Analysis

  • max time kernel
    146s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    30/12/2024, 01:50

General

  • Target

    JaffaCakes118_5c0e63d6e1c302991ee83f8d3dda67e76c43c480af0236cade9dda14b1eb6f11.exe

  • Size

    1.3MB

  • MD5

    5062614a06b3e5793522dbc1119a643b

  • SHA1

    6b97b6d548e8cdb9ed861b707ad336562974928a

  • SHA256

    5c0e63d6e1c302991ee83f8d3dda67e76c43c480af0236cade9dda14b1eb6f11

  • SHA512

    8ba800b02de0295f1ff11e8e0fb660bd322515773a3064df497e383b6ef2974d96a9f5d3e89a5cd76e8035adb2aa7eec06f3e571959a9e95a1ca54d3582f70cf

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 48 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 9 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious use of AdjustPrivilegeToken 28 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c0e63d6e1c302991ee83f8d3dda67e76c43c480af0236cade9dda14b1eb6f11.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c0e63d6e1c302991ee83f8d3dda67e76c43c480af0236cade9dda14b1eb6f11.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2744
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2152
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2888
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2880
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            PID:1760
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SoftwareDistribution\ScanFile\dwm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2540
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\explorer.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1584
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\cmd.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1692
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1576
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2968
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\fr-FR\taskhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2216
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\wininit.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3016
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1620
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1780
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ja-JP\spoolsv.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2772
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\My Videos\lsass.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2124
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dllhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2804
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\fr-FR\winlogon.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2904
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2908
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Videos\Sample Videos\audiodg.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2912
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2180
          • C:\Users\Public\cmd.exe
            "C:\Users\Public\cmd.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2672
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jaxwQXfGLd.bat"
              6⤵
                PID:2728
                • C:\Windows\system32\w32tm.exe
                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                  7⤵
                    PID:2688
                  • C:\Users\Public\cmd.exe
                    "C:\Users\Public\cmd.exe"
                    7⤵
                    • Executes dropped EXE
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1164
                    • C:\Windows\System32\cmd.exe
                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5Ad8adCyX4.bat"
                      8⤵
                        PID:2152
                        • C:\Windows\system32\w32tm.exe
                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                          9⤵
                            PID:1036
                          • C:\Users\Public\cmd.exe
                            "C:\Users\Public\cmd.exe"
                            9⤵
                            • Executes dropped EXE
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            PID:2136
                            • C:\Windows\System32\cmd.exe
                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Jk1vLt9ke4.bat"
                              10⤵
                                PID:1896
                                • C:\Windows\system32\w32tm.exe
                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                  11⤵
                                    PID:2804
                                  • C:\Users\Public\cmd.exe
                                    "C:\Users\Public\cmd.exe"
                                    11⤵
                                    • Executes dropped EXE
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:696
                                    • C:\Windows\System32\cmd.exe
                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xAFUrPKKMy.bat"
                                      12⤵
                                        PID:348
                                        • C:\Windows\system32\w32tm.exe
                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                          13⤵
                                            PID:2276
                                          • C:\Users\Public\cmd.exe
                                            "C:\Users\Public\cmd.exe"
                                            13⤵
                                            • Executes dropped EXE
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:1452
                                            • C:\Windows\System32\cmd.exe
                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2K3DLFE7WC.bat"
                                              14⤵
                                                PID:2968
                                                • C:\Windows\system32\w32tm.exe
                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                  15⤵
                                                    PID:1524
                                                  • C:\Users\Public\cmd.exe
                                                    "C:\Users\Public\cmd.exe"
                                                    15⤵
                                                    • Executes dropped EXE
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:2032
                                                    • C:\Windows\System32\cmd.exe
                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sPXGbYzrvf.bat"
                                                      16⤵
                                                        PID:3056
                                                        • C:\Windows\system32\w32tm.exe
                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                          17⤵
                                                            PID:1748
                                                          • C:\Users\Public\cmd.exe
                                                            "C:\Users\Public\cmd.exe"
                                                            17⤵
                                                            • Executes dropped EXE
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:2796
                                                            • C:\Windows\System32\cmd.exe
                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eTpA0L9dlX.bat"
                                                              18⤵
                                                                PID:616
                                                                • C:\Windows\system32\w32tm.exe
                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                  19⤵
                                                                    PID:2232
                                                                  • C:\Users\Public\cmd.exe
                                                                    "C:\Users\Public\cmd.exe"
                                                                    19⤵
                                                                    • Executes dropped EXE
                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    PID:1408
                                                                    • C:\Windows\System32\cmd.exe
