Analysis

  • max time kernel
    141s
  • max time network
    136s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    30/12/2024, 01:49

General

  • Target

    JaffaCakes118_38529abe4880de3780b945a4015d6f8a6da474d300f55e72dcfcdc9765dd9c04.exe

  • Size

    1.3MB

  • MD5

    31cd6d1e3ad6e1f663f58cde4001cb19

  • SHA1

    e685f9a44bb921e0f4c34338b1a22dd3fd2230b2

  • SHA256

    38529abe4880de3780b945a4015d6f8a6da474d300f55e72dcfcdc9765dd9c04

  • SHA512

    70cf2ca610f251d94a98f06d358d2a1af31ba01836e7f2761bb1ff2c3b605035966d9c0d312f0575e67e6625f7e36bce3a8b3f1d54c17fcb6d1a16706d29aeca

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 51 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 9 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 10 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 32 IoCs
  • Suspicious use of AdjustPrivilegeToken 28 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_38529abe4880de3780b945a4015d6f8a6da474d300f55e72dcfcdc9765dd9c04.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_38529abe4880de3780b945a4015d6f8a6da474d300f55e72dcfcdc9765dd9c04.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1900
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2708
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2772
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2988
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2756
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\spoolsv.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2700
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ehome\OSPPSVC.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1900
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\sppsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2644
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2856
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\services.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2780
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\audiodg.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2432
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2792
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2748
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\services.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2860
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\SendTo\wininit.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2712
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Desktop\spoolsv.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2720
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\System.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2664
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Synchronization Services\OSPPSVC.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2600
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\conhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2552
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\DigitalLocker\it-IT\services.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2076
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\sppsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2324
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\System.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2968
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TdvQL68WQX.bat"
            5⤵
              PID:2308
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                6⤵
                  PID:1160
                • C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe
                  "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe"
                  6⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1824
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qqpXlQnQd1.bat"
                    7⤵
                      PID:2104
                      • C:\Windows\system32\w32tm.exe
                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                        8⤵
                          PID:2728
                        • C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe
                          "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe"
                          8⤵
                          • Executes dropped EXE
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2128
                          • C:\Windows\System32\cmd.exe
                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5eI0Zh92hY.bat"
                            9⤵
                              PID:2416
                              • C:\Windows\system32\w32tm.exe
                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                10⤵
                                  PID:2940
                                • C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe
                                  "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe"
                                  10⤵
                                  • Executes dropped EXE
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:264
                                  • C:\Windows\System32\cmd.exe
                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MsSi1KDKJG.bat"
                                    11⤵
                                      PID:2112
                                      • C:\Windows\system32\w32tm.exe
                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                        12⤵
                                          PID:1760
                                        • C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe
                                          "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe"
                                          12⤵
                                          • Executes dropped EXE
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:1152
                                          • C:\Windows\System32\cmd.exe
                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hfpeQ4JfvC.bat"
                                            13⤵
                                              PID:1548
                                              • C:\Windows\system32\w32tm.exe
                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                14⤵
                                                  PID:940
                                                • C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe
                                                  "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe"
                                                  14⤵
                                                  • Executes dropped EXE
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:2580
                                                  • C:\Windows\System32\cmd.exe
                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QLPJAVlmCt.bat"
                                                    15⤵
                                                      PID:2916
                                                      • C:\Windows\system32\w32tm.exe
                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                        16⤵
                                                          PID:3004
                                                        • C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe
                                                          "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe"
                                                          16⤵
                                                          • Executes dropped EXE
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:1868
                                                          • C:\Windows\System32\cmd.exe
                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oYNvu0ZNBR.bat"
                                                            17⤵
                                                              PID:3036
                                                              • C:\Windows\system32\w32tm.exe
                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                18⤵
                                                                  PID:2244
                                                                • C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe
                                                                  "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe"
                                                                  18⤵
                                                                  • Executes dropped EXE
                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:764
                                                                  • C:\Windows\System32\cmd.exe
                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hJP5Gj8VmP.bat"
                                                                    19⤵
                                                                      PID:1956
                                                                      • C:\Windows\system32\w32tm.exe
                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                        20⤵
                                                                          PID:1808
                                                                        • C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe
                                                                          "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe"
                                                                          20⤵
                                                                          • Executes dropped EXE
                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          PID:1924
                                                                          • C:\Windows\System32\cmd.exe
                                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kUVpzpaF2i.bat"
                                                                            21⤵
                                                                              PID:2548
                                                                              • C:\Windows\system32\w32tm.exe
                                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                22⤵
                                                                                  PID:2400
                                                                                • C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe
                                                                                  "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe"
                                                                                  22⤵
                                                                                  • Executes dropped EXE
                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                  PID:1884
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\spoolsv.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2072
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\spoolsv.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2788
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Adobe\spoolsv.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1212
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Windows\ehome\OSPPSVC.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2956
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\ehome\OSPPSVC.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1592
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Windows\ehome\OSPPSVC.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1252
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\sppsvc.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2412
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\sppsvc.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:3012
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\sppsvc.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2380
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\DllCommonsvc.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2912
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\DllCommonsvc.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:3068
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\DllCommonsvc.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2832
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\services.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2796
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2352
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2420
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\audiodg.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2316
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\audiodg.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1208
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\audiodg.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1600
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1712
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2112
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:480
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2332
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1880
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:548
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\providercommon\services.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2124
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2056
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2184
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Users\Default\SendTo\wininit.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1732
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default\SendTo\wininit.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1348
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Users\Default\SendTo\wininit.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1824
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Desktop\spoolsv.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:844
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\spoolsv.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:684
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Desktop\spoolsv.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:568
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\System.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2976
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\System.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2104
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\System.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1812
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\OSPPSVC.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1972
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\OSPPSVC.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2028
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\OSPPSVC.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2064
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\conhost.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1676
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\conhost.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1316
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Mail\conhost.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2204
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Windows\DigitalLocker\it-IT\services.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1936
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\it-IT\services.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:3064
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Windows\DigitalLocker\it-IT\services.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:3024
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1664
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1520
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2464
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\System.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2280
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\System.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2164
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\System.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2128

