Analysis

  • max time kernel
    150s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    30/12/2024, 02:32

General

  • Target

    JaffaCakes118_6417f15f0e04496200e688dd9e4782b82f0cc9e76a3167a259dc2cf25face837.exe

  • Size

    1.3MB

  • MD5

    5b52884d4c704aa839b386beefdf6d30

  • SHA1

    5eab9bc8fb34c5e024d4cb6e1234ba0f4a6c3e6d

  • SHA256

    6417f15f0e04496200e688dd9e4782b82f0cc9e76a3167a259dc2cf25face837

  • SHA512

    ff3354401c7a2f3fac284dcf72bad3b67c4de49fca3849003895798a347ca484b6503132f7b1807a106af6ec4e635dfc07caf6d9f5d2083de5e6e79005d0ba8c

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 51 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 12 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
  • Drops file in Program Files directory 13 IoCs
  • Drops file in Windows directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 31 IoCs
  • Suspicious use of AdjustPrivilegeToken 29 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6417f15f0e04496200e688dd9e4782b82f0cc9e76a3167a259dc2cf25face837.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6417f15f0e04496200e688dd9e4782b82f0cc9e76a3167a259dc2cf25face837.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1688
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2676
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2784
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2644
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2408
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\taskhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            PID:1228
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ehome\lsass.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1576
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\spoolsv.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3036
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\smss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1716
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\wininit.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2900
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\cmd.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2068
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\sppsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2356
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\wininit.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3056
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\wininit.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1688
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\SendTo\dllhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1120
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Desktop\taskhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2188
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\Idle.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1584
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Synchronization Services\lsass.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2776
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\explorer.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2596
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\DigitalLocker\it-IT\dllhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2704
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Fonts\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2652
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2104
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jpozkiw3ki.bat"
            5⤵
              PID:2556
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                6⤵
                  PID:1868
                • C:\Users\Default User\wininit.exe
                  "C:\Users\Default User\wininit.exe"
                  6⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:328
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2tBWjDxv5U.bat"
                    7⤵
                      PID:1504
                      • C:\Windows\system32\w32tm.exe
                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                        8⤵
                          PID:1264
                        • C:\Users\Default User\wininit.exe
                          "C:\Users\Default User\wininit.exe"
                          8⤵
                          • Executes dropped EXE
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2336
                          • C:\Windows\System32\cmd.exe
                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9j3rBUpSkc.bat"
                            9⤵
                              PID:3036
                              • C:\Windows\system32\w32tm.exe
                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                10⤵
                                  PID:1368
                                • C:\Users\Default User\wininit.exe
                                  "C:\Users\Default User\wininit.exe"
                                  10⤵
                                  • Executes dropped EXE
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:336
                                  • C:\Windows\System32\cmd.exe
                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\l7tVtcAquU.bat"
                                    11⤵
                                      PID:1604
                                      • C:\Windows\system32\w32tm.exe
                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                        12⤵
                                          PID:2000
                                        • C:\Users\Default User\wininit.exe
                                          "C:\Users\Default User\wininit.exe"
                                          12⤵
                                          • Executes dropped EXE
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:2588
                                          • C:\Windows\System32\cmd.exe
                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\I4yJNRBzAA.bat"
                                            13⤵
                                              PID:2328
                                              • C:\Windows\system32\w32tm.exe
                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                14⤵
                                                  PID:928
                                                • C:\Users\Default User\wininit.exe
                                                  "C:\Users\Default User\wininit.exe"
                                                  14⤵
                                                  • Executes dropped EXE
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:944
                                                  • C:\Windows\System32\cmd.exe
                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jFR8woBO6B.bat"
                                                    15⤵
                                                      PID:2712
                                                      • C:\Windows\system32\w32tm.exe
                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                        16⤵
                                                          PID:960
                                                        • C:\Users\Default User\wininit.exe
                                                          "C:\Users\Default User\wininit.exe"
                                                          16⤵
                                                          • Executes dropped EXE
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:2692
                                                          • C:\Windows\System32\cmd.exe
                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xZLz5Ote6t.bat"
                                                            17⤵
                                                              PID:2352
                                                              • C:\Windows\system32\w32tm.exe
                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                18⤵
                                                                  PID:2368
                                                                • C:\Users\Default User\wininit.exe
                                                                  "C:\Users\Default User\wininit.exe"
                                                                  18⤵
                                                                  • Executes dropped EXE
                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:2524
                                                                  • C:\Windows\System32\cmd.exe
                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\owZfSNRP11.bat"
                                                                    19⤵
                                                                      PID:1488
                                                                      • C:\Windows\system32\w32tm.exe
                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                        20⤵
                                                                          PID:2332
                                                                        • C:\Users\Default User\wininit.exe
                                                                          "C:\Users\Default User\wininit.exe"
                                                                          20⤵
                                                                          • Executes dropped EXE
