1

                                                SHA512

                                                25cb625ee138ce1e8d9bb20f386f134bcc3e56fbc8032d601be71e49699f86a77ee785496f0974ebacbe7a78aec99fe748f7a1a5b5691292e29f9b0a6d6ed196

                                              • C:\Users\Admin\AppData\Local\Temp\gPrDhQDX5J.bat

                                                Filesize

                                                198B

                                                MD5

                                                134dd03ffe421bbb708555ff250e76e0

                                                SHA1

                                                8acdbdaa2938994d74d2a549741151e2493f1992

                                                SHA256

                                                0d0dfa9976254457debc235c3cfdd254929ec701481775df4dd1b1a6fefc926a

                                                SHA512

                                                5393e0cbd2f727c921cd91bdef36f3b03417ebb6ea8273514eee4b31f5f9d0576c0334bc6b7ac47e65d21035041a153398c1180f89c08f63f8dee184e91a517e

                                              • C:\Users\Admin\AppData\Local\Temp\gQLJKLgDif.bat

                                                Filesize

                                                198B

                                                MD5

                                                5c7e91ab22aa37cbc920d3ba1d2127fd

                                                SHA1

                                                2b85a38ee2a421a9c473fb50fe0585ac68123ef9

                                                SHA256

                                                3ecafa389d4c7216a5b6f110e69993a9e85a9fd0148ad1d7923bf8175b28bb58

                                                SHA512

                                                2a2682e59a592d199e02fd187210bdc7d7eae5e41641342e7b1b7d34cb76d62ef35f6d33f71a392d00caa0c270139c08882133d0b3627f4294a3b355c553ab59

                                              • C:\Users\Admin\AppData\Local\Temp\o4pIGJu18c.bat

                                                Filesize

                                                198B

                                                MD5

                                                9428216f55103827db5f16018ac0b84e

                                                SHA1

                                                cfdf9e22ed61fb29b9ea2d1ba4ca28b8d23f2a2f

                                                SHA256

                                                511fc5b7dad6d0cfcf39670b046f6f7d9f9613c2fe739067862c525bd2a44715

                                                SHA512

                                                c0a586780e91f58e471594415401457d5985a64537fafd1b88b7de0742c45387adb7c5cd3ac66a0c5b3eb73a409a24b9e5ba4faab2a325a987bcf6748ff98f9a

                                              • C:\Users\Admin\AppData\Local\Temp\z3bbUpz34c.bat

                                                Filesize

                                                198B

                                                MD5

                                                14a5943f512cbe48810927493c218c59

                                                SHA1

                                                2d1fc60226c00e4ae9edad1823fcfa907f74d0ec

                                                SHA256

                                                d3ebd03e8cb863c991d67bd6168fa8be797539aed10330afdb83d2908ceb1df9

                                                SHA512

                                                c01ec6e0e4451e4c8fe107334411825388ef0b2571991b83cff127ccb240577863c141fdeb041ea12179988c9c9adc1ed61feb06f57212e4f8022d1ef5983d11

                                              • C:\providercommon\1zu9dW.bat

                                                Filesize

                                                36B

                                                MD5

                                                6783c3ee07c7d151ceac57f1f9c8bed7

                                                SHA1

                                                17468f98f95bf504cc1f83c49e49a78526b3ea03

                                                SHA256

                                                8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

                                                SHA512

                                                c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                              • C:\providercommon\DllCommonsvc.exe

                                                Filesize

                                                1.0MB

                                                MD5

                                                bd31e94b4143c4ce49c17d3af46bcad0

                                                SHA1

                                                f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                                SHA256

                                                b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                                SHA512

                                                f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                              • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                                Filesize

                                                197B

                                                MD5

                                                8088241160261560a02c84025d107592

                                                SHA1

                                                083121f7027557570994c9fc211df61730455bb5

                                                SHA256

                                                2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

                                                SHA512

                                                20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                              • memory/2180-36-0x00000267F2BE0000-0x00000267F2C02000-memory.dmp

                                                Filesize

                                                136KB

                                              • memory/2716-65-0x00000000009E0000-0x00000000009F2000-memory.dmp

                                                Filesize

                                                72KB

                                              • memory/3120-297-0x0000000000F60000-0x0000000000F72000-memory.dmp

                                                Filesize

                                                72KB

                                              • memory/3516-17-0x000000001B7A0000-0x000000001B7AC000-memory.dmp

                                                Filesize

                                                48KB

                                              • memory/3516-12-0x00007FFF70303000-0x00007FFF70305000-memory.dmp

                                                Filesize

                                                8KB

                                              • memory/3516-13-0x0000000000A60000-0x0000000000B70000-memory.dmp

                                                Filesize

                                                1.1MB

                                              • memory/3516-14-0x000000001B770000-0x000000001B782000-memory.dmp

                                                Filesize

                                                72KB

                                              • memory/3516-15-0x000000001B780000-0x000000001B78C000-memory.dmp

                                                Filesize

                                                48KB

                                              • memory/3516-16-0x000000001B790000-0x000000001B79C000-memory.dmp

                                                Filesize

                                                48KB

                                              • memory/4384-266-0x0000000002F90000-0x0000000002FA2000-memory.dmp

                                                Filesize

                                                72KB