                                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SNnEytbzjv.bat"
                                                                      20⤵
                                                                        PID:2012
                                                                        • C:\Windows\system32\w32tm.exe
                                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                          21⤵
                                                                            PID:2312
                                                                          • C:\Users\Public\cmd.exe
                                                                            "C:\Users\Public\cmd.exe"
                                                                            21⤵
                                                                            • Executes dropped EXE
                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:1872
                                                                            • C:\Windows\System32\cmd.exe
                                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QHkN6qNcbm.bat"
                                                                              22⤵
                                                                                PID:2340
                                                                                • C:\Windows\system32\w32tm.exe
                                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                  23⤵
                                                                                    PID:3044
                                                                                  • C:\Users\Public\cmd.exe
                                                                                    "C:\Users\Public\cmd.exe"
                                                                                    23⤵
                                                                                    • Executes dropped EXE
                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                    PID:2928
                                                                                    • C:\Windows\System32\cmd.exe
                                                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xm2kK1SIVO.bat"
                                                                                      24⤵
                                                                                        PID:2720
                                                                                        • C:\Windows\system32\w32tm.exe
                                                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                          25⤵
                                                                                            PID:536
                                                                                          • C:\Users\Public\cmd.exe
                                                                                            "C:\Users\Public\cmd.exe"
                                                                                            25⤵
                                                                                            • Executes dropped EXE
                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                            PID:2888
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Windows\SoftwareDistribution\ScanFile\dwm.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2672
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\ScanFile\dwm.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2704
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Windows\SoftwareDistribution\ScanFile\dwm.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:804
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\explorer.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1684
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\explorer.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2988
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\explorer.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:304
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Users\Public\cmd.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2276
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Public\cmd.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2500
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Users\Public\cmd.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1376
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\providercommon\conhost.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2596
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:3048
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2920
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2092
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1892
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2236
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Windows\fr-FR\taskhost.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2312
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\fr-FR\taskhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1884
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Windows\fr-FR\taskhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2292
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\wininit.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1176
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\wininit.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:772
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\wininit.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:272
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\providercommon\taskhost.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1744
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2188
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2480
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\providercommon\conhost.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2360
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1940
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2140
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Windows\ja-JP\spoolsv.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2136
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\ja-JP\spoolsv.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1384
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Windows\ja-JP\spoolsv.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1888
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Documents\My Videos\lsass.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:988
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Videos\lsass.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:980
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Documents\My Videos\lsass.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2496
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dllhost.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:344
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:592
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2660
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\winlogon.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2228
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\winlogon.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2592
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\winlogon.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2020
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:800
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2436
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2056
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Videos\Sample Videos\audiodg.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1660
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Public\Videos\Sample Videos\audiodg.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2032
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Videos\Sample Videos\audiodg.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2472
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\providercommon\spoolsv.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:300
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1992
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1712