                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          PID:1800
                                                                          • C:\Windows\System32\cmd.exe
                                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5AjNu1Vgdj.bat"
                                                                            21⤵
                                                                              PID:2952
                                                                              • C:\Windows\system32\w32tm.exe
                                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                22⤵
                                                                                  PID:2552
                                                                                • C:\Users\Default User\wininit.exe
                                                                                  "C:\Users\Default User\wininit.exe"
                                                                                  22⤵
                                                                                  • Executes dropped EXE
                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                  PID:1044
                                                                                  • C:\Windows\System32\cmd.exe
                                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iOYCRAfa0D.bat"
                                                                                    23⤵
                                                                                      PID:2852
                                                                                      • C:\Windows\system32\w32tm.exe
                                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                        24⤵
                                                                                          PID:2892
                                                                                        • C:\Users\Default User\wininit.exe
                                                                                          "C:\Users\Default User\wininit.exe"
                                                                                          24⤵
                                                                                          • Executes dropped EXE
                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:2580
                                                                                          • C:\Windows\System32\cmd.exe
                                                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yNYzWO1Iaj.bat"
                                                                                            25⤵
                                                                                              PID:2044
                                                                                              • C:\Windows\system32\w32tm.exe
                                                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                26⤵
                                                                                                  PID:2544
                                                                                                • C:\Users\Default User\wininit.exe
                                                                                                  "C:\Users\Default User\wininit.exe"
                                                                                                  26⤵
                                                                                                  • Executes dropped EXE
                                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                  PID:1480
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\taskhost.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2540
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\taskhost.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2492
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Adobe\taskhost.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2524
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Windows\ehome\lsass.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2536
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\ehome\lsass.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2152
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Windows\ehome\lsass.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1244
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\spoolsv.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:472
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\spoolsv.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1056
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\spoolsv.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1496
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\smss.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2816
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\smss.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2840
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\smss.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2864
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\wininit.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2980
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1104
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2532
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\cmd.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2340
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\cmd.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1976
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\cmd.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1964
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\sppsvc.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1304
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1264
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2352
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\wininit.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2740
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\wininit.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1792
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\wininit.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1924
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\providercommon\wininit.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1660
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2092
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:760
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\Default\SendTo\dllhost.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2468
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default\SendTo\dllhost.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2928
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\Default\SendTo\dllhost.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2348
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Desktop\taskhost.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1420
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\taskhost.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:664
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Desktop\taskhost.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1224
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\Idle.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:788
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\Idle.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1620
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\Idle.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1912
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\lsass.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2752
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\lsass.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2336
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\lsass.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1552
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\explorer.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:464
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\explorer.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2424
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Mail\explorer.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1148
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Windows\DigitalLocker\it-IT\dllhost.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1028
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\it-IT\dllhost.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2288
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Windows\DigitalLocker\it-IT\dllhost.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:944
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\Fonts\csrss.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1752
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Fonts\csrss.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2296
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\Fonts\csrss.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2428
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2332
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:888
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2432