                                      Network

                                            MITRE ATT&CK Enterprise v15

                                            Replay Monitor

                                            Loading Replay Monitor...

                                            Downloads

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B

                                              MD5

                                              632d3a98bfc6cfaff5643a484673d92e

                                              SHA1

                                              72974a34f36ee8ff9c6d20c52036cfca37f264ec

                                              SHA256

                                              8892d8c715d499527a534040d28c68a36c8346d9c21df21f845b7bc6378f80f5

                                              SHA512

                                              8e7894fb79488cf7bf24e228bda413693c022cbf75277be56afb7ee8a77b87c296ef0f0817fd619ea9c984f5e9db797bba82563bfcef665bdc5bfcd04e7b4023

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B

                                              MD5

                                              f19f9ef308740b9925bd40fd8e9b88ab

                                              SHA1

                                              9644fd7e1df5b13df453eaa8e0941cb0d76d569a

                                              SHA256

                                              a6807d701bc8bb4a7db9989995e055586c657e81a545666581d8ae7ab1974902

                                              SHA512

                                              2ec967bf78fc2cd6ef93c08d25999219ea970b885966e7aafc378f479c88f2fd6f2ffea87b075a65bc59c72d56d02daeb6a5e8005b64f625b074082d44cacbcf

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B

                                              MD5

                                              31829ded67aa96f0e05b041e3f92ab6e

                                              SHA1

                                              349a2bfd9c762b1d47d6f271066a2cdeb7fa2fe8

                                              SHA256

                                              c16aa2b385c46cb1095684fd1d86985b0aa925c9b2b712ac4abc6b4a075ad103

                                              SHA512

                                              df981f2e3afad54104e6af33a6ac6706ed60e4205c87d122b31f71045350ed11f6a15902339055ae770ef8117ee0db9c186ce0f2eea38aef356dab961238e8ac

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B

                                              MD5

                                              966c2dbec10315632bcec791298144b0

                                              SHA1

                                              0af216b37866b032c5df25a919fcfbc534bbd888

                                              SHA256

                                              697639d8389766745162b0334f6dbad422ac5118fdbd986c15c307db51cb309b

                                              SHA512

                                              6ee78e8cdd1d752709e13249ee440e07a262b96fe093e0dc8258feb3f327fb188a7208d7d683d7bda2979852429d2ed6032088a198e3c1047eb1b97d390a65b9