                                          Network

                                                MITRE ATT&CK Enterprise v15

                                                Replay Monitor

                                                Loading Replay Monitor...

                                                Downloads

                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                  Filesize

                                                  342B

                                                  MD5

                                                  3d9e89cc4c166449b50794993a331de2

                                                  SHA1

                                                  055711e76621504545ec6393e2442859625c6eef

                                                  SHA256

                                                  919153e850156271ffae28e1d19b5bb09903215560f9923a9c470a510c7797d8

                                                  SHA512

                                                  21f32f496e5c592d18454a1612c7dbfe8097cafbccbdba4a940fae0425621bd5d9a6627c5eac2d49b33779c092676ee59bb18ffd4e77c8f21d7800e6ea8707d5

                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                  Filesize

                                                  342B

                                                  MD5

                                                  8855bdab34c3ff0beb01f575dc2d5831

                                                  SHA1

                                                  eadeaf8fcfc91beca9cd62d34ccf85b3f996f12f

                                                  SHA256

                                                  004c8b7d0a6130bae50edc7a0f520ef5585ff633cab3b9b1c3418c9a12268610

                                                  SHA512

                                                  0e4d19a2143cc2a8ddb29639bcccaeffa101bb608140a56cd32ffd5cc86a7ecb066567e13bd8e304de58ff4ea2009d6504b06c0f073be37af320d6e20ac54407

                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                  Filesize

                                                  342B

                                                  MD5

                                                  bca43b667dd0a0b41717edb126ce4dd3

                                                  SHA1

                                                  0268dfcd037ca8e4f590a267048e2d5685e57de3

                                                  SHA256

                                                  a3a29875748d253bfa60f42624beced388fa345f6f34f9f86a69ec51a39e50c5

                                                  SHA512

                                                  25f47cfe937055cd6ee684cb27adb6b0281c710b4daf1a1be2ef966c4b8277dd7c869e5a08ba60ad3297b8cb5eb19719afe8df44c0bb8ac0930f3970868081d5

                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                  Filesize

                                                  342B

                                                  MD5

                                                  efd2a719bfe43d2eb88ce22d2ef4627b

                                                  SHA1

                                                  d0d874980cbe7cbd8c5116306056dbef99c441f5

                                                  SHA256

                                                  a575f92b3f47a1236ac409d776c18e0b420d3ed575b5736a7cc709c502eeadf5

                                                  SHA512

                                                  ed5a08a4586b0295cc627369fb98c486d8cc880a7c703b9e4c67f993b05013324d1311619d3bad8555f8d8729855b610d92e5e3677779f9ff554fed74645e5f8

                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                  Filesize

                                                  342B

                                                  MD5

                                                  10bf5a844f970cb1893957f8f7238d2a

                                                  SHA1

                                                  6c06bde45bef1beb84a15b86b5314149c03875fb

                                                  SHA256

                                                  c2558de9ac3d6e2f9f942f25d70fc91df52a14c3888642705f4354e2ad7117de

                                                  SHA512

                                                  4fe816a8d133bd3add63f8512d6a79f7f7dec0e0b2e2ed62ad3099ba30ccfcede724495818e508e2ca7b94ac79a483d5595b2b869c39b568ce8fd0d5734b61ae

                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                  Filesize

                                                  342B

                                                  MD5

                                                  df5e2878a605e90f52ba3bfa54b23c3a

                                                  SHA1

                                                  519cc7d4efcaa8836084679ff6546c4335236f74

                                                  SHA256

                                                  609ef1d2428617b26aec9311b0b207d9a183b45b0611c7dc49c2661faf1cb6e1

                                                  SHA512

                                                  417d35f7a7b648352b5e252f4fb613bbb06a1fb87e0341e08a39252579a25cedc6dd5227a1ce7367456d701b67f89b0fac269c18364b37b641afc0256d1ebbb7

                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                  Filesize

                                                  342B

                                                  MD5

                                                  3b1f8ce64acc55d80c769f0c4d51ebd8

                                                  SHA1

                                                  30a0f69cd90d4ec48591ec1bfa36f690640b9fa2

                                                  SHA256

                                                  d5b49ae7855b1c127d5ea7c93d58ebed2561d2f35eb71b96d6e486095ebdfdc6

                                                  SHA512

                                                  ac69cafd953936f8a9e3dc10762a72887b5cfad86ddd988be9346342f2e499e0bef90bf2fe949f819bd5f0133be9f94215b92d2d6d0c4c030ff597bc177fd1a3

                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                  Filesize

                                                  342B

                                                  MD5

                                                  3d1249599ef27cfbdc9577f9b229e511

                                                  SHA1

                                                  d77624f6401383bc755516009cd4cba30b3f60dc

                                                  SHA256

                                                  6daedf425526e319d7c094705487813cc858c4088c3ec38ebb9b07695d9bbc8f

                                                  SHA512

                                                  f7c73033e4588953501d9aefd39349a920dd8c28342a42f8a67430aaa1a258888d6f83c202e5aa98a33cc41408f3bf7c71472f229bcf16597a7fa3af8a48c172