                                              Network

                                                    MITRE ATT&CK Enterprise v15

                                                    Replay Monitor

                                                    Loading Replay Monitor...

                                                    Downloads

                                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                      Filesize

                                                      342B

                                                      MD5

                                                      b2fa4a9c8c76cf516ba540144619250a

                                                      SHA1

                                                      780ea8159552ec8c67bbef50255084fccc76700d

                                                      SHA256

                                                      52a5b3be792c88a9ff579bd93a107e461cf9ac2021556bc4983f16c033e9fb87

                                                      SHA512

                                                      b7c3040146ea8645f573b94e7a533e5c574627b913f9fe27c07773e81c54f05d8f773e654c78eb5763e0b1f542bf414eec60ebd9ec8896e8e9384bc80434d869

                                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                      Filesize

                                                      342B

                                                      MD5

                                                      3b58b41981f4f6c856530b08ef9ea801

                                                      SHA1

                                                      6e5a641333ae9bd8a0cd36dd1ed9102c55c0246a

                                                      SHA256

                                                      9e16e2607bd3e87aa261f7d7da67a935e9e98b16224128271843bb0da87ee824

                                                      SHA512

                                                      f15131f9b498f67affcc204e5515728e579ced9390ccde10ded1de33dc9d1fdbadfbbf3a404566d48fb093637b75bd18d3537606f4bfdd9bf18ce715a383f77a

                                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                      Filesize

                                                      342B

                                                      MD5

                                                      d20871ddebdb0e46a8af3e5853e1b3fe

                                                      SHA1

                                                      ed0147d878fb0ac96845fecc9bed43ddd52f4163

                                                      SHA256

                                                      2481c1534f68cf0f066acfb08ca5c15456f79ceb1243e89635d5caac43e5424d

                                                      SHA512

                                                      f284d6f1b0f9941f3858bccbe6cefed3948e5405386c879184de094ec03d7fb75cf490c1d6b90b12ed01fda53d4e47ba65f212a305ccb971de073f5517f37df8

                                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                      Filesize

                                                      342B

                                                      MD5

                                                      ad1cfe606b373babb3e7b11c2c5dff8f

                                                      SHA1

                                                      d6d73a0d3e2dba914f563645e4ff63e5d94240c3

                                                      SHA256

                                                      5affa420cecf5d07ec01b19e5846c4dc7b0e50085f8e26120296626a69788235

                                                      SHA512

                                                      00fc6c143338e15a73ac25a048177879d8c304150a5735162f9339e7d8f041048a9f79c90d7de6bb20a633d954a60b5e37ca53dc3eff86d2937ebe19fddcfcb0

                                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                      Filesize

                                                      342B

                                                      MD5

                                                      2269acb9b0c4e156ab6c208fe8b81f0c

                                                      SHA1

                                                      6469de101c73761884ceb0e5f8904dbe14763e07

                                                      SHA256

                                                      7ee7d912aeb8032b67911c3296a856b277963833bf8561f30a37eb35d37fb015

                                                      SHA512

                                                      52d4222da9e9db4012863f8b90e2025f6c917a81bf84953eeaf180f549c00ed46911ad16bf6457de2cda386c108f5267c0107326a71ec648b7ef54445294a8a6

                                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                      Filesize

                                                      342B

                                                      MD5

                                                      d9a05a9c3de447e98fd39a5521e31615

                                                      SHA1

                                                      3c45f6101bed0fae105997459d9050577b8cc95d

                                                      SHA256

                                                      0f3b22b572dd17f86666084ad5a696ebc267c035e64c86cf6e5abb0dceb0da09

                                                      SHA512

                                                      9cb3113fe1e6ba303f0b9042dba08d3941069412f42285e14c0f49eb15f31fdae40e5cccab49be5c4ead15ccfff8fdef017ee578e81ca2b07ff772b923544d30

                                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                      Filesize

                                                      342B

                                                      MD5

                                                      c980a789a96aea3710494172cbf35c9f

                                                      SHA1

                                                      91a9e32514afde6a7a38c4e822672ff3a510b047

                                                      SHA256

                                                      9b00c7aece109738c921f226acea45c5ffb3677dab522e9d69f14b3af27a27bc

                                                      SHA512

                                                      d2d62dde80c5ea1e6f3bd7492b22e09c02d68b987dc75f0bef2cf386028637e0d5d0139ec313f665b273f43de3e8b81802a66a8b3c8393f2d6e42e98c03f7c8f

                                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                      Filesize

                                                      342B

                                                      MD5

                                                      b6761196075a15878f8943f84a7afc9c

                                                      SHA1

                                                      48c132c267c25eb4ab47c3ddc38833c5f208ad15

                                                      SHA256

                                                      cc3279c23c436d1145a5b05e34e332f60599b680153616626a11c64ed7990974

                                                      SHA512

                                                      6eae9e99d3017e9c30a690fec1c49ecff6c314eea41439d7b25f5b6c37471467491cdc1cf923d447e0814d1dfee29f4f09e41e62d579070c6b1ff00191091a30

                                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                      Filesize