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B

                                              MD5

                                              c0934006a797e92bf6b4e26fbd25e8d3

                                              SHA1

                                              2fee85dfeec07c9ab5df04b90a381fb7c88c1321

                                              SHA256

                                              a61dadb0f2a3a7ee4a7985028361bda32f729b50a5dc3ec0db410506c1812616

                                              SHA512

                                              bb0e3936f735f4edcd6229c6a49fa92cef8e32bc7b3b04988a986d5e59876ad96a3bdf733a301bc633b16ca671d0ecfa6b65688570b673b90a7c7787d1a239b1

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B

                                              MD5

                                              6d210a677ae83a54bed4c1addcc1f508

                                              SHA1

                                              bd52e5ffb46df5b1cc75f944473579c439a6ae8b

                                              SHA256

                                              83f6127891411af38b8f25cd6789e6720236c2eb7f90af4dfd99db0b869e7e16

                                              SHA512

                                              2ab073379dddfe2438116ed33ac111f5008c197fdac09c39d52cabb865158a83f8d0fcd14cb5f8f833b1fa98b0734c1ba89fd4ea268d305dbf9150b5d9e6c981

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B

                                              MD5

                                              e774e32abba504f418f9c392b93d9cf0

                                              SHA1

                                              1ffebd65c622b579ea958255ad25dcc5cdbe005b

                                              SHA256

                                              ff5512a3386e6f77c94ce931a33b36fbe4fc450f2e0d13f905c00df914686584

                                              SHA512

                                              145e938eb08b2d729858f3da5a1092805aaeef10321786697dbc13f3d74040da53be2a0da3f5a2090f5656789b659093facbc3a50a68aacd25f7d828e77dc913

                                            • C:\Users\Admin\AppData\Local\Temp\5eI0Zh92hY.bat

                                              Filesize

                                              246B

                                              MD5

                                              d9aed5e720fc264c40bf0a5cd1b1a119

                                              SHA1

                                              49ed171691c8cc7e404d3f0390292c262e96fbc5

                                              SHA256

                                              221ac36ef9cedb17dd47a96670f2460b1381a382a531087da9a0a5799f786ef2

                                              SHA512

                                              6672334b3a6f55568d0d0049955cb1ec8bf1745abc588e661fc766f98b4ce1536b97ea2cf7d606a7e1a641f513d1b8deff819ea6caf2c7732a713db0b9eb1f66

                                            • C:\Users\Admin\AppData\Local\Temp\CabBAAA.tmp

                                              Filesize

                                              70KB

                                              MD5

                                              49aebf8cbd62d92ac215b2923fb1b9f5

                                              SHA1

                                              1723be06719828dda65ad804298d0431f6aff976

                                              SHA256

                                              b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                              SHA512

                                              bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                            • C:\Users\Admin\AppData\Local\Temp\MsSi1KDKJG.bat

                                              Filesize

                                              246B

                                              MD5

                                              66a764f61eb8fc2db47985a3a9dde0aa

                                              SHA1

                                              ee4f5bc2f488649e8b351e3bfeb28b3a1c9962c4

                                              SHA256

                                              2dce675c63aadd131dd09a8ce5f87ab4a4e9b06de013bad490727fe27d14e5a9

                                              SHA512

                                              9e9e78d1d2553af64a7ac681b64f838d35df3377237deb324d3fb491c06fc2576dc63c69f911a07517bf4ad5215a0443e0eff8fe25b9f3fd3c5b6fb87409e6ea

                                            • C:\Users\Admin\AppData\Local\Temp\QLPJAVlmCt.bat

                                              Filesize

                                              246B

                                              MD5

                                              b961b76d1d54d41df78b65365a2014a4

                                              SHA1

                                              b0623f00ed3bdff08f189159d05dac8096add1ec

                                              SHA256

                                              7611347e6c55a917331892272be0fb31393cfc5aca008e4d2c176c9372fa72d4

                                              SHA512

                                              41e222dc01678fb1f4954e807ad26ff470d8c03d801e7161e4262ba376555108479230b2ecb79965a8ce5352ff15c7814ab04124baf6255ea88ec8c617870776