                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                  Filesize

                                                  342B

                                                  MD5

                                                  525aae4dd0fe5c78c967afbd15980d66

                                                  SHA1

                                                  6971312b46eb549aa0dec3d71c88c5da5da4f01c

                                                  SHA256

                                                  a0e219835e349d93dd00647d4ecec7b9aa5008e3f9a6387f7803999f731ddf95

                                                  SHA512

                                                  c0e743ba74f298175fdec5cde1f60f5a8bfee002c5141208b5e6e72a05a9f5e246040b2261caada4cd8c0ba8782a381f196dfb829ebda578df0dc6ca7c69e22d

                                                • C:\Users\Admin\AppData\Local\Temp\2K3DLFE7WC.bat

                                                  Filesize

                                                  188B

                                                  MD5

                                                  429c8b930545514f14b091f550b5bfd3

                                                  SHA1

                                                  af3d2cc95c353cfcc2364c7f2098fcbc0fefd012

                                                  SHA256

                                                  01c48ffc11e6054c3147ad7154b1ec8881e7b087748fe8eb9f3cf95d580e3556

                                                  SHA512

                                                  959d8c3bbf6a5695fb22813a9288955293ea0432ff41db7337667cf45381f760649097aa67479c656a6abb258d62c6123c78b045a1ce3fdddc5c1039bd88ef43

                                                • C:\Users\Admin\AppData\Local\Temp\5Ad8adCyX4.bat

                                                  Filesize

                                                  188B

                                                  MD5

                                                  f71be3873c01c0d3cfc0a677c9298a47

                                                  SHA1

                                                  6a629fae6fa5b36b35e0691ccbfd75542a073742

                                                  SHA256

                                                  a8bd017bde3c12e09bf210b7b2757e3ecfed44372ab1d2437734a333e0a765c7

                                                  SHA512

                                                  bfbbfd415f68a4b17957c3b8ec70a762e97ca58091fb5dbb1fa03a79dc13f58b2c997bd0af2d5494ce961348f67102fd6188149dde08659ba188cc98b907bf8c

                                                • C:\Users\Admin\AppData\Local\Temp\CabAD61.tmp

                                                  Filesize

                                                  70KB

                                                  MD5

                                                  49aebf8cbd62d92ac215b2923fb1b9f5

                                                  SHA1

                                                  1723be06719828dda65ad804298d0431f6aff976

                                                  SHA256

                                                  b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                                  SHA512

                                                  bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                                • C:\Users\Admin\AppData\Local\Temp\Jk1vLt9ke4.bat

                                                  Filesize

                                                  188B

                                                  MD5

                                                  eaae9407e0536922dddb39d4009a6436

                                                  SHA1

                                                  7585304ce0530bd0dab6b3dae2b56f33aaf5b6a2

                                                  SHA256

                                                  8083180f922e5573a7840dae02fc1b01282843867f602fb2f32c2395549d5a10

                                                  SHA512

                                                  33964e2c49371e4728cecb75f6bb03ab39c46f4db949affb4e0878959c3a7d454968ab28f211b3e4f08e43ca57cf8fe4c176525fbe09a636aa635fdb8ebb5b4c

                                                • C:\Users\Admin\AppData\Local\Temp\QHkN6qNcbm.bat

                                                  Filesize

                                                  188B

                                                  MD5

                                                  971bf380edad5494123e3270d227a736

                                                  SHA1

                                                  40219bbd7753228d0296c9e320ee11c657d140d3

                                                  SHA256

                                                  c8eaaa1f74cf76679c7224a356c74e3626726d326d92befa6c9cf1469db7e7f9

                                                  SHA512

                                                  6f29ef025d5f53078549ca28174524fc0a2356e0bbc7ab7c9a56b48065d19274b07d85ec261f0e5ce142f2ca5142d21ee94a824af90f6f18981027b039082a01