                                                      342B

                                                      MD5

                                                      9fe1ec2f215ddecd7467ac00dcbd27c3

                                                      SHA1

                                                      be1e9af48efd7179bcf4ec779d158daec192eceb

                                                      SHA256

                                                      b4287a74484a63bc2d20726ebc84d473a4697a5596eb76f7c9bb18e031dfc1fb

                                                      SHA512

                                                      9a751eb10a5cd1676858f80d221954be7b75a28a6d4fa5e724e83148212866fda56a09de66edd7a306957bc01b17a34e29510f15f70606d17b1c4f359a60f621

                                                    • C:\Users\Admin\AppData\Local\Temp\2tBWjDxv5U.bat

                                                      Filesize

                                                      198B

                                                      MD5

                                                      9b630e441ac9dd33df986e576fc0d913

                                                      SHA1

                                                      157658533a693df52b944720df0b60cdf60f612e

                                                      SHA256

                                                      6ebe9c0b5f8f7ab34ee81b29d60a68474a5e2679d68611664302a9afdf9bd689

                                                      SHA512

                                                      009d5f6608a7025be3c772b033b5168b2c73d4fad99995cf4f7138630a3435da9d883f8b709211c7fc0cb2fbc0f74b39d819113d0778a9a61c87b42ba710154c

                                                    • C:\Users\Admin\AppData\Local\Temp\5AjNu1Vgdj.bat

                                                      Filesize

                                                      198B

                                                      MD5

                                                      c2d7f289fb722fad9328241966fef5f2

                                                      SHA1

                                                      990c8803eb78525425ee91e7a34fbe55ab79e12b

                                                      SHA256

                                                      76f9c4382de0b5bd97b1a9c3387ddd8844ef74c5b5cbd7c4179e7689c49cba7a

                                                      SHA512

                                                      3373d1f22267f15e5a1074696b04eea78dbd38db202b6a9ed4403cc51f1df499e1ed1a77248ac06669aad08856e7929b48b346bf6121f49ad4538198efeea340

                                                    • C:\Users\Admin\AppData\Local\Temp\9j3rBUpSkc.bat

                                                      Filesize

                                                      198B

                                                      MD5

                                                      e960eec91dbd2a7037395207191ae583

                                                      SHA1

                                                      82b75e66899626dd1748060f8e74f29d115421a2

                                                      SHA256

                                                      2dcb76988302ba74cb0c9dc6e0d0c42d21cfdd8ad177d9d390bb94dac63652ff

                                                      SHA512

                                                      faed1c07030f7b0f8a225e76499f307919e60824dc20e290d3d61434a9fb64d7f742ee2a8b889084653cef092b2d35ce2b199234236799b329c16d5c707eafab

                                                    • C:\Users\Admin\AppData\Local\Temp\CabB04E.tmp

                                                      Filesize

                                                      70KB

                                                      MD5

                                                      49aebf8cbd62d92ac215b2923fb1b9f5

                                                      SHA1

                                                      1723be06719828dda65ad804298d0431f6aff976

                                                      SHA256

                                                      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                                      SHA512

                                                      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                                    • C:\Users\Admin\AppData\Local\Temp\I4yJNRBzAA.bat

                                                      Filesize

                                                      198B

                                                      MD5

                                                      8814c95d4bdfd016cf3031bcfd981f18

                                                      SHA1

                                                      7caae11067410bf35f1522b9b956979337df0a01

                                                      SHA256

                                                      f140b24ed5b19caf86007b2770d7a06b0d6da4e745d44118111e22ec04fd70db

                                                      SHA512

                                                      9f704105ab0922d2c47bbbaa159276f2b2020980869fb4168470fd7a3fdda3900fa2f1f4fc9d32aee5e3a21d5ab496947068cb4bd59ac237cc00c5544230500a

                                                    • C:\Users\Admin\AppData\Local\Temp\TarB060.tmp

                                                      Filesize

                                                      181KB

                                                      MD5

                                                      4ea6026cf93ec6338144661bf1202cd1

                                                      SHA1

                                                      a1dec9044f750ad887935a01430bf49322fbdcb7

                                                      SHA256

                                                      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                                                      SHA512

                                                      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                                    • C:\Users\Admin\AppData\Local\Temp\iOYCRAfa0D.bat

