Analysis

  • max time kernel
    145s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    30/12/2024, 02:45

General

  • Target

    JaffaCakes118_2cfbd85a9e504e8876ccd8a92a8ff7fd40c214f1f1f08a80037fdcc77d878d6a.exe

  • Size

    1.3MB

  • MD5

    473689924a7a7a63536c9a6c4a055236

  • SHA1

    73ce4d74fffa1ab662c4678a74da2f8977a1f3d6

  • SHA256

    2cfbd85a9e504e8876ccd8a92a8ff7fd40c214f1f1f08a80037fdcc77d878d6a

  • SHA512

    ac5ca4ba0d48e16ae314c9e1cb564490746058664e4cea4e286f3afb6d1c83185d5ce3447267af0a4541fedef37ce2a34108bef7128072ef207ae772b14e296a

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 39 IoCs

    This typically indicates the parent process was compromised via an exploit or macro. In this report the flagged children are the schtasks.exe invocations listed at depth 1 of the process tree, whose parent is not shown.

  • DCRat payload 14 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

    Runs PowerShell to modify Windows Defender settings by adding exclusions for file extensions, paths, or processes. Here each invocation is Add-MpPreference -ExclusionPath for one of the dropped binaries.

  • Executes dropped EXE 13 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the victim system's language in order to infer the geographical location of the host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution. Here each dropped binary gets an ONLOGON task plus MINUTE-interval tasks, most with /rl HIGHEST.

  • Suspicious behavior: EnumeratesProcesses 29 IoCs
  • Suspicious use of AdjustPrivilegeToken 27 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
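The three behaviours the signatures above describe (Defender exclusions added through PowerShell, schtasks persistence pointing at system-process lookalikes in non-system directories, and w32tm /stripchart used as a sleep) can be turned into process-creation detections. The following is an added example, not part of the sandbox report; the command lines are copied from this report's process tree (the quotes around the powershell image name are dropped), and the (pid, command line) event shape is an assumption standing in for whatever field your Sysmon or EDR telemetry uses.

```python
"""Detections for the DCRat dropper behaviours in this report.
Added example; event shape (pid, command line) is assumed."""
import re
from typing import Dict, List, Optional, Tuple

# Process names this dropper imitates. The real binaries live under
# System32/SysWOW64; the kernel "System" process has no on-disk .exe,
# so any System.exe is suspicious wherever it is.
LOOKALIKE_NAMES = {
    "taskhost.exe", "lsass.exe", "csrss.exe", "spoolsv.exe", "dllhost.exe",
    "wininit.exe", "cmd.exe", "explorer.exe", "system.exe",
}
LEGIT_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

EXCLUSION_RE = re.compile(
    r'''Add-MpPreference\b.*?-Exclusion(Path|Process|Extension)\s+['"]?([^'"]+)''', re.I)
TASK_NAME_RE = re.compile(r'''/tn\s+"([^"]+)"''', re.I)
TASK_RUN_RE = re.compile(r'''/tr\s+"'?([^"']+)''', re.I)   # /tr "'C:\path\x.exe'"
TASK_SCHED_RE = re.compile(r"/sc\s+(\w+)(?:\s+/mo\s+(\d+))?", re.I)


def detect_defender_exclusion(cmdline: str) -> Optional[Tuple[str, str]]:
    """Return (exclusion kind, value) when the command adds a Defender exclusion."""
    m = EXCLUSION_RE.search(cmdline)
    return (m.group(1), m.group(2).strip()) if m else None


def detect_masquerade_task(cmdline: str) -> Optional[Dict[str, object]]:
    """Flag schtasks /create whose action is a system-process lookalike that
    does not live in System32/SysWOW64 (the persistence pattern in this report)."""
    if not re.search(r"\bschtasks(?:\.exe)?\b.*?/create\b", cmdline, re.I):
        return None
    run = TASK_RUN_RE.search(cmdline)
    if not run:
        return None
    target = run.group(1).strip()
    low = target.lower()
    if low.rsplit("\\", 1)[-1] not in LOOKALIKE_NAMES or low.startswith(LEGIT_DIRS):
        return None
    tn = TASK_NAME_RE.search(cmdline)
    sc = TASK_SCHED_RE.search(cmdline)
    schedule = ""
    if sc:
        schedule = sc.group(1).upper() + (f"/{sc.group(2)}" if sc.group(2) else "")
    return {
        "task": tn.group(1) if tn else "",
        "target": target,
        "schedule": schedule,                       # e.g. ONLOGON or MINUTE/11
        "highest": bool(re.search(r"/rl\s+HIGHEST\b", cmdline, re.I)),
    }


def detect_w32tm_delay(cmdline: str) -> bool:
    """w32tm /stripchart against localhost is a LOLBin sleep, not a real
    time-sync diagnostic; the dropper runs it before every relaunch."""
    return bool(re.search(
        r"\bw32tm(?:\.exe)?\b.*?/stripchart\b.*?/computer:localhost\b", cmdline, re.I))


def scan(events: List[Tuple[int, str]]) -> List[Tuple[int, str, object]]:
    """Run all three detections over (pid, command line) events."""
    findings: List[Tuple[int, str, object]] = []
    for pid, cmd in events:
        excl = detect_defender_exclusion(cmd)
        if excl:
            findings.append((pid, "defender_exclusion", excl))
        task = detect_masquerade_task(cmd)
        if task:
            findings.append((pid, "masquerade_task", task))
        if detect_w32tm_delay(cmd):
            findings.append((pid, "w32tm_delay", cmd))
    return findings


# Sample events copied from the process tree in this report (PID, command line).
SAMPLE_EVENTS = [
    (1848, r'''"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"'''),
    (2068, r"powershell -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'"),
    (1048, r"powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Start Menu\lsass.exe'"),
    (2256, r'''"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat"'''),
    (2080, r"w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2"),
    (2660, r'''schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe'" /f'''),
    (2656, r'''schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\lsass.exe'" /rl HIGHEST /f'''),
    (1508, r'''schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Windows\Prefetch\ReadyBoot\cmd.exe'" /f'''),
]

if __name__ == "__main__":
    for pid, kind, detail in scan(SAMPLE_EVENTS):
        print(pid, kind, detail)
```

On the sample events the scan yields two exclusion findings, one w32tm delay and three masquerade tasks; the WScript and cmd.exe launches are not flagged on their own, which is deliberate: the high-confidence signal is the path check, not the interpreter. A lsass.exe or taskhost.exe under C:\Recovery, a user profile or Prefetch never has a legitimate scheduled task, so that rule can page without further tuning, whereas Add-MpPreference also appears in admin tooling and should be correlated with the parent process.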

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2cfbd85a9e504e8876ccd8a92a8ff7fd40c214f1f1f08a80037fdcc77d878d6a.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2cfbd85a9e504e8876ccd8a92a8ff7fd40c214f1f1f08a80037fdcc77d878d6a.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1868
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1848
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2220
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2732
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2068
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2516
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Start Menu\lsass.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1048
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:984
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\assembly\GAC_32\naphlpr\6.1.0.0__31bf3856ad364e35\System.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2564
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Local Settings\spoolsv.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2532
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dllhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2548
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Prefetch\ReadyBoot\cmd.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1376
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PCHEALTH\ERRORREP\dllhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1752
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1740
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2312
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\wininit.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3028
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2316
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2324
          • C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe
            "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1444
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2256
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                  PID:2080
                • C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe
                  "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe"
                  7⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:560
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uugdhbmYnk.bat"
                    8⤵
                      PID:1752
                      • C:\Windows\system32\w32tm.exe
                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                        9⤵
                          PID:700
                        • C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe
                          "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe"
                          9⤵
                          • Executes dropped EXE
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:668
                          • C:\Windows\System32\cmd.exe
                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\s2EHkno7yQ.bat"
                            10⤵
                              PID:2544
                              • C:\Windows\system32\w32tm.exe
                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                11⤵
                                  PID:608
                                • C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe
                                  "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe"
                                  11⤵
                                  • Executes dropped EXE
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:2824
                                  • C:\Windows\System32\cmd.exe
                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wOqzmeZFfo.bat"
                                    12⤵
                                      PID:2724
                                      • C:\Windows\system32\w32tm.exe
                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                        13⤵
                                          PID:2156
                                        • C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe
                                          "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe"
                                          13⤵
                                          • Executes dropped EXE
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:404
                                          • C:\Windows\System32\cmd.exe
                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FEON83D8AI.bat"
                                            14⤵
                                              PID:316
                                              • C:\Windows\system32\w32tm.exe
                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                15⤵
                                                  PID:2628
                                                • C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe
                                                  "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe"
                                                  15⤵
                                                  • Executes dropped EXE
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:564
                                                  • C:\Windows\System32\cmd.exe
                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\18eSMsDQCm.bat"
                                                    16⤵
                                                      PID:2548
                                                      • C:\Windows\system32\w32tm.exe
                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                        17⤵
                                                          PID:2756
                                                        • C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe
                                                          "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe"
                                                          17⤵
                                                          • Executes dropped EXE
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:2064
                                                          • C:\Windows\System32\cmd.exe
                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\b3FUfZROOv.bat"
                                                            18⤵
                                                              PID:884
                                                              • C:\Windows\system32\w32tm.exe
                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                19⤵
                                                                  PID:1512
                                                                • C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe
                                                                  "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe"
                                                                  19⤵
                                                                  • Executes dropped EXE
                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:2484
                                                                  • C:\Windows\System32\cmd.exe
                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cOf3pucYXi.bat"
                                                                    20⤵
                                                                      PID:2032
                                                                      • C:\Windows\system32\w32tm.exe
                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                        21⤵
                                                                          PID:1124
                                                                        • C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe
                                                                          "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe"
                                                                          21⤵
                                                                          • Executes dropped EXE
                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          PID:440
                                                                          • C:\Windows\System32\cmd.exe
                                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GX2kvMhQbI.bat"
                                                                            22⤵
                                                                              PID:3004
                                                                              • C:\Windows\system32\w32tm.exe
                                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                23⤵
                                                                                  PID:2752
                                                                                • C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe
                                                                                  "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe"
                                                                                  23⤵
                                                                                  • Executes dropped EXE
                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                  PID:2540
                                                                                  • C:\Windows\System32\cmd.exe
                                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\O1BWw2qr2X.bat"
                                                                                    24⤵
                                                                                      PID:636
                                                                                      • C:\Windows\system32\w32tm.exe
                                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                        25⤵
                                                                                          PID:904
                                                                                        • C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe
                                                                                          "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe"
                                                                                          25⤵
                                                                                          • Executes dropped EXE
                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:3000
                                                                                          • C:\Windows\System32\cmd.exe
                                                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\v65NgynF79.bat"
                                                                                            26⤵
                                                                                              PID:2908
                                                                                              • C:\Windows\system32\w32tm.exe
                                                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                27⤵
                                                                                                  PID:920
                                                                                                • C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe
                                                                                                  "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe"
                                                                                                  27⤵
                                                                                                  • Executes dropped EXE
                                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                  PID:2360
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2660
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2932
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2764
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Start Menu\lsass.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2624
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\lsass.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2656
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Start Menu\lsass.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2748
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\csrss.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2308
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1796
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1604
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Windows\assembly\GAC_32\naphlpr\6.1.0.0__31bf3856ad364e35\System.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2852
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\assembly\GAC_32\naphlpr\6.1.0.0__31bf3856ad364e35\System.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2684
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Windows\assembly\GAC_32\naphlpr\6.1.0.0__31bf3856ad364e35\System.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1268
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Local Settings\spoolsv.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1436
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default\Local Settings\spoolsv.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:596
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Local Settings\spoolsv.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2612
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dllhost.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1296
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2900
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2728
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Windows\Prefetch\ReadyBoot\cmd.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1508
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\cmd.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1824
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Windows\Prefetch\ReadyBoot\cmd.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2172
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Windows\PCHEALTH\ERRORREP\dllhost.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2988
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\PCHEALTH\ERRORREP\dllhost.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2072
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Windows\PCHEALTH\ERRORREP\dllhost.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2224
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\providercommon\taskhost.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2156
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1104
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1908
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 14 /tr "'C:\Program Files\VideoLAN\VLC\DllCommonsvc.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1564
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\DllCommonsvc.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:404
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "'C:\Program Files\VideoLAN\VLC\DllCommonsvc.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:3044
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\wininit.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2136
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1392
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1100
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\providercommon\lsass.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:276
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2948
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:812
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\providercommon\explorer.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2052
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:884
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2596

                                            Network

                                                  MITRE ATT&CK Enterprise v15

                                                  Downloads

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                    Filesize

                                                    342B

                                                    MD5

                                                    95dd390259226a57b760e35bccf89da0

                                                    SHA1

                                                    c5e28f109989d32a09bd74f7d515fcbd25cea4a9

                                                    SHA256

                                                    f7269dc07bfe8b38140aafc99bef717ac1cb6df62c35f1da889cfe30d649d592

                                                    SHA512

                                                    c8ee67019c6e89f488eddc3f787f6ec55bbb1208660054d50fff62fb9b94a91083af2cbd7e1c1c56b0aa2fcdebc0462ce6bf437fadc51135e7650ecd86f1dc5d

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                    Filesize

                                                    342B

                                                    MD5

                                                    0082179196c5387fea405289c6a8c7db

                                                    SHA1

                                                    b2d6210db4ba84cad47067ebffccc1dd65377428

                                                    SHA256

                                                    6234ca0ff43cd3c66412b085babb1954e395a90441221dfa4e8eb2755a401dfe

                                                    SHA512

                                                    643583cf6ac59c0f16f054d6fedcab22962ecfe642d8d09e5da38056bfdd1b2dd991198b2bcd20c41eada78a33691873466ec4b8f7edeb9f455e6a593e429470

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                    Filesize

                                                    342B

                                                    MD5

                                                    a0df300231e71a4c4d1da63dd73d1248

                                                    SHA1

                                                    a78aa13400a1c7710ab1fa505527597426239235

                                                    SHA256

                                                    b8e6f325ea38289e75c2165e00385b3148ad5643f8f22bbe2bc4f433efc33a70

                                                    SHA512

                                                    cc9072d77bbd1018fb08f9f0ef7c345ab69104dc62bf895d36f3d4a7f18fe4169135b71cac49ba0f89458f2df18c98a71e3aef1c40a66ebf7736398616ff8f68

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                    Filesize

                                                    342B

                                                    MD5

                                                    966edf62e2b11f4ea3d2ed1e0c342048

                                                    SHA1

                                                    d3d4b39b9d0497b6e3f4f86136a1c576d42b08c9

                                                    SHA256

                                                    5bba8e34cd8f29fcd8fd0502b97c9342a80888bec0067c1d90ee36ebf54da111

                                                    SHA512

                                                    61fdae896c3e0ac8dba5065ce2b7be72e17c36f7c1f2719492d80cc2a1c7c3a26f6c9a9a4d93c5bfdb48623092f496d74c8e58045c56c68156fc7383156b6062

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                    Filesize

                                                    342B

                                                    MD5

                                                    a3309b397b66f30bb3f2b83bd9bc6632

                                                    SHA1

                                                    d808ead65087c2121bfcbfc76b9d1b7972aa929e

                                                    SHA256

                                                    82f4f53b15e2c8776ff6bcf09d162ebfdbc7cfb1efdaec4223a1acbe3abfd1f3

                                                    SHA512

                                                    192fae8c946f182f9075e17bbd3f8f399dc5acb77ed026a57311b6281e03b27cf601b4f28a629139a9529a3ccbed931de1726dba603f36c53f1a21cf194cf61a

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                    Filesize

                                                    342B

                                                    MD5

                                                    b69b44218009727a3254de3e8d32d816

                                                    SHA1

                                                    5bc29bdda2758155b5718c8f6d2aa794e36b2192

                                                    SHA256

                                                    2ab9dc6647f294ec4dc8ff84a284ccf5b91c074658a0929548e09f2331deaf1b

                                                    SHA512

                                                    0249122c54bde8d11f70ab4bfbe2fae181abf97a65afda2eef310bfb4a4efff79de90ed00d388a69d286675d1a97779d0ebddfbed7725a3bd28ec696715f52d6

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                    Filesize

                                                    342B

                                                    MD5

                                                    f505bc0a6097e0de4425f9377866d1ae

                                                    SHA1

                                                    6f605eefae1f9b0d7783c245359d258fa5f5c8ea

                                                    SHA256

                                                    cad2e68fa0dd0bb2e8604ff5f508666c4068ec93806f5291024402fca8293e99

                                                    SHA512

                                                    22e765eea17822bcecd11c014f4133b5577210390d808623cb14f17b6057e123f9786d25b7b6f93eb0ba02a30449a081221a8fbe78788983f630acf92a2bd4f8

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                    Filesize

                                                    342B

                                                    MD5

                                                    d577a7073352b5fdd3c94c5804006fe9

                                                    SHA1

                                                    708617e7b057b49eca73ffea4e4925ca4ef712c1

                                                    SHA256

                                                    d73df6aba80469eef34510a28dfeb67d14125ddcd2a7e8a665b48fbfbf8ca885

                                                    SHA512

                                                    2f59eb86c74e0f9753a45beb26ddcbf8b57da23828f980a95a3a9464b9b05b2d84ac42c3a441dbd4db91c44dce4cf6f1462d9df10dfb669013ff1b1ef30635d5

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                    Filesize

                                                    342B

                                                    MD5

                                                    76c7c0c3c623f2c165b4742c84599268

                                                    SHA1

                                                    0da6d2ef6611029bfd4ab32daa1064a17a22f42d

                                                    SHA256

                                                    70bfb3c9a6f8fc77dba4175858a15014639e09f616c7718e85b6b2ff11c73241

                                                    SHA512

                                                    2cafcd18d51c2818f8678d35cd3f32c99c229d30cbc68701c13d3cb416d1b1237af7173f42594ee36b5665ce7d431552409351d6ad929de59518971cfb52c8fb

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                    Filesize

                                                    342B

                                                    MD5

                                                    e23af1207fa36ac79ac63dcc5621468c

                                                    SHA1

                                                    857a4c337a14f8e0d091683b04e60db9f8aa5b1e

                                                    SHA256

                                                    5d35d9ac372feb68b43fdb31bcd3fe1dd21483847ee13a8c4ca14d726cf1a22b

                                                    SHA512

                                                    dfa8f2155a22295530b96b657440580f2d3aae4e62bd436d9f54ca745e7d05aa20fdc4736b066514295f963720d3439a3105abd6560a13b4ae39d8bb38c7ea2f

                                                  • C:\Users\Admin\AppData\Local\Temp\18eSMsDQCm.bat

                                                    Filesize

                                                    226B

                                                    MD5

                                                    4b36ef4f344f409de888ba55e4e6ee2b

                                                    SHA1

                                                    36ffac3f57091e7e4ce755412cb508ca006d7fed

                                                    SHA256

                                                    3778811c6b7a24ac0c0d1d2373884711a8c03f96c5c0f989c4eec88c277f3e70

                                                    SHA512

                                                    338359a83db4494055894ebe5e8d9503b489a2fd726b3b220951c8e000b042f6b29f903744dfda74bf3db4e94e7ee1a32eb7a5c3a82bf17fe1342e8eb3acf1aa

                                                  • C:\Users\Admin\AppData\Local\Temp\CabE514.tmp

                                                    Filesize

                                                    70KB

                                                    MD5

                                                    49aebf8cbd62d92ac215b2923fb1b9f5

                                                    SHA1

                                                    1723be06719828dda65ad804298d0431f6aff976

                                                    SHA256

                                                    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                                    SHA512

                                                    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                                  • C:\Users\Admin\AppData\Local\Temp\FEON83D8AI.bat

                                                    Filesize

                                                    226B

                                                    MD5

                                                    fecd9044925682069b3671eca4b2ffde

                                                    SHA1

                                                    2ce97649309032b2d74535118aacc87ddfe08c44

                                                    SHA256

                                                    f8094bc242a419a2d073872b296bbe69bea1130daca23cf77e20194ca44f0cf7

                                                    SHA512

                                                    b2af0a1195da197a7637c9f1b1c3b865f57365d8a7bd354906ba910093df4a347ad894987e6a4799a0d79285ae76490dd4d5b80111c42296e5956d9c2b35a9f9

                                                  • C:\Users\Admin\AppData\Local\Temp\GX2kvMhQbI.bat

                                                    Filesize

                                                    226B

                                                    MD5

                                                    ac4a2a44ec1793897ff939569dd95b63

                                                    SHA1

                                                    387f956ee54fe955cceeb6018b00ba986e703994

                                                    SHA256

                                                    ec5a8d225d1ca0092ac8e58ca810e1f28c005ce4484cf840c16f8a16443090b1

                                                    SHA512

                                                    3aad09f78b2eb7d0818282969e669511d6146b20f8a6e1d497f4a45821d5abc22548a9f363a2e5cedacced806ae49411afe0f5526cf209f93d55bca86164ec0f

                                                  • C:\Users\Admin\AppData\Local\Temp\O1BWw2qr2X.bat

                                                    Filesize

                                                    226B

                                                    MD5

                                                    930b88280cb7e8b65a136df405b37b49

                                                    SHA1

                                                    79b73b5b75a8ab092ee441ddda6304cb58a1da2f

                                                    SHA256

                                                    bf4fa84f883e39044258f79392cdf0f031ee4ef7b7c656159ce1954d17507a26

                                                    SHA512

                                                    20ecd21a58cc82a4d2de547f9e2a96d67ae2c41c7c5bbdbbff1ff24410efc1b11c03b193fa3bf1b39bf2a46f0fe226a2bf6faa076288c01f710dc3928f9d053e

                                                  • C:\Users\Admin\AppData\Local\Temp\TarE555.tmp

                                                    Filesize

                                                    181KB

                                                    MD5

                                                    4ea6026cf93ec6338144661bf1202cd1

                                                    SHA1

                                                    a1dec9044f750ad887935a01430bf49322fbdcb7

                                                    SHA256

                                                    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                                                    SHA512

                                                    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                                  • C:\Users\Admin\AppData\Local\Temp\b3FUfZROOv.bat

                                                    Filesize

                                                    226B

                                                    MD5

                                                    ca1fce37237138217c1cc66ec2b0d844

                                                    SHA1

                                                    e62689dc79de9a680fc0b5c52f3615d67364a6fb

                                                    SHA256

                                                    efc1a400bfbc66cf4787a7c62baba978545b517c6b616f18312de2d44e6927a0

                                                    SHA512

                                                    ba66d202f49515d75b7d4f2375eda09d6837fd9f1c83cbfb9966b90cc8d56cc01ad97d7e81ca7ac100c8ea979a2704cd73ad684eb90a6216a53387a5565d6352

                                                  • C:\Users\Admin\AppData\Local\Temp\cOf3pucYXi.bat

                                                    Filesize

                                                    226B

                                                    MD5

                                                    99c79beed9402a802f3f2d614ad87280

                                                    SHA1

                                                    fc1cd3a25b50d9987e5c6094d73404e8335db261

                                                    SHA256

                                                    77a7ab7172bd3f85005445f22359ec54a0cafe4d343657744dbee38fde1eeec5

                                                    SHA512

                                                    fa6406e9365bf95cac3dce6d0b4fa0d49ea3f57849ddda7d548d5c3436882a1ff9852c2b4ac2ed0885a0d1432b5b03bc94fd1e651e3cabd865235dd405fed683

                                                  • C:\Users\Admin\AppData\Local\Temp\s2EHkno7yQ.bat

                                                    Filesize

                                                    226B

  MD5: c7ab180c59fb0d1fb65c6b4c8eddf89d
  SHA1: 71377b388b8feb3831653d33180ed5a888409f9a
  SHA256: ee90fecf035e899f7b2adb31668499438897de6616bcb798dde32d222854727b
  SHA512: 5f4a53d3048845793f2c28b8eef3e09a43b10e95ccd8d5cb2d37f2512480a7244fa105fa36f980d5dc66f7599e9946fbd8e737dd5960d5f570eb8728c1ef9f7a

• C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat
  Filesize: 226B
  MD5: d5179dceae8234681c754cde39641566
  SHA1: 909d7214c976ee5cac24f7316850c6372aaa16f9
  SHA256: a7be4d6b981c6f7d68f413da95343690fa701263cfa0ce5c61629309ca7d9154
  SHA512: 5847de289e3c50e9652339c9a3362c5ab21d3b6dca3d31275d2f1a81ad3b6737fdd509aeef0341c6eebe75c4f74a84f463c5ecc26636b08c64019953a003397f

• C:\Users\Admin\AppData\Local\Temp\uugdhbmYnk.bat
  Filesize: 226B
  MD5: 4b25ccad1944af09d0ff035c781f9a19
  SHA1: 7cc8b1671d72bec0ea5ba688fccca9f13c43c2bb
  SHA256: 3b11bff87730453e0b3e6d458951cf76dbd7c9c047e8e1150dc4f180a19557e4
  SHA512: c83004d19f396be69a933d001ed809112872a68ce6d74de7f91e6960bc00da1c605f87fd7f7974f6238bc6628b8acf258b4f690dd4ace2d64dee806aa205772f

• C:\Users\Admin\AppData\Local\Temp\v65NgynF79.bat
  Filesize: 226B
  MD5: 04a11333c67f3b0b264ff1671884d69e
  SHA1: e45f313db49430834fb785f05f94c23b3e52f37e
  SHA256: 43b22352a5862b3fdabd63fbeff96b31700c8e9aae3d23864432cb0a36ce6f02
  SHA512: c6af749988f1f16b9144ca532c8570d8b74c38e4255a36989884ed0d3384dbbf2dddda27dcc1d3530626d89855692dd2164a26242392d77a16b20530c612c902

• C:\Users\Admin\AppData\Local\Temp\wOqzmeZFfo.bat
  Filesize: 226B
  MD5: 50fdfe93f8836cce5ba647e7ed19f5bc
  SHA1: 430d5bb584beba0beda715c0b7f6a96e5e0514b5
  SHA256: 7049be576c4755c33d5e0fb85b98984fdf06ad92d6876ef6f30421f18aa249e3
  SHA512: 655dfe7dcd1c9e4685e93aa1c33cb734ace837e9c7be92017ab668939419ef50ed413e6286e467ebe2bf7eb60e226382ab4041faa83f685a85003162330f2a35

• C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: b5e308aabfd2b35152bf29347c7d0f03
  SHA1: b805a1e5e5be9b22a4ca0cf39e38bc98b9d31842
  SHA256: 2b5550bd0c0977b8762a08c2e9bd834fb0b4d4c22992ee28073a99a8b96602af
  SHA512: 5e68ff09a6a74ab6f31c6c75a22c1323fbf742e2263d3c0148d6c25db1d534dcfae4f0afa917367c200f54cbeb4960f335e8481c12408f92b1824d901f0e034f

• C:\providercommon\1zu9dW.bat
  Filesize: 36B
  MD5: 6783c3ee07c7d151ceac57f1f9c8bed7
  SHA1: 17468f98f95bf504cc1f83c49e49a78526b3ea03
  SHA256: 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
  SHA512: c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

• C:\providercommon\DllCommonsvc.exe
  Filesize: 1.0MB
  MD5: bd31e94b4143c4ce49c17d3af46bcad0
  SHA1: f8c51ff3ff909531d9469d4ba1bbabae101853ff
  SHA256: b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
  SHA512: f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

• C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
  Filesize: 197B
  MD5: 8088241160261560a02c84025d107592
  SHA1: 083121f7027557570994c9fc211df61730455bb5
  SHA256: 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
  SHA512: 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

• memory/404-360-0x0000000000170000-0x0000000000280000-memory.dmp
  Filesize: 1.1MB

• memory/440-601-0x0000000000380000-0x0000000000490000-memory.dmp
  Filesize: 1.1MB

• memory/560-180-0x00000000002D0000-0x00000000002E2000-memory.dmp
  Filesize: 72KB

• memory/560-179-0x0000000000320000-0x0000000000430000-memory.dmp
  Filesize: 1.1MB

• memory/564-420-0x0000000000940000-0x0000000000A50000-memory.dmp
  Filesize: 1.1MB

• memory/668-240-0x0000000001070000-0x0000000001180000-memory.dmp
  Filesize: 1.1MB

• memory/1444-79-0x0000000000AB0000-0x0000000000BC0000-memory.dmp
  Filesize: 1.1MB

• memory/1444-120-0x0000000000520000-0x0000000000532000-memory.dmp
  Filesize: 72KB

• memory/2064-480-0x0000000000AF0000-0x0000000000C00000-memory.dmp
  Filesize: 1.1MB

• memory/2360-783-0x0000000000240000-0x0000000000252000-memory.dmp
  Filesize: 72KB

• memory/2360-782-0x0000000001240000-0x0000000001350000-memory.dmp
  Filesize: 1.1MB

• memory/2484-540-0x00000000000F0000-0x0000000000200000-memory.dmp
  Filesize: 1.1MB

• memory/2484-541-0x00000000002A0000-0x00000000002B2000-memory.dmp
  Filesize: 72KB

• memory/2516-59-0x000000001B560000-0x000000001B842000-memory.dmp
  Filesize: 2.9MB

• memory/2516-62-0x0000000001E40000-0x0000000001E48000-memory.dmp
  Filesize: 32KB

• memory/2540-661-0x0000000000D60000-0x0000000000E70000-memory.dmp
  Filesize: 1.1MB

• memory/2732-16-0x00000000001D0000-0x00000000001DC000-memory.dmp
  Filesize: 48KB

• memory/2732-15-0x00000000001E0000-0x00000000001EC000-memory.dmp
  Filesize: 48KB

• memory/2732-14-0x0000000000140000-0x0000000000152000-memory.dmp
  Filesize: 72KB

• memory/2732-13-0x0000000000B80000-0x0000000000C90000-memory.dmp
  Filesize: 1.1MB

• memory/2732-17-0x00000000001F0000-0x00000000001FC000-memory.dmp
  Filesize: 48KB

• memory/2824-300-0x0000000000080000-0x0000000000190000-memory.dmp
  Filesize: 1.1MB

• memory/3000-721-0x0000000000EE0000-0x0000000000FF0000-memory.dmp
  Filesize: 1.1MB

• memory/3000-722-0x00000000003C0000-0x00000000003D2000-memory.dmp
  Filesize: 72KB
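The dropped-file and memory-dump entries above are the hunt-ready part of this report: the file hashes can be matched against a host, and each memory-dump name encodes the PID, a sequence number and the start/end address of the region the sandbox carved, so the reported Filesize can be cross-checked against end minus start (0x280000 - 0x170000 = 0x110000 bytes, which is the 1.1MB shown). The script below is an added example and is not part of the sandbox report or of DCRat; it assumes the flattened layout seen on this page (a "•" line with the artifact name, then alternating key and value lines) and embeds a few of the entries above as constructed sample input. The parser, the size-label rounding and the SHA256 index are this example's own conventions, not a documented format of the sandbox.

```python
"""Turn sandbox dropped-file / memory-dump entries into checkable IOCs.

Added example, not the sandbox's or the malware's code. Assumes the flattened
'bullet, key line, value line' layout seen on the report page.
"""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

KEYS = {"Filesize", "MD5", "SHA1", "SHA256", "SHA512"}
# memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp, as named on the report page
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

# Constructed sample: a subset of the entries on this page, reduced to the keys used below.
REPORT_SAMPLE = r"""
• C:\providercommon\DllCommonsvc.exe
Filesize
1.0MB
MD5
bd31e94b4143c4ce49c17d3af46bcad0
SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
• C:\providercommon\1zu9dW.bat
Filesize
36B
MD5
6783c3ee07c7d151ceac57f1f9c8bed7
• memory/404-360-0x0000000000170000-0x0000000000280000-memory.dmp
Filesize
1.1MB
• memory/560-180-0x00000000002D0000-0x00000000002E2000-memory.dmp
Filesize
72KB
• memory/2516-59-0x000000001B560000-0x000000001B842000-memory.dmp
Filesize
2.9MB
"""


@dataclass
class Artifact:
    name: str
    attrs: Dict[str, str] = field(default_factory=dict)


def parse_report(text: str) -> List[Artifact]:
    """State machine: a bullet line opens an entry, a key line is followed by its value line."""
    items: List[Artifact] = []
    pending: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):
            items.append(Artifact(line[1:].strip()))
            pending = None
        elif line in KEYS:
            pending = line
        elif pending and items:
            items[-1].attrs[pending] = line
            pending = None
    return items


def size_to_bytes(label: str) -> int:
    """Inverse of the report's size labels ('226B', '72KB', '1.1MB'); 1024-based, lossy for rounded labels."""
    m = re.fullmatch(r"([\d.]+)(B|KB|MB|GB)", label)
    if not m:
        raise ValueError(f"unrecognised size label: {label!r}")
    return int(float(m.group(1)) * {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}[m.group(2)])


def bytes_to_label(n: int) -> str:
    """Assumed rounding of the report (whole KB, one decimal for MB) so sizes can be compared."""
    if n < 1024:
        return f"{n}B"
    if n < 1024 ** 2:
        return f"{n / 1024:.0f}KB"
    return f"{n / 1024 ** 2:.1f}MB"


def memory_region(a: Artifact) -> Optional[Tuple[int, int, int, int]]:
    """(pid, seq, start, end) decoded from a memory-dump name; None for a dropped-file entry."""
    m = MEM_RE.match(a.name)
    if not m:
        return None
    pid, seq, start, end = m.groups()
    return int(pid), int(seq), int(start, 16), int(end, 16)


def check_regions(items: List[Artifact]) -> List[Tuple[str, int, str, bool]]:
    """Per dump: (name, end - start in bytes, reported label, whether the two agree)."""
    out = []
    for a in items:
        r = memory_region(a)
        if r is None:
            continue
        size = r[3] - r[2]
        reported = a.attrs.get("Filesize", "")
        out.append((a.name, size, reported, bytes_to_label(size) == reported))
    return out


def sha256_index(items: List[Artifact]) -> Dict[str, str]:
    """Lower-case SHA256 -> report path, for matching files found on a host."""
    return {a.attrs["SHA256"].lower(): a.name for a in items if "SHA256" in a.attrs}


def match_bytes(data: bytes, index: Dict[str, str]) -> Optional[str]:
    """Report path whose SHA256 equals that of data, else None."""
    return index.get(hashlib.sha256(data).hexdigest())


if __name__ == "__main__":
    parsed = parse_report(REPORT_SAMPLE)
    for name, size, reported, ok in check_regions(parsed):
        print(f"{'OK ' if ok else 'BAD'} {name}: 0x{size:X} bytes, reported {reported}")
    print(sha256_index(parsed))
```

Run against the page as a whole, `check_regions` confirms that every dump's reported size is the span of its address range, and the SHA256 index gives a compact lookup to run over `C:\providercommon\` on a suspect host; the 1.1MB regions belong to the ~1.0MB DllCommonsvc.exe image mapped in the spawned processes, while the 32KB to 72KB regions are smaller allocations the sandbox dumped from the same PIDs.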