Analysis

  • max time kernel
    148s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64 arch:x86 image:win7-20241023-en locale:en-us os:windows7-x64 system
  • submitted
    22-12-2024 01:31

General

  • Target

    JaffaCakes118_8fca83ffdd848257f7ac63b792b29fabadd655e38301af88e3dca6a3ac5b58aa.exe

  • Size

    1.3MB

  • MD5

    b2b879fa7242ede0a01b6865ca28e841

  • SHA1

    4fbd613e93e66cf7dcee2b7ae1c5c242ef24cdb0

  • SHA256

    8fca83ffdd848257f7ac63b792b29fabadd655e38301af88e3dca6a3ac5b58aa

  • SHA512

    a599ad89d5718ca7f13491041052dd88bc158e752007de71067ff570dba7d94156c57c374a08994145b800e26d8a64d2c1db2ccbefff16e391e708e326b53b30

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 51 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 11 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 14 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs
  • Drops file in Program Files directory 10 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 32 IoCs
  • Suspicious use of AdjustPrivilegeToken 32 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8fca83ffdd848257f7ac63b792b29fabadd655e38301af88e3dca6a3ac5b58aa.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8fca83ffdd848257f7ac63b792b29fabadd655e38301af88e3dca6a3ac5b58aa.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2312
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2476
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2620
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2056
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:844
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2116
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\services.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2376
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dllhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2796
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\cmd.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1748
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Idle.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2892
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\sppsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2844
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Setup\State\wininit.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2848
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\lsass.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1752
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\dllhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2952
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2704
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\conhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2196
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Searches\wininit.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2880
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\System.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1728
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\DigitalLocker\en-US\wininit.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2948
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\explorer.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2988
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Accessories\fr-FR\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1220
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PCHEALTH\smss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:820
          • C:\Users\Default User\services.exe
            "C:\Users\Default User\services.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2212
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LBVLNHYHv1.bat"
              6⤵
                PID:1484
                • C:\Windows\system32\w32tm.exe
                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                  7⤵
                    PID:1480
                  • C:\Users\Default User\services.exe
                    "C:\Users\Default User\services.exe"
                    7⤵
                    • Executes dropped EXE
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1028
                    • C:\Windows\System32\cmd.exe
                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rd8mWnFnEV.bat"
                      8⤵
                        PID:1052
                        • C:\Windows\system32\w32tm.exe
                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                          9⤵
                            PID:2148
                          • C:\Users\Default User\services.exe
                            "C:\Users\Default User\services.exe"
                            9⤵
                            • Executes dropped EXE
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            PID:2476
                            • C:\Windows\System32\cmd.exe
                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SpZgFYZT4y.bat"
                              10⤵
                                PID:2636
                                • C:\Windows\system32\w32tm.exe
                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                  11⤵
                                    PID:1728
                                  • C:\Users\Default User\services.exe
                                    "C:\Users\Default User\services.exe"
                                    11⤵
                                    • Executes dropped EXE
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:1076
                                    • C:\Windows\System32\cmd.exe
                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JhLzHEla3w.bat"
                                      12⤵
                                        PID:1724
                                        • C:\Windows\system32\w32tm.exe
                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                          13⤵
                                            PID:2092
                                          • C:\Users\Default User\services.exe
                                            "C:\Users\Default User\services.exe"
                                            13⤵
                                            • Executes dropped EXE
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:3052
                                            • C:\Windows\System32\cmd.exe
                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IPU7rAfrPc.bat"
                                              14⤵
                                                PID:700
                                                • C:\Windows\system32\w32tm.exe
                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                  15⤵
                                                    PID:1068
                                                  • C:\Users\Default User\services.exe
                                                    "C:\Users\Default User\services.exe"
                                                    15⤵
                                                    • Executes dropped EXE
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:2568
                                                    • C:\Windows\System32\cmd.exe
                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HHf3c4kdaf.bat"
                                                      16⤵
                                                        PID:1968
                                                        • C:\Windows\system32\w32tm.exe
                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                          17⤵
                                                            PID:2476
                                                          • C:\Users\Default User\services.exe
                                                            "C:\Users\Default User\services.exe"
                                                            17⤵
                                                            • Executes dropped EXE
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:1728
                                                            • C:\Windows\System32\cmd.exe
                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\epFjAgKouK.bat"
                                                              18⤵
                                                                PID:3008
                                                                • C:\Windows\system32\w32tm.exe
                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                  19⤵
                                                                    PID:2152
                                                                  • C:\Users\Default User\services.exe
                                                                    "C:\Users\Default User\services.exe"
                                                                    19⤵
                                                                    • Executes dropped EXE
                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    PID:2992
                                                                    • C:\Windows\System32\cmd.exe
                                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UJpHfzfs2i.bat"
                                                                      20⤵
                                                                        PID:1364
                                                                        • C:\Windows\system32\w32tm.exe
                                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                          21⤵
                                                                            PID:2932
                                                                          • C:\Users\Default User\services.exe
                                                                            "C:\Users\Default User\services.exe"
                                                                            21⤵
                                                                            • Executes dropped EXE
                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:2400
                                                                            • C:\Windows\System32\cmd.exe
                                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vhtd8auDHa.bat"
                                                                              22⤵
                                                                                PID:2744
                                                                                • C:\Windows\system32\w32tm.exe
                                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                  23⤵
                                                                                    PID:1004
                                                                                  • C:\Users\Default User\services.exe
                                                                                    "C:\Users\Default User\services.exe"
                                                                                    23⤵
                                                                                    • Executes dropped EXE
                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                    PID:2568
                                                                                    • C:\Windows\System32\cmd.exe
                                                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rjTee716Rl.bat"
                                                                                      24⤵
                                                                                        PID:2260
                                                                                        • C:\Windows\system32\w32tm.exe
                                                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                          25⤵
                                                                                            PID:2216
                                                                                          • C:\Users\Default User\services.exe
                                                                                            "C:\Users\Default User\services.exe"
                                                                                            25⤵
                                                                                            • Executes dropped EXE
                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                            PID:2464
                                                                                            • C:\Windows\System32\cmd.exe
                                                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qsbi9TUILn.bat"
                                                                                              26⤵
                                                                                                PID:2532
                                                                                                • C:\Windows\system32\w32tm.exe
                                                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                  27⤵
                                                                                                    PID:2024
                                                                                                  • C:\Users\Default User\services.exe
                                                                                                    "C:\Users\Default User\services.exe"
                                                                                                    27⤵
                                                                                                    • Executes dropped EXE
                                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                    PID:1752
                                                                                                    • C:\Windows\System32\cmd.exe
                                                                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\p9sA7N8NGm.bat"
                                                                                                      28⤵
                                                                                                        PID:2528
                                                                                                        • C:\Windows\system32\w32tm.exe
                                                                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                          29⤵
                                                                                                            PID:2520
                                                                                                          • C:\Users\Default User\services.exe
                                                                                                            "C:\Users\Default User\services.exe"
                                                                                                            29⤵
                                                                                                            • Executes dropped EXE
                                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                            PID:2124
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2964
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2724
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2712
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\services.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1920
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2688
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2720
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dllhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2336
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1356
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2136
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Users\Public\cmd.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1076
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Public\cmd.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2344
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Users\Public\cmd.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1504
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\MSBuild\Idle.exe'" /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:2748
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Idle.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:1876
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\MSBuild\Idle.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:2148
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\sppsvc.exe'" /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:1336
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\sppsvc.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:1724
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\sppsvc.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:340
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Windows\Setup\State\wininit.exe'" /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:2980
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Setup\State\wininit.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:2560
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Windows\Setup\State\wininit.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:2728
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\lsass.exe'" /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:2260
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\lsass.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:2252
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\lsass.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:2456
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Reference Assemblies\dllhost.exe'" /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:1480
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\dllhost.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:1672
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Reference Assemblies\dllhost.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:408
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:1096
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:912
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:852
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\conhost.exe'" /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:1364
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\conhost.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:632
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\conhost.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:1028
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Searches\wininit.exe'" /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:1240
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Admin\Searches\wininit.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:1288
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Searches\wininit.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:1700
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\providercommon\System.exe'" /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:3052
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:1820
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:1544
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Windows\DigitalLocker\en-US\wininit.exe'" /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:1796
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\en-US\wininit.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:1612
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Windows\DigitalLocker\en-US\wininit.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:536
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Portable Devices\explorer.exe'" /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:2612
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\explorer.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:2912
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\explorer.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:1508
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows NT\Accessories\fr-FR\csrss.exe'" /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:1044
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\fr-FR\csrss.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:2504
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows NT\Accessories\fr-FR\csrss.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:1600
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Windows\PCHEALTH\smss.exe'" /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:3044
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\PCHEALTH\smss.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:2388
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Windows\PCHEALTH\smss.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:2360
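The run of schtasks.exe calls above is the persistence stage of this sample. For every dropped copy the dropper registers three tasks: a /sc MINUTE task with no run level, a /sc ONLOGON task with /rl HIGHEST, and a second /sc MINUTE task with /rl HIGHEST. The repeating tasks are named after the binary with its first letter appended (services -> servicess, cmd -> cmdc, Idle -> IdleI), and every copy carries a system-binary name (csrss.exe, lsass.exe, wininit.exe, smss.exe, ...) in a directory where that name does not belong (C:\Recovery, C:\MSOCache, C:\Program Files (x86)\MSBuild, a user profile). The following Python is added here as a worked example and is not part of the report or of any sandbox tooling: it parses schtasks /create command lines as they appear in a process tree, Sysmon Event ID 1 or Security 4688 logs, scores each one on those four traits and groups the hits by target binary. The LEGIT_DIRS table, the MAX_BENIGN_INTERVAL_MIN threshold and the function names (parse_schtasks, reasons_for, triage) are this example's own assumptions; the sample command lines are copied from the process tree above, plus one constructed benign task to show that it is not reported.

```python
"""Triage DCRat-style scheduled-task persistence from schtasks command lines."""
import ntpath
import re
from collections import defaultdict

# Binary names the dropper reused for its copies and the directories where a
# file of that name may legitimately live (constructed for this example).
# Idle.exe and System.exe imitate Task Manager pseudo-processes: no real path.
_SYS32 = (r"c:\windows\system32", r"c:\windows\syswow64")
LEGIT_DIRS = {name: _SYS32 for name in (
    "services.exe", "dllhost.exe", "cmd.exe", "sppsvc.exe", "wininit.exe",
    "lsass.exe", "csrss.exe", "conhost.exe", "smss.exe")}
LEGIT_DIRS["explorer.exe"] = (r"c:\windows",) + _SYS32
LEGIT_DIRS.update({"idle.exe": (), "system.exe": ()})
MAX_BENIGN_INTERVAL_MIN = 15  # a /sc MINUTE task at or below this is unusual

# One pattern per schtasks /create switch; /mo and /rl are optional.
_SWITCH = {
    "name": re.compile(r'/tn\s+"([^"]+)"', re.I),
    "schedule": re.compile(r"/sc\s+(\w+)", re.I),
    "modifier": re.compile(r"/mo\s+(\d+)", re.I),
    "target": re.compile(r'''/tr\s+"'?([^"']+)'?"''', re.I),
    "runlevel": re.compile(r"/rl\s+(\w+)", re.I),
}

def parse_schtasks(cmdline):
    """Return the /create switches as a dict, or None for non-/create calls."""
    if not re.search(r"(^|\s)/create(\s|$)", cmdline, re.I):
        return None
    task = {}
    for key, rx in _SWITCH.items():
        m = rx.search(cmdline)
        task[key] = m.group(1) if m else None
    if task["name"] is None or task["target"] is None:
        return None
    task["schedule"] = (task["schedule"] or "").upper()
    task["modifier"] = int(task["modifier"]) if task["modifier"] else None
    task["runlevel"] = (task["runlevel"] or "LIMITED").upper()  # schtasks default
    return task

def reasons_for(task):
    """Why a parsed task looks like DCRat persistence (empty list = nothing)."""
    reasons = []
    directory, filename = ntpath.split(task["target"])
    base = filename.lower()
    stem = ntpath.splitext(base)[0]
    if base in LEGIT_DIRS and directory.lower() not in LEGIT_DIRS[base]:
        reasons.append(f"masquerade: {base} outside its system directory")
    # The sample names each task after its binary and, for the repeating
    # variant, appends the binary's first letter (services -> servicess).
    if stem and task["name"].lower() in {stem, stem + stem[0]}:
        reasons.append("task name derived from target binary name")
    if (task["schedule"] == "MINUTE" and task["modifier"] is not None
            and task["modifier"] <= MAX_BENIGN_INTERVAL_MIN):
        reasons.append(f"re-executes every {task['modifier']} min")
    if task["runlevel"] == "HIGHEST":
        reasons.append("runs with highest privileges")
    return reasons

def triage(cmdlines):
    """Group suspicious /create calls by target path. Interval and run level
    only corroborate: a target is reported only on a masquerade or naming hit."""
    by_target = defaultdict(lambda: {"tasks": [], "reasons": set()})
    for line in cmdlines:
        task = parse_schtasks(line)
        if task is None:
            continue
        reasons = reasons_for(task)
        if not any(r.startswith(("masquerade", "task name")) for r in reasons):
            continue
        entry = by_target[task["target"]]
        entry["tasks"].append((task["name"], task["schedule"],
                               task["modifier"], task["runlevel"]))
        entry["reasons"].update(reasons)
    return dict(by_target)

# Command lines copied from the report's process tree, plus one constructed
# benign task (last line) to show that it is not reported.
SAMPLE_CMDLINES = [
    r'''schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dllhost.exe'" /f''',
    r'''schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dllhost.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dllhost.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\MSBuild\Idle.exe'" /f''',
    r'''schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Program Files\Backup\backup.exe" /f''',
]

if __name__ == "__main__":
    for target, info in triage(SAMPLE_CMDLINES).items():
        print(target)
        for name, sched, mo, rl in info["tasks"]:
            print(f"  /tn {name} /sc {sched}" + (f" /mo {mo}" if mo else "") + f" /rl {rl}")
        for reason in sorted(info["reasons"]):
            print(f"  - {reason}")
```

Run against the six report lines the script reports four targets (services.exe, dllhost.exe with all three of its tasks, Idle.exe, csrss.exe) and stays silent on the constructed backup task. The masquerade check is the one worth keeping in production: task names and intervals change between builds, but a csrss.exe or lsass.exe whose image path is not under System32 is wrong on any Windows host.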

                                                  Network

                                                  MITRE ATT&CK Enterprise v15

                                                  Downloads

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                    Filesize

                                                    342B

                                                    MD5

                                                    4ce1674d5c98e8e39e04d8dde2a2dca8

                                                    SHA1

                                                    915fab0c352fb2bc5a6ea0c3163d9a975959dfd1

                                                    SHA256

                                                    4746b3f5ca9c3fe81762802512be531398b04206e3efbca22bc25bef4d79710e

                                                    SHA512

                                                    2216f2a220526a0dd12da76fff0529a6016e0dd8f6a3fffb86a34ef48d64ff82dbeeaede5ed2c1ee1c690fcab2e6b8bdfc059c0e666197d4f7a8bed40833837f

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                    Filesize

                                                    342B

                                                    MD5

                                                    ba86ed7b05734073fd5b968b98467c9d

                                                    SHA1

                                                    56ea6bdd088ff9ae3162735e6b81f9d462cc666e

                                                    SHA256

                                                    8beae219590162a119e5412a3a0f5fb9f3d6168f7369de87630b2492e24b2e01

                                                    SHA512

                                                    5a4cf2159e0e23a6f29ad73ebbe7947d90f567554aa1a537a34786b4c819df0f692c967b380eb3bc874cb8406fd78e31b6bc581c15c262ff1def17502eb053ab

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                    Filesize

                                                    342B

                                                    MD5

                                                    840e2e84b7bc2951f3e9cbeaaff778fe

                                                    SHA1

                                                    1ec90caf1a7f3fd7d4c8d7db7260c3272d3dce63

                                                    SHA256

                                                    52c135b21906d3671d81d3907e7c948d043807198b3c48f9553a5a87e5097c47

                                                    SHA512

                                                    01cbdcd478086918bc1d46b1ab6a192b485a7d1c7a52a3631e996d656a0863105205b57b94bc65bbd498c3a759978002982604a256bf99aaf75c764f7f49e057

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                    Filesize

                                                    342B

                                                    MD5

                                                    2ed9bccba39958f8d036e4dbce44e6be

                                                    SHA1

                                                    cf5f58fbf4fe24277b23969cc205e630a080d25b

                                                    SHA256

                                                    a184a9fc5db603557bd64b4a867e9c260d72e58810aa702684e0fd2c08bfb7bd

                                                    SHA512

                                                    f6b3b7e820ff8118e2c4d7603f5eda82486b955eabb0b1d7fc7902e79546fff17e46696b1b233c9189dc607f77e65b88b80c3c0453a73ab340d20e9d96250e41

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                    Filesize

                                                    342B

                                                    MD5

                                                    e28abeb8a76a1b66bf968bd85141eb7d

                                                    SHA1

                                                    27831b0df15c83991a67a4d7ce42748cfd8f4df4

                                                    SHA256

                                                    399ad964a815bb6d77bc519aeb5a7a6415e114d94ba8e2467d574f365ef61deb

                                                    SHA512

                                                    9fdcf21bb6d6dd16a4b80a1bbccd0a2d8b5ab92ebb111b26c216f824c4990c23d50f57c836dc1ebf4e920b55ad9bc7f45d0f788cf97d4fd550f2e4565ae7663a

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                    Filesize

                                                    342B

                                                    MD5

                                                    090c6ce9a9c0dc49c2448ba1b191ab75

                                                    SHA1

                                                    5836629a45860b9057135d13413429072b3b33b6

                                                    SHA256

                                                    88d346c74e4a1937b6f48b8ea60855591a53cf05cabbead72f56fde83e0dfd69

                                                    SHA512

                                                    d90ce6abba9ad5136ed3cd64fabc08a96c19b8a59daad3e3ac66027a4c7dc7cbec3f68f87433689df6bc50b400bbe6a7fd91d1454e42234e334357ed249c4cba

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                    Filesize

                                                    342B
