Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    30/12/2024, 01:43

General

  • Target

    JaffaCakes118_fb0ed5adb2db85894e9e02c58c49a01983ffb3ae3d74c6ad03376d2e883bb74b.exe

  • Size

    1.3MB

  • MD5

    af97c7cb6f68b54d290f6505d168790d

  • SHA1

    d947292a9d35d50ecfacb8169cb08e093fcb9d4f

  • SHA256

    fb0ed5adb2db85894e9e02c58c49a01983ffb3ae3d74c6ad03376d2e883bb74b

  • SHA512

    4e6014a9c2d20fddfe70c49707e787c55c857a0ecbc8e1ab3b81f62b9da9f998eb98453bd9c634e71c8e1fa9eee073926108ed265d4926ce04b52284235e6bc5

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal (DCRat) is a .NET RAT, active since June 2019, capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 45 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 11 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths and processes. Here each dropped copy is excluded by full path with Add-MpPreference -ExclusionPath.

  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
  • Drops file in Program Files directory 9 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution. Here each dropped copy gets an ONLOGON task plus MINUTE-interval tasks, most created with /rl HIGHEST and all with /f, so an existing task of the same name is silently overwritten.

  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious use of AdjustPrivilegeToken 28 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
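
The signatures above reduce to four behaviours a detection engineer can check mechanically: Add-MpPreference exclusions, schtasks /create persistence with /rl HIGHEST, w32tm /stripchart against localhost used as a script sleep, and system-binary names (audiodg.exe, WmiPrvSE.exe, conhost.exe, csrss.exe, winlogon.exe, services.exe) living outside a system directory. The Python script below is an added example, not part of the sandbox report and not code from the sample; it runs those checks over a handful of process-creation records constructed from the command lines in the process tree on this page. The (pid, image, cmdline) record layout, the rule names, SYSTEM_BINARY_NAMES and the LEGIT_DIRS allow-list are assumptions made for illustration.

```python
"""Triage checks for the behaviours flagged in this report's signatures.

Added example, not the sandbox's tooling nor code from the sample. SAMPLE_EVENTS
is constructed from command lines in the process tree on this page; the
(pid, image, cmdline) layout, rule names and allow-list are assumptions.
"""
import re
from collections import Counter
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Names the sample gives its dropped copies; genuine ones live only in LEGIT_DIRS.
SYSTEM_BINARY_NAMES = {"audiodg.exe", "wmiprvse.exe", "conhost.exe", "csrss.exe",
                       "winlogon.exe", "services.exe", "lsm.exe", "smss.exe",
                       "wininit.exe", "dllhost.exe", "spoolsv.exe"}
LEGIT_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64",
              "c:\\windows\\system32\\wbem"}
EXCLUSION_RE = re.compile(
    r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)\s+(.+)$", re.I)
# w32tm polling localhost is a cmd-script sleep, not time synchronisation.
W32TM_DELAY_RE = re.compile(r"w32tm\s+/stripchart\s+/computer:localhost", re.I)


@dataclass
class Finding:
    pid: int
    rule: str
    detail: str


def is_masquerading_path(path: str) -> bool:
    """True when a system-binary name sits outside the directory it belongs in."""
    p = PureWindowsPath(path.strip("\"' "))
    return (p.name.lower() in SYSTEM_BINARY_NAMES
            and str(p.parent).lower() not in LEGIT_DIRS)


def parse_schtasks(cmdline: str) -> dict:
    """Map 'schtasks /create /tn "x" /sc ONLOGON ... /f' to {'/create': True, '/tn': 'x', ...}."""
    tokens = [t.strip("\"'") for t in re.findall(r'"[^"]*"|\S+', cmdline)]
    args, i = {}, 1                      # tokens[0] is the schtasks binary itself
    while i < len(tokens):
        key = tokens[i].lower()
        if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
            args[key], i = tokens[i + 1], i + 2   # switch with a value (/sc ONLOGON)
        else:
            args[key], i = True, i + 1            # bare switch (/create, /f)
    return args


def analyze(events) -> list:
    """events: iterable of (pid, image_path, command_line) process-creation records."""
    findings = []
    for pid, image, cmdline in events:
        def add(rule, detail):
            findings.append(Finding(pid, rule, detail))
        if is_masquerading_path(image):
            add("masquerading", f"{image} runs outside a system directory")
        m = EXCLUSION_RE.search(cmdline)
        if m:
            target = m.group(2).strip().strip("\"'")
            add("defender_exclusion", f"Exclusion{m.group(1)} added for {target}")
            if is_masquerading_path(target):
                add("masquerading", f"excluded file {target} is a renamed system binary")
        if PureWindowsPath(image).name.lower() == "schtasks.exe":
            args = parse_schtasks(cmdline)
            if "/create" in args:
                trig = str(args.get("/sc", "?")) + (f" every {args['/mo']}" if "/mo" in args else "")
                if str(args.get("/rl", "")).lower() == "highest":
                    trig += ", highest run level"
                add("scheduled_task", f"task {args.get('/tn')} -> {args.get('/tr')} ({trig})")
                if is_masquerading_path(str(args.get("/tr", ""))):
                    add("masquerading", f"task target {args['/tr']} is a renamed system binary")
        if W32TM_DELAY_RE.search(cmdline):
            add("w32tm_delay", "w32tm /stripchart against localhost used as a sleep")
    return findings


def summarize(findings) -> dict:
    """Findings per rule, e.g. {'defender_exclusion': 2, 'scheduled_task': 2, ...}."""
    return dict(Counter(f.rule for f in findings))


# Constructed from the process tree on this page: (pid, image, command line).
SAMPLE_EVENTS = [
    (2920, r"C:\providercommon\DllCommonsvc.exe", r'"C:\providercommon\DllCommonsvc.exe"'),
    (1064, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     '"powershell" -Command Add-MpPreference -ExclusionPath \'C:\\providercommon\\DllCommonsvc.exe\''),
    (2296, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     '"powershell" -Command Add-MpPreference -ExclusionPath '
     '\'C:\\Program Files\\Internet Explorer\\images\\audiodg.exe\''),
    (544, r"C:\Users\Public\Favorites\WmiPrvSE.exe", r'"C:\Users\Public\Favorites\WmiPrvSE.exe"'),
    (748, r"C:\Windows\system32\w32tm.exe",
     "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2"),
    (2548, r"C:\Windows\system32\schtasks.exe",
     'schtasks.exe /create /tn "audiodg" /sc ONLOGON '
     '/tr "\'C:\\Program Files\\Internet Explorer\\images\\audiodg.exe\'" /rl HIGHEST /f'),
    (1644, r"C:\Windows\system32\schtasks.exe",
     'schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 '
     '/tr "\'C:\\Program Files\\Internet Explorer\\images\\audiodg.exe\'" /f'),
]

if __name__ == "__main__":
    results = analyze(SAMPLE_EVENTS)
    for f in results:
        print(f"[{f.rule}] pid {f.pid}: {f.detail}")
    print(summarize(results))
```

In production the records would come from Sysmon Event ID 1 or Windows 4688 with command-line auditing enabled rather than SAMPLE_EVENTS. The rules are deliberately narrow to what this report shows; extend SYSTEM_BINARY_NAMES and LEGIT_DIRS for your own estate, and note that the masquerading check fires on the /tr target and the exclusion path as well as on the running image, which is how the dropped copies in C:\Recovery, C:\Windows\Migration\WTR and C:\Users\Public\Favorites surface before they ever execute.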

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fb0ed5adb2db85894e9e02c58c49a01983ffb3ae3d74c6ad03376d2e883bb74b.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fb0ed5adb2db85894e9e02c58c49a01983ffb3ae3d74c6ad03376d2e883bb74b.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2200
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2748
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2792
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2920
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1064
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\images\audiodg.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2296
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\WmiPrvSE.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1752
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\conhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:876
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Migration\WTR\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1680
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\audiodg.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2472
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\winlogon.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2276
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Favorites\WmiPrvSE.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1568
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\services.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1672
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Prefetch\ReadyBoot\lsm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2156
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Favorites\WmiPrvSE.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2024
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\106.0.5249.119\smss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2612
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\PrintHood\smss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2648
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Music\Sample Music\wininit.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2632
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\dllhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2200
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2428
          • C:\Users\Public\Favorites\WmiPrvSE.exe
            "C:\Users\Public\Favorites\WmiPrvSE.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:544
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\57xCWyooww.bat"
              6⤵
                PID:1888
                • C:\Windows\system32\w32tm.exe
                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                  7⤵
                    PID:748
                  • C:\Users\Public\Favorites\WmiPrvSE.exe
                    "C:\Users\Public\Favorites\WmiPrvSE.exe"
                    7⤵
                    • Executes dropped EXE
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2452
                    • C:\Windows\System32\cmd.exe
                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vCRFnHZZKP.bat"
                      8⤵
                        PID:444
                        • C:\Windows\system32\w32tm.exe
                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                          9⤵
                            PID:2676
                          • C:\Users\Public\Favorites\WmiPrvSE.exe
                            "C:\Users\Public\Favorites\WmiPrvSE.exe"
                            9⤵
                            • Executes dropped EXE
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            PID:692
                            • C:\Windows\System32\cmd.exe
                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Z87Ce65nyU.bat"
                              10⤵
                                PID:2796
                                • C:\Windows\system32\w32tm.exe
                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                  11⤵
                                    PID:1676
                                  • C:\Users\Public\Favorites\WmiPrvSE.exe
                                    "C:\Users\Public\Favorites\WmiPrvSE.exe"
                                    11⤵
                                    • Executes dropped EXE
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:2016
                                    • C:\Windows\System32\cmd.exe
                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FjqlTNZm6T.bat"
                                      12⤵
                                        PID:544
                                        • C:\Windows\system32\w32tm.exe
                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                          13⤵
                                            PID:748
                                          • C:\Users\Public\Favorites\WmiPrvSE.exe
                                            "C:\Users\Public\Favorites\WmiPrvSE.exe"
                                            13⤵
                                            • Executes dropped EXE
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:2832
                                            • C:\Windows\System32\cmd.exe
                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DemtbJLPzJ.bat"
                                              14⤵
                                                PID:2452
                                                • C:\Windows\system32\w32tm.exe
                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                  15⤵
                                                    PID:2560
                                                  • C:\Users\Public\Favorites\WmiPrvSE.exe
                                                    "C:\Users\Public\Favorites\WmiPrvSE.exe"
                                                    15⤵
                                                    • Executes dropped EXE
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:2224
                                                    • C:\Windows\System32\cmd.exe
                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7JTBpj7DN0.bat"
                                                      16⤵
                                                        PID:704
                                                        • C:\Windows\system32\w32tm.exe
                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                          17⤵
                                                            PID:2924
                                                          • C:\Users\Public\Favorites\WmiPrvSE.exe
                                                            "C:\Users\Public\Favorites\WmiPrvSE.exe"
                                                            17⤵
                                                            • Executes dropped EXE
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:2028
                                                            • C:\Windows\System32\cmd.exe
                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DemtbJLPzJ.bat"
                                                              18⤵
                                                                PID:2896
                                                                • C:\Windows\system32\w32tm.exe
                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                  19⤵
                                                                    PID:540
                                                                  • C:\Users\Public\Favorites\WmiPrvSE.exe
                                                                    "C:\Users\Public\Favorites\WmiPrvSE.exe"
                                                                    19⤵
                                                                    • Executes dropped EXE
                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    PID:1368
                                                                    • C:\Windows\System32\cmd.exe
                                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\989MOUOnUX.bat"
                                                                      20⤵
                                                                        PID:2416
                                                                        • C:\Windows\system32\w32tm.exe
                                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                          21⤵
                                                                            PID:800
                                                                          • C:\Users\Public\Favorites\WmiPrvSE.exe
                                                                            "C:\Users\Public\Favorites\WmiPrvSE.exe"
                                                                            21⤵
                                                                            • Executes dropped EXE
                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:2500
                                                                            • C:\Windows\System32\cmd.exe
                                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UQ4uSu8U9J.bat"
                                                                              22⤵
                                                                                PID:2080
                                                                                • C:\Windows\system32\w32tm.exe
                                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                  23⤵
                                                                                    PID:1540
                                                                                  • C:\Users\Public\Favorites\WmiPrvSE.exe
                                                                                    "C:\Users\Public\Favorites\WmiPrvSE.exe"
                                                                                    23⤵
                                                                                    • Executes dropped EXE
                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                    PID:2700
                                                                                    • C:\Windows\System32\cmd.exe
                                                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dgWvFyiHB2.bat"
                                                                                      24⤵
                                                                                        PID:1728
                                                                                        • C:\Windows\system32\w32tm.exe
                                                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                          25⤵
                                                                                            PID:1700
                                                                                          • C:\Users\Public\Favorites\WmiPrvSE.exe
                                                                                            "C:\Users\Public\Favorites\WmiPrvSE.exe"
                                                                                            25⤵
                                                                                            • Executes dropped EXE
                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                            PID:1980
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Program Files\Internet Explorer\images\audiodg.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1644
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\images\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2548
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\images\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3004
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\WmiPrvSE.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:804
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:704
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:572
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\conhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2404
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1180
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2476
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\Migration\WTR\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2700
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2876
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\Migration\WTR\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:796
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\providercommon\audiodg.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2720
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2692
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2336
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Windows\Microsoft.NET\Framework\winlogon.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1824
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\Framework\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1624
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Windows\Microsoft.NET\Framework\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2824
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Favorites\WmiPrvSE.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1292
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Public\Favorites\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2016
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Favorites\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1964
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files\Google\services.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2484
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Google\services.exe'" /rl HIGHEST /f
    1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:688
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files\Google\services.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2228
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Windows\Prefetch\ReadyBoot\lsm.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2184
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\lsm.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1884
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Windows\Prefetch\ReadyBoot\lsm.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2412
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Favorites\WmiPrvSE.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:3056
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Public\Favorites\WmiPrvSE.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1100
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Favorites\WmiPrvSE.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1496
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\smss.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2180
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\smss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:404
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\smss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1524
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Users\Default\PrintHood\smss.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1740
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default\PrintHood\smss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:944
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Users\Default\PrintHood\smss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1772
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Music\Sample Music\wininit.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1520
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Public\Music\Sample Music\wininit.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1976
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Music\Sample Music\wininit.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1728
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\dllhost.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:748
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\dllhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2460
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\dllhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2356
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\providercommon\spoolsv.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2976
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:376
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2444

                                                Downloads

                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                  Filesize

                                                  342B

                                                  MD5

                                                  78929b7f8c5ee97352554f1bbb8c3b0b

                                                  SHA1

                                                  18e9b20888085afb6d665ec382f143611ac94ca0

                                                  SHA256

                                                  abadd1773dfe8a34ec29623d5dd19b923eddf410e0da9be21456b09a4c61aa84

                                                  SHA512

                                                  d86d74e26267a2c82c81385bf525a73e4ad70d547b19be61bde09697a9b7257757fec20e7bd8823af44df35098f2f54bbcbbdd227bdac9d805430837f2ca35d4

                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                  Filesize

                                                  342B

                                                  MD5

                                                  2fa2b7bf72f1e88928016804ccefdde9

                                                  SHA1

                                                  c4696e19d554d0e5533fc38f3187c04d47c68688

                                                  SHA256

                                                  f97781c2bc5a81378794d9d71adae82c40c5f20eee598cf599925c51fc710a65

                                                  SHA512

                                                  a99cba73c41bee2e49c4860de48ba7195b32cfd66e5480c4fed31e4d62c6c639e316803580090cf0d2a889e692333778b97d2997c3ba3b40979c89059a0d8117

                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                  Filesize

                                                  342B

                                                  MD5

                                                  b37c7681264b6c9496b2428760e3641a

                                                  SHA1

                                                  5f7f299c04ed6f79939fa2a068599135c094bb30

                                                  SHA256

                                                  45dd5a3239879cae318dcf0b665c77112b1f123f2742d216abb99c49a74656b9

                                                  SHA512

                                                  6dedd876c960d16c2087621ce7f36af56e779e1390d42ba2ce6177f479e4315d09c088e5f509abb7c8cd152d303f56a5d688ade7ca5eaf41e14a57465c987d3f

                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                  Filesize

                                                  342B

                                                  MD5

                                                  e0d4c589dee72b02d6662f51bc6b6cde

                                                  SHA1

                                                  bc72f1ff323d66b49de06cf7b56c86926709c94c

                                                  SHA256

                                                  39856c27d31cda196b82955831eb99430606ad9f834d1827fb63b4db9ec3d3f8

                                                  SHA512

                                                  ce58178ca27e2649ae4f7c133032e31e570dfc1f62294d8a067915afdb5cc27634dd03605a3bb998fbed88aaf1e23f5ca13f30e2d2360db5632d6eef6fe1c660

                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                  Filesize

                                                  342B

                                                  MD5

                                                  c64ad84c4eab3fe0651330a265bdcb72

                                                  SHA1

                                                  9c1762129cea96c58713a199755243b93bec55a9

                                                  SHA256

                                                  195a877fb0eb14761cef9f256425b0510fd62ca80a6981001d874228d7eb8080

                                                  SHA512

                                                  ac47f233435180de964386ba94c46ea9f34afad3fdb3d07860de56666cfc06101013c480b33d5875f108e7ff97d2f89ce2be61921d9f109500bd489850f643a2

                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                  Filesize

                                                  342B

                                                  MD5

                                                  918b6e6edc79daa3d3e9881af5fc1a4c

                                                  SHA1

                                                  9aa5b376bc289ad145064df079338b2fad980655

                                                  SHA256

                                                  f4f16044ee1920f5850a2fb242d8e825fd3a488447d81e5f932d7958a438cd36

                                                  SHA512

                                                  3cbc9b54ad64d79d0ea805c99c83fe67b5a3ce144fc4ca035d1422ba3426a70eb42d848165213619a7ef6c01a895b527c015f6bacf6051c7ab5b1ca7d5bdc77b

                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                  Filesize

                                                  342B

                                                  MD5

                                                  00582bf29380336b81c5c4e0105022de

                                                  SHA1

                                                  628e5550b7fe8d385c1a64699636c49266eda673

                                                  SHA256

                                                  b212ef46cfdac7beb955c1e61f783834bde4b327443671fef977cf6483afb5a3

                                                  SHA512

                                                  e2c21d29c1c2f9bf95972b87bbb92c3bbc1bc56305c1ebe1a8b999cb5409b37e4bc69e065bb903be92b739704e31a563983c840f9ad0486d7fd842cba6d83c23

                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                  Filesize

                                                  342B

                                                  MD5

                                                  d68a35a74cf00bafb5622374682cfc18

                                                  SHA1

                                                  474104f959cc397bb3b5198d5dbd09f73884a24a

                                                  SHA256

                                                  c226e7f83213afd85377144ee3c4d52e4406b9db22a955be9e742167418813eb

                                                  SHA512

                                                  1ff4014cafbeaf22354d14eb09e7acbac764f29141bdf3446695a4be987707abfe1f840963583fb3c87ba2c658c5347b483031177a934d17fe9eae47b8f8454a

                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                  Filesize

                                                  342B

                                                  MD5

                                                  b174e45a8d35acc56c78989800919d6b

                                                  SHA1

                                                  f21bc8878248651ec9625abdc0bd83564d4f03da

                                                  SHA256

                                                  8d61091b50c03d789f1f873099946927ee9b7aacaf757b23211dad9c990089bd

                                                  SHA512

                                                  e562b0562965734a180b03285adbfe7088dd059edf05eedb3f71a35ff65c4d4e3b708485dd79a340ef447189b136630c588fc2d37a13326efe5c553d41d41a3a

                                                • C:\Users\Admin\AppData\Local\Temp\57xCWyooww.bat

                                                  Filesize

                                                  203B

                                                  MD5

                                                  a18c5bd65af5aa03e1b939adf6aeb55a

                                                  SHA1

                                                  94740d5c6dfff90dc0733728cd7fd6c5222ca9ee

                                                  SHA256

                                                  9cd5397e974d90e4f217103457cfd195a2c468e7057f5dc6bf10b13131ad2578

                                                  SHA512

                                                  556a9dbcb15bc7dd91ec7a7c744ebf5c7675bbdebba4fe75d5f97dc5683906cfffcd6bbb6816df411eb395b4c10e90417fde64fd6dac89604feb1329ba855c36

                                                • C:\Users\Admin\AppData\Local\Temp\7JTBpj7DN0.bat

                                                  Filesize

                                                  203B

                                                  MD5

                                                  8c8b8ffb18965c507bf21c61f53bbcdf

                                                  SHA1

                                                  354b713615fc4c76c154aaf9cccc3669bd5c0f19

                                                  SHA256

                                                  5f4633de4e1ffe965f7f09911455023fa0f240516223a59dcbcf071c3a600b66

                                                  SHA512

                                                  d44237123f638e57e645ddae5aa77468288c9afea1b84b739cd9593cf359046f5288a4f9c02ea5e8c8b4fbc370ae580f0e953dcee1c7940ce708766cb8fb1fc6

                                                • C:\Users\Admin\AppData\Local\Temp\989MOUOnUX.bat

                                                  Filesize

                                                  203B

                                                  MD5

                                                  75f5f8ed62bc480da8110cd1c73f17a1

                                                  SHA1

                                                  7c43e281b72b6ab11c6a58a834b5f195de5e82f3

                                                  SHA256

                                                  b8e5347f2bac6059a265bcf151453fcdd0b104573cfcae6dc2cb82cbe434bcfc

                                                  SHA512

                                                  7dac5b54b02ed095950d67361ba1d8142ed9dc7ec155ee00623c5d031668f6882deef72b77a55b6b93afc1e3eaddcb12407c476c2b6e22e4a56403b61b4d4e1c

                                                • C:\Users\Admin\AppData\Local\Temp\CabBBB3.tmp

                                                  Filesize

                                                  70KB

                                                  MD5

                                                  49aebf8cbd62d92ac215b2923fb1b9f5

                                                  SHA1

                                                  1723be06719828dda65ad804298d0431f6aff976

                                                  SHA256

                                                  b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                                  SHA512

                                                  bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                                • C:\Users\Admin\AppData\Local\Temp\DemtbJLPzJ.bat

                                                  Filesize

                                                  203B

                                                  MD5

                                                  55d3d224702b3b4e8b6e16a0ee6e87a3

                                                  SHA1

                                                  347132fd60486892dc7c3205077290e07f8c0db1

                                                  SHA256

                                                  4844380c4e3e79df5e25e5a67654996ff3c8f3cc25fa04da8bafc3507e8d93a4

                                                  SHA512

                                                  47589e4367a57ea325d3f863527e4c35e666515202d1b57cd5e05c1da82a1dffe9d6232707b9e16dd87af3fe71554624f716531e7eb900a249b09c8111fa60d8

                                                • C:\Users\Admin\AppData\Local\Temp\FjqlTNZm6T.bat

                                                  Filesize

                                                  203B

                                                  MD5

                                                  3a7d81a98d38d82dabdf1908b76d28fe

                                                  SHA1

                                                  78be118edaa1afa36635e551aa6516c6eee1f9a9

                                                  SHA256

                                                  bf0728099f2c3c31138bdb5395fb9b9ed2df48b5b15f854b342c123b396f0480

                                                  SHA512

                                                  b1ed3cb79cfe986fb1d7b29b7c13c58bb750e1372616dcd8a380bf3cb0a7fe48cba44517f05b53eaf03cdaece493b4f476e1eb64b0f960a95b3a13c3cf2bfaa9

                                                • C:\Users\Admin\AppData\Local\Temp\TarBBB6.tmp

                                                  Filesize

                                                  181KB

                                                  MD5

                                                  4ea6026cf93ec6338144661bf1202cd1

                                                  SHA1

                                                  a1dec9044f750ad887935a01430bf49322fbdcb7

                                                  SHA256

                                                  8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                                                  SHA512

                                                  6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                                • C:\Users\Admin\AppData\Local\Temp\UQ4uSu8U9J.bat

                                                  Filesize

                                                  203B

                                                  MD5

                                                  9c6a4359e05e50845cfe51f21dd14d00

                                                  SHA1

                                                  a7932f7fb955bbc4169f81ea98861017d2c50db9

                                                  SHA256

                                                  7b47fc487b77c7e362b88e0e561e43c3419b24b607fde509e43eb928a2c2c4db

                                                  SHA512

                                                  f1dd7906ddf32ff2b1629bc039e413ec91d56ee0d06ae8f4bae576822eb121d8db90f1ef5d7fc62d7e7dd84008b2ee7134e56d6800590425c72030de3f64f415

                                                • C:\Users\Admin\AppData\Local\Temp\Z87Ce65nyU.bat

                                                  Filesize

                                                  203B

                                                  MD5

                                                  516915faa4e042764d4d720d9a1a28f0

                                                  SHA1

                                                  0d7755677f5a6f489d55b0ed384cd1e2590d5e90

                                                  SHA256

                                                  850ace7d0990fb68b5fbe9c6cb95711c0af7ff9c2fe6e54656a49adf2a05bb2d

                                                  SHA512

                                                  11acd0fea59062df4603b94d2446db7f379d10aaf52d7ff5f8fdeeecf74930fed25eb37c5b3a20581d9c439c9906a0c859f3d58a38d690c5dbf724efc20b0b6c

                                                • C:\Users\Admin\AppData\Local\Temp\dgWvFyiHB2.bat

                                                  Filesize

                                                  203B

                                                  MD5

                                                  093abe1d95cdb3998bab2564cc2e1cac

                                                  SHA1

                                                  6541d2801a6e1b031df114624a37e41c40689791

                                                  SHA256

                                                  7767bcee9ed87b643acc08f9da542e3b1972109368078c7f6f81cf6c311549dc

                                                  SHA512

                                                  fde71e329de96fbecfd7391e73deb929c93ecbdd40698968fb586450b3c7ad781d81ebb48e85fc882c65222f6fe7067fe43b0727dcfc28f78eaf5dff4d481840

• C:\Users\Admin\AppData\Local\Temp\vCRFnHZZKP.bat
  Filesize 203B
  MD5 3214b5d1a1d41c0920bf73f0472fdce9
  SHA1 63aaad6feacf4fa08d60f36d3e6c13670a89bc71
  SHA256 d1c65c16386c1a51ac50b3ade102aaf2300ee1b0cda9adfdf0a88f9c43a04b76
  SHA512 7a89254e09a8cefa45406b40da53933ddf6b3d2032857470258a5ee1623dc9250abef34df2d6d2ca5ea04819d504ebda19823e55537cac1812c91fb58da8bacc

• C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize 7KB
  MD5 0a2dbb8f0f138e303da902daa5dbf59a
  SHA1 40ead8efa38248d53068f9bbb6e33946e24f813d
  SHA256 58263821c076998c7f515d4b3f97ca25249b260c7ff8ca9cad38d87238b04840
  SHA512 86fa1206f7d491795ecd5f470a3142d79773ef8c07f0513d547e2829d0f5a8c9bc731dfea4b67ca22f01802c9abba895705f598ba95ed0806d67e453649f6b52

• C:\providercommon\1zu9dW.bat
  Filesize 36B
  MD5 6783c3ee07c7d151ceac57f1f9c8bed7
  SHA1 17468f98f95bf504cc1f83c49e49a78526b3ea03
  SHA256 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
  SHA512 c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

• C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
  Filesize 197B
  MD5 8088241160261560a02c84025d107592
  SHA1 083121f7027557570994c9fc211df61730455bb5
  SHA256 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
  SHA512 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

• \providercommon\DllCommonsvc.exe
  Filesize 1.0MB
  MD5 bd31e94b4143c4ce49c17d3af46bcad0
  SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
  SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
  SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

• memory/544-61-0x0000000000F20000-0x0000000001030000-memory.dmp
  Filesize 1.1MB

• memory/692-254-0x0000000000350000-0x0000000000362000-memory.dmp
  Filesize 72KB

• memory/692-253-0x00000000000F0000-0x0000000000200000-memory.dmp
  Filesize 1.1MB

• memory/1064-55-0x00000000022C0000-0x00000000022C8000-memory.dmp
  Filesize 32KB

• memory/1064-54-0x000000001B6E0000-0x000000001B9C2000-memory.dmp
  Filesize 2.9MB

• memory/1368-554-0x0000000000440000-0x0000000000452000-memory.dmp
  Filesize 72KB

• memory/1980-734-0x0000000000EC0000-0x0000000000FD0000-memory.dmp
  Filesize 1.1MB

• memory/2016-314-0x0000000000380000-0x0000000000490000-memory.dmp
  Filesize 1.1MB

• memory/2028-494-0x0000000001050000-0x0000000001160000-memory.dmp
  Filesize 1.1MB

• memory/2224-434-0x0000000000390000-0x00000000004A0000-memory.dmp
  Filesize 1.1MB

• memory/2500-614-0x0000000001300000-0x0000000001410000-memory.dmp
  Filesize 1.1MB

• memory/2700-674-0x00000000000D0000-0x00000000001E0000-memory.dmp
  Filesize 1.1MB

• memory/2832-374-0x0000000000040000-0x0000000000150000-memory.dmp
  Filesize 1.1MB

• memory/2920-17-0x0000000000370000-0x000000000037C000-memory.dmp
  Filesize 48KB

• memory/2920-13-0x0000000001060000-0x0000000001170000-memory.dmp
  Filesize 1.1MB

• memory/2920-14-0x00000000002C0000-0x00000000002D2000-memory.dmp
  Filesize 72KB

• memory/2920-15-0x00000000002D0000-0x00000000002DC000-memory.dmp
  Filesize 48KB

• memory/2920-16-0x0000000000360000-0x000000000036C000-memory.dmp
  Filesize 48KB