                                                      Filesize

                                                      198B

                                                      MD5

                                                      a5c908bc8fe709a3a836b4d7280bc64d

                                                      SHA1

                                                      bcbd04826ba1c3995ad00b628a46021f26190889

                                                      SHA256

                                                      cb125d853394fcfaebf6bd1805a9f0e3efc5b352e0a30fae545e829821f612e1

                                                      SHA512

                                                      7333c082b370dbf1b3f361be148c7791a2a9d7357ed85625b24ef0ec8595c764e2443ef198eca456247a06b037dcf1fa4269dacd97fa561cd370561edd611181

                                                    • C:\Users\Admin\AppData\Local\Temp\jFR8woBO6B.bat

                                                      Filesize

                                                      198B

                                                      MD5

                                                      1bf12767dd085341da4e19c4def121aa

                                                      SHA1

                                                      c7036306aa5584b1449999b2fffa76fb7d9c8af3

                                                      SHA256

                                                      7e389b87e36fa408d998f71dd5b1917d4719938e77ab1821bf69f021a6f1e4fa

                                                      SHA512

                                                      a3b1e2b864641cae1462b5c8602664367bcc32889286014d5d8eb9cde029d2e6d2e6427fe7b6318bfaf0a11106ed6d5e15fed9190797b58a868165c8be3eae97

                                                    • C:\Users\Admin\AppData\Local\Temp\jpozkiw3ki.bat

                                                      Filesize

                                                      198B

                                                      MD5

                                                      00e1b5bc5b4ba4081276d560f3fb464d

                                                      SHA1

                                                      8c449c27ada9e6d29ca2b5ca4df7fb9dda26e22c

                                                      SHA256

                                                      80e1e154f5ed5492583d082aab327b895b376c4286ed1bd8c0e028798976eb01

                                                      SHA512

                                                      a834aef8f405d3d969ed595e0b9d2a4433e7d4e6e60ea46f1d36c0113761ad04a97e3699f4c6c790cba2a40c1381e8705ee9381ebc2be5e3d6d1e9252f73611e

                                                    • C:\Users\Admin\AppData\Local\Temp\l7tVtcAquU.bat

                                                      Filesize

                                                      198B

                                                      MD5

                                                      ea15bafbf1a47188f860a7fee88c7b39

                                                      SHA1

                                                      185c263d4c94e9003c330dfee1066ac0ed0d8ed0

                                                      SHA256

                                                      c6a739a317b260e23d5986482977cadd1fdb4a290eb586b4577af4dbaf27abb5

                                                      SHA512

                                                      6edf23348ad333478099b63d31bb4cbd3148d21af030e994111d6b9b9a5ee63df1e75c12de9207f1c51b6a6bf5facd9a20db8b57ccc4e69910cfd6bd66f533f9

                                                    • C:\Users\Admin\AppData\Local\Temp\owZfSNRP11.bat

                                                      Filesize

                                                      198B

                                                      MD5

                                                      924b5f98b97936badb3209e112465ed4

                                                      SHA1

                                                      96d81f3d2598d7a50242270ea6deb76f0c272605

                                                      SHA256

                                                      75a6a135e42ed0e4d318db5ffb5be1acd70eccf8d542cd92c7e28a060d0f2e45

                                                      SHA512

                                                      fbdebd247d32e395cd20ab9cb62ba811e209635163d3ab14f1667cbaec17e56fb4cc66857e124e79210add0a59eb45fd8b12640fbfeb7526a594111fb3a72173

                                                    • C:\Users\Admin\AppData\Local\Temp\xZLz5Ote6t.bat

                                                      Filesize

                                                      198B

                                                      MD5

                                                      b8633100190a6c728c5d95834682c31f

                                                      SHA1

                                                      7af11aee90a5949e96dc9378f194d26800eff177

                                                      SHA256

                                                      f43431604e5e33724bf07ad53aebc6ace01ba19f100d98bcfc19871cd1f6d63d

                                                      SHA512

                                                      3a9c816d0eb0cf48c28211475078e3500b7a1fb53b0d8ad6d6e85c7ef73f4ad0e68322448d95c2f14d9e47a3f85a04a30944815b24e789ba268a094ea0ceb6bc

                                                    • C:\Users\Admin\AppData\Local\Temp\yNYzWO1Iaj.bat

                                                      Filesize

                                                      198B

                                                      MD5

                                                      3d2fe4ada936042de08eeb254594a847

                                                      SHA1

                                                      2ff116e453c30c821c0a02c92437043a7032b306

                                                      SHA256

                                                      56115bb3c5af086eede889c63934761b3e0cadbb35f63e36ee92e649f738e014

                                                      SHA512

                                                      db203f0649601c4686e85aef4afb75393564f087e7173d5d4adc131e85d378b7ffeafe372d37e19d1ccd3b7cee59fbbdf44324999b79275f17f6399cdef754c1