                                                • C:\Users\Admin\AppData\Local\Temp\SNnEytbzjv.bat

                                                  Filesize

                                                  188B

                                                  MD5

                                                  74a0aab2fe44d1bb9a14c3604e3e055b

                                                  SHA1

                                                  f751c824e5bc883745575e86aaddf5a780e3ab70

                                                  SHA256

                                                  379c647cae67fd3d97833689f24c1959f64dcd4275634121554dd2795688dc75

                                                  SHA512

                                                  47e355b0d55246fc7b960ba4e2fd870efbfb3dabc9d20f1eff9211382f1087be45fc0392b816bb06c31b6263286fbae7611cdb99754ee32a138a929e8ced6b3f

                                                • C:\Users\Admin\AppData\Local\Temp\TarAD83.tmp

                                                  Filesize

                                                  181KB

                                                  MD5

                                                  4ea6026cf93ec6338144661bf1202cd1

                                                  SHA1

                                                  a1dec9044f750ad887935a01430bf49322fbdcb7

                                                  SHA256

                                                  8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                                                  SHA512

                                                  6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                                • C:\Users\Admin\AppData\Local\Temp\eTpA0L9dlX.bat

                                                  Filesize

                                                  188B

                                                  MD5

                                                  e61ae54a4a27f6346381d5e2e02b279d

                                                  SHA1

                                                  3d6efe71fa7f3e3b1e1b1ff30920b70ce78a889c

                                                  SHA256

                                                  03f7fabe710173cd15fc1a709ceb5cdf44d5cb87c8f9917175b581a2d4e02b4e

                                                  SHA512

                                                  fb676826f44d20f7192d396768a1689cdbc88c67df1b45c8ee2d19730c83615dc4498a1fe25f652311b36b93049bf1357329631f55fd3fc17f9d69490fc632e3

                                                • C:\Users\Admin\AppData\Local\Temp\jaxwQXfGLd.bat

                                                  Filesize

                                                  188B

                                                  MD5

                                                  31b0ee83f04ed132f4ab906869afb989

                                                  SHA1

                                                  76b527df15986d6007b43d446674e476a281e667

                                                  SHA256

                                                  5fe4b578af003399cd6ade33022c898ea3577a6bd6fbcbedf38a5345d5d5800b

                                                  SHA512

                                                  fa036e92b818570ceca3238628b7c65e917be41a081721a208d0558ff8ff8775a285fa9435efe3fbfa5c61a6179bfe690777a4edc159f70a8826ba035cad0331

                                                • C:\Users\Admin\AppData\Local\Temp\sPXGbYzrvf.bat

                                                  Filesize

                                                  188B

                                                  MD5

                                                  c5f923a4b37de138f98072acfc5b2934

                                                  SHA1

                                                  6a055347e2d4a25ab080ed9354e4ff1b31a4865d

                                                  SHA256

                                                  64dc1b1002e3d5a737b33e6ff13a02df75bfbf5e643091b21e232000ca6914d2

                                                  SHA512

                                                  e8c0670acbc6fec49edc2d0fdc01c0cd0d6f48ef7f3807289b472acd6b94c075f6bde21979db0b9dc6822296438383e304936325f5d495026a17bcd796ad17cf

                                                • C:\Users\Admin\AppData\Local\Temp\xAFUrPKKMy.bat

                                                  Filesize

                                                  188B

                                                  MD5

                                                  3942212c5c50a72364cafbd5052eb9fa

                                                  SHA1

                                                  86bb427acd6d541ba707e168f86a5711854cd942

                                                  SHA256

                                                  5192f8691137af9f571eba6795a57c695fadba0ebaf2b0be0d1c3ba771a85149

                                                  SHA512

                                                  6aa5260019fc7e0ed3d9d30448671275ccefa41d328d00f96414c36d909d6c1ee924d1bcdf189f3fc91fe820cf4f56984cb355d24961550ff5e41bbb3d448f68