                                            • C:\Users\Admin\AppData\Local\Temp\TarBACC.tmp

                                              Filesize

                                              181KB

                                              MD5

                                              4ea6026cf93ec6338144661bf1202cd1

                                              SHA1

                                              a1dec9044f750ad887935a01430bf49322fbdcb7

                                              SHA256

                                              8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                                              SHA512

                                              6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                            • C:\Users\Admin\AppData\Local\Temp\TdvQL68WQX.bat

                                              Filesize

                                              246B

                                              MD5

                                              12fd04a2b286a331afd74ae2351ad5fb

                                              SHA1

                                              fa70385cb5cea73445f42e5f983b0b86a27d8199

                                              SHA256

                                              9559241758f39b8316be96829809368ed5596abcff21122183257e0fc3ac70d7

                                              SHA512

                                              50f658fb253f4ac9bcb7bcda441316adee54bbf56ae0dee2747c4df5bc4ae93f951938dd91a78b05aeb6cee0b85155445cb6d27e64205d9e9b6825a1c2b0d65d

                                            • C:\Users\Admin\AppData\Local\Temp\hJP5Gj8VmP.bat

                                              Filesize

                                              246B

                                              MD5

                                              586b87feb3e214a187c07c829009e5ab

                                              SHA1

                                              bb93f38202f1d2edcd4a10cb423aa486de27b89a

                                              SHA256

                                              7a62e9335c236d634e2570a87bea42d8ea332b6a8c81fd94b280c49ae80fd80f

                                              SHA512

                                              15effaec8ebe237b2d4564dc73c27d6401e644e676c740566cd588bcd0ddf50f43c13a60b08e24a0cde8c3c7a2b7a19254b5effa53c13723af3f516b7da8f66c

                                            • C:\Users\Admin\AppData\Local\Temp\hfpeQ4JfvC.bat

                                              Filesize

                                              246B

                                              MD5

                                              a8c1d50cd2dde414c132911b58d12e91

                                              SHA1

                                              0c397388383055c87114950bc8ab17c61fdec591

                                              SHA256

                                              7b0d1a470f1e1c3452fed0aead52b45a6fdc9bb18c605b295c43316f2562fbde

                                              SHA512

                                              9e9d1f2cac78e5cce620edf2c8832d309b917266f4f21df81b64ba85247fb5d9a9f082532636f948f2cefc79114ee385beac15a5833bafb035d8e6c1fab03a45

                                            • C:\Users\Admin\AppData\Local\Temp\kUVpzpaF2i.bat

                                              Filesize

                                              246B

                                              MD5

                                              2a6566155144eee9108a7e515030e28a

                                              SHA1

                                              9ff641fe474e8a0544b285b6002bbe02abb65d29

                                              SHA256

                                              1c93097e752c9e410921fcc660f55fafa807e13968e7624c5560c18fe12f8ae1

                                              SHA512

                                              4c29de08a2e86d05366b9301e45ddcdd99cf4d5f6722aa7ea281bc8a570af2c5b2cb717bf6ede091daf69e4c680e465b30651d3611e297b35370b00f12803200

                                            • C:\Users\Admin\AppData\Local\Temp\oYNvu0ZNBR.bat

                                              Filesize

                                              246B

                                              MD5

                                              cd7b5ffa115c6b813dc834fc71ed7c4b

                                              SHA1

                                              b045267d7c60ee56826b763d794c759e344ac7c6

                                              SHA256

                                              ccfab1a288a34085aad6a02e280a9d10c6f155f9a13a998eeb7699603cc3c945

                                              SHA512

                                              5f9b87f2b05ffff4c702cb780514b15a7a75469bcd07c4ed71b0e889a934210e156465579496bbdc473f0645d67ebe2c1d4a974a8854e2e232bb26e661f72138