                                                    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                                      Filesize

                                                      7KB

                                                      MD5

                                                      226c29e7df2f4a8abef8e67ddf491908

                                                      SHA1

                                                      de72224e43c447ff52e7fccaac52ad27c353a8e8

                                                      SHA256

                                                      e6896a1498da765782415c8acc4575d64a03bdd18ff89ef60e5c8934025b2e15

                                                      SHA512

                                                      9e5b7507b52f9344748b8e320cb5be83d181b038e5a8edfc94edb65a228958dae4656ff7968bd31d51e4280eac4e8a63152edff5c506c39b56f2aa6630e27e50

                                                    • C:\providercommon\1zu9dW.bat

                                                      Filesize

                                                      36B

                                                      MD5

                                                      6783c3ee07c7d151ceac57f1f9c8bed7

                                                      SHA1

                                                      17468f98f95bf504cc1f83c49e49a78526b3ea03

                                                      SHA256

                                                      8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

                                                      SHA512

                                                      c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                                    • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                                      Filesize

                                                      197B

                                                      MD5

                                                      8088241160261560a02c84025d107592

                                                      SHA1

                                                      083121f7027557570994c9fc211df61730455bb5

                                                      SHA256

                                                      2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

                                                      SHA512

                                                      20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                                    • \providercommon\DllCommonsvc.exe

                                                      Filesize

                                                      1.0MB

                                                      MD5

                                                      bd31e94b4143c4ce49c17d3af46bcad0

                                                      SHA1

                                                      f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                                      SHA256

                                                      b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                                      SHA512

                                                      f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                                    • memory/328-142-0x0000000000830000-0x0000000000940000-memory.dmp

                                                      Filesize

                                                      1.1MB

                                                    • memory/336-261-0x0000000000A80000-0x0000000000B90000-memory.dmp

                                                      Filesize

                                                      1.1MB

                                                    • memory/944-381-0x00000000013E0000-0x00000000014F0000-memory.dmp

                                                      Filesize

                                                      1.1MB

                                                    • memory/1044-620-0x0000000001110000-0x0000000001220000-memory.dmp

                                                      Filesize

                                                      1.1MB

                                                    • memory/1480-740-0x0000000001120000-0x0000000001230000-memory.dmp

                                                      Filesize

                                                      1.1MB

                                                    • memory/1688-89-0x0000000001F00000-0x0000000001F08000-memory.dmp

                                                      Filesize

                                                      32KB

                                                    • memory/1800-560-0x0000000000C80000-0x0000000000D90000-memory.dmp

                                                      Filesize

                                                      1.1MB

                                                    • memory/2336-201-0x0000000000370000-0x0000000000480000-memory.dmp

                                                      Filesize

                                                      1.1MB

                                                    • memory/2524-500-0x00000000000C0000-0x00000000001D0000-memory.dmp

                                                      Filesize

                                                      1.1MB

                                                    • memory/2580-680-0x00000000003A0000-0x00000000004B0000-memory.dmp

                                                      Filesize

                                                      1.1MB

                                                    • memory/2588-321-0x0000000000E80000-0x0000000000F90000-memory.dmp

                                                      Filesize

                                                      1.1MB

                                                    • memory/2644-17-0x0000000000570000-0x000000000057C000-memory.dmp

                                                      Filesize

                                                      48KB

                                                    • memory/2644-16-0x0000000000550000-0x000000000055C000-memory.dmp

                                                      Filesize

                                                      48KB

                                                    • memory/2644-15-0x0000000000560000-0x000000000056C000-memory.dmp

                                                      Filesize

                                                      48KB

                                                    • memory/2644-14-0x0000000000540000-0x0000000000552000-memory.dmp

                                                      Filesize

                                                      72KB

                                                    • memory/2644-13-0x0000000000AB0000-0x0000000000BC0000-memory.dmp

                                                      Filesize

                                                      1.1MB

                                                    • memory/2704-88-0x000000001B670000-0x000000001B952000-memory.dmp

                                                      Filesize

                                                      2.9MB