                                                • C:\Users\Admin\AppData\Local\Temp\xm2kK1SIVO.bat

                                                  Filesize

                                                  188B

                                                  MD5

                                                  5200b24564022580a23a45e724f1a0b7

                                                  SHA1

                                                  9ea07b172d29f02c7be00877b924783caededd00

                                                  SHA256

                                                  ad32fce11865e2501a360703bfe990dea3b3718f7d3d547005b2df06a4e94950

                                                  SHA512

                                                  3679c80d97d71f249157a90d657d64b16dd508fbf9cd643ed8bcab7fac9854ed932fa0f2c043bc69f86afa6e8ff276b87b57141f75501cb7655d57073c6b40ea

                                                • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                                  Filesize

                                                  7KB

                                                  MD5

                                                  486d4cd85822358786f60abf8181d372

                                                  SHA1

                                                  bb5f368f6f91824072ef2bcfd48fa5d47343f202

                                                  SHA256

                                                  1056ac94a03b432c22b351edfd285fc5e9228634d28a1b8bcdf0f34b328c0a3d

                                                  SHA512

                                                  6cfd365c419abacfab623b9e4b1b1e0fbbc8fb547f7c340a88bbb222a2d9765bb271ba3241f6f0005fdf53be6379d5e82c3844e4345f71c9c12af355531e919c

                                                • C:\providercommon\1zu9dW.bat

                                                  Filesize

                                                  36B

                                                  MD5

                                                  6783c3ee07c7d151ceac57f1f9c8bed7

                                                  SHA1

                                                  17468f98f95bf504cc1f83c49e49a78526b3ea03

                                                  SHA256

                                                  8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

                                                  SHA512

                                                  c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                                • C:\providercommon\DllCommonsvc.exe

                                                  Filesize

                                                  1.0MB

                                                  MD5

                                                  bd31e94b4143c4ce49c17d3af46bcad0

                                                  SHA1

                                                  f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                                  SHA256

                                                  b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                                  SHA512

                                                  f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                                • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                                  Filesize

                                                  197B

                                                  MD5

                                                  8088241160261560a02c84025d107592

                                                  SHA1

                                                  083121f7027557570994c9fc211df61730455bb5

                                                  SHA256

                                                  2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

                                                  SHA512

                                                  20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                                • memory/696-317-0x0000000000E40000-0x0000000000F50000-memory.dmp

                                                  Filesize

                                                  1.1MB

                                                • memory/1164-197-0x00000000001E0000-0x00000000002F0000-memory.dmp

                                                  Filesize

                                                  1.1MB

                                                • memory/1408-555-0x0000000000440000-0x0000000000452000-memory.dmp

                                                  Filesize

                                                  72KB

                                                • memory/2136-257-0x0000000000AE0000-0x0000000000BF0000-memory.dmp

                                                  Filesize

                                                  1.1MB

                                                • memory/2672-56-0x0000000000E50000-0x0000000000F60000-memory.dmp

                                                  Filesize

                                                  1.1MB

                                                • memory/2796-495-0x00000000011F0000-0x0000000001300000-memory.dmp

                                                  Filesize

                                                  1.1MB

                                                • memory/2880-15-0x0000000000550000-0x000000000055C000-memory.dmp

                                                  Filesize

                                                  48KB

                                                • memory/2880-16-0x0000000000560000-0x000000000056C000-memory.dmp

                                                  Filesize

                                                  48KB

                                                • memory/2880-14-0x0000000000540000-0x0000000000552000-memory.dmp

                                                  Filesize

                                                  72KB

                                                • memory/2880-13-0x0000000000140000-0x0000000000250000-memory.dmp

                                                  Filesize

                                                  1.1MB

                                                • memory/2880-17-0x0000000000790000-0x000000000079C000-memory.dmp

                                                  Filesize

                                                  48KB

                                                • memory/2888-734-0x0000000000D60000-0x0000000000E70000-memory.dmp

                                                  Filesize

                                                  1.1MB

                                                • memory/2928-674-0x0000000000350000-0x0000000000460000-memory.dmp

                                                  Filesize

                                                  1.1MB

                                                • memory/2968-63-0x00000000022C0000-0x00000000022C8000-memory.dmp

                                                  Filesize

                                                  32KB

                                                • memory/2968-62-0x000000001B510000-0x000000001B7F2000-memory.dmp

                                                  Filesize

                                                  2.9MB