                                            • C:\Users\Admin\AppData\Local\Temp\qqpXlQnQd1.bat

                                              Filesize

                                              246B

                                              MD5

                                              ee16c0d79b3ed8ae2f5a15a928eba92a

                                              SHA1

                                              7a036489989c77013535e66bf57e25a1efef047f

                                              SHA256

                                              eebacbe44c9b3211d29b8106a3f2bf855021185bcdffd8ca82b36696602b7c80

                                              SHA512

                                              8e3d05e27bdd87bc825a41a0656dc56ee46c5de7ed220bb6fe102a595aeb71c0bb79e386a1ee9f3d6ed2f38525f23d3e25b9372ddd4b9acc7dfd3d155b8d0a50

                                            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                              Filesize

                                              7KB

                                              MD5

                                              49d52b4d692fd368dcb93fbfd967ed3c

                                              SHA1

                                              b0e155faf25feb334ddad4225220ea5477560d4c

                                              SHA256

                                              338289d1c9b6756726b3d02b708eff36f16b3971ca2241b6debc4c92139ff18c

                                              SHA512

                                              b457d7b1ca07c7a3f3e3b0f42b0cf46c65bb600bada008c55ec489d7a6a19c35795de7afd15fda7c66f25cf3d1b1d064e1215f7599c2b38ba6482cce096f9b10

                                            • C:\providercommon\1zu9dW.bat

                                              Filesize

                                              36B

                                              MD5

                                              6783c3ee07c7d151ceac57f1f9c8bed7

                                              SHA1

                                              17468f98f95bf504cc1f83c49e49a78526b3ea03

                                              SHA256

                                              8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

                                              SHA512

                                              c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                            • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                              Filesize

                                              197B

                                              MD5

                                              8088241160261560a02c84025d107592

                                              SHA1

                                              083121f7027557570994c9fc211df61730455bb5

                                              SHA256

                                              2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

                                              SHA512

                                              20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                            • \providercommon\DllCommonsvc.exe

                                              Filesize

                                              1.0MB

                                              MD5

                                              bd31e94b4143c4ce49c17d3af46bcad0

                                              SHA1

                                              f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                              SHA256

                                              b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                              SHA512

                                              f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                            • memory/264-270-0x00000000002B0000-0x00000000003C0000-memory.dmp

                                              Filesize

                                              1.1MB

                                            • memory/764-510-0x00000000011E0000-0x00000000012F0000-memory.dmp

                                              Filesize

                                              1.1MB

                                            • memory/1152-330-0x0000000000C10000-0x0000000000D20000-memory.dmp

                                              Filesize

                                              1.1MB

                                            • memory/1152-331-0x0000000000240000-0x0000000000252000-memory.dmp

                                              Filesize

                                              72KB

                                            • memory/1824-151-0x0000000000240000-0x0000000000252000-memory.dmp

                                              Filesize

                                              72KB

                                            • memory/1824-150-0x0000000000870000-0x0000000000980000-memory.dmp

                                              Filesize

                                              1.1MB

                                            • memory/1884-629-0x0000000000100000-0x0000000000210000-memory.dmp

                                              Filesize

                                              1.1MB

                                            • memory/2128-210-0x0000000000960000-0x0000000000A70000-memory.dmp

                                              Filesize

                                              1.1MB

                                            • memory/2580-391-0x0000000000FF0000-0x0000000001100000-memory.dmp

                                              Filesize

                                              1.1MB

                                            • memory/2700-61-0x000000001B660000-0x000000001B942000-memory.dmp

                                              Filesize

                                              2.9MB

                                            • memory/2700-62-0x0000000000340000-0x0000000000348000-memory.dmp

                                              Filesize

                                              32KB

                                            • memory/2988-15-0x0000000000250000-0x000000000025C000-memory.dmp

                                              Filesize

                                              48KB

                                            • memory/2988-16-0x0000000000260000-0x000000000026C000-memory.dmp

                                              Filesize

                                              48KB

                                            • memory/2988-14-0x0000000000150000-0x0000000000162000-memory.dmp

                                              Filesize

                                              72KB

                                            • memory/2988-13-0x00000000002C0000-0x00000000003D0000-memory.dmp

                                              Filesize

                                              1.1MB

                                            • memory/2988-17-0x0000000000270000-0x000000000027C000-memory.dmp

                                              Filesize

                                              48KB