Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    30/12/2024, 01:52

General

  • Target

    JaffaCakes118_81a5a5bce72f570318031322a9b7786f8ba579b1dccf2c4b79d10a16b2e5d6a5.exe

  • Size

    1.3MB

  • MD5

    6cbced217d07e41727a7754225ce67ba

  • SHA1

    3b3edbb8773adcef702429d1fa9e70a993542a94

  • SHA256

    81a5a5bce72f570318031322a9b7786f8ba579b1dccf2c4b79d10a16b2e5d6a5

  • SHA512

    7fdeae1873a522ff033e55ee76fdf481a1504d2c7905ae73880488cb049aeb17cbea310a9cf899667d000556a013e2de2e5bbf0b77045e3834668c998f87f2d0

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 54 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 12 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
  • Drops file in Program Files directory 10 IoCs
  • Drops file in Windows directory 11 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 33 IoCs
  • Suspicious use of AdjustPrivilegeToken 31 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_81a5a5bce72f570318031322a9b7786f8ba579b1dccf2c4b79d10a16b2e5d6a5.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_81a5a5bce72f570318031322a9b7786f8ba579b1dccf2c4b79d10a16b2e5d6a5.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2372
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1484
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1688
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2096
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2332
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\smss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2060
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2920
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsass.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3008
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2476
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\images\System.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2820
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\conhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2760
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2264
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\winlogon.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2656
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2976
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Prefetch\ReadyBoot\dllhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2816
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2772
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2860
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\ja-JP\System.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2648
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ShellNew\conhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2172
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dwm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2748
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\addins\audiodg.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1944
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\smss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2200
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ShellNew\smss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2632
          • C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe
            "C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2524
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fELEOgu8eF.bat"
              6⤵
                PID:3804
                • C:\Windows\system32\w32tm.exe
                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                  7⤵
                    PID:3836
                  • C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe
                    "C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe"
                    7⤵
                    • Executes dropped EXE
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:3876
                    • C:\Windows\System32\cmd.exe
                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ELjGFNzRMY.bat"
                      8⤵
                        PID:3096
                        • C:\Windows\system32\w32tm.exe
                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                          9⤵
                            PID:3144
                          • C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe
                            "C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe"
                            9⤵
                            • Executes dropped EXE
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            PID:3016
                            • C:\Windows\System32\cmd.exe
                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZAtO29mfgG.bat"
                              10⤵
                                PID:3348
                                • C:\Windows\system32\w32tm.exe
                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                  11⤵
                                    PID:2964
                                  • C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe
                                    "C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe"
                                    11⤵
                                    • Executes dropped EXE
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:2020
                                    • C:\Windows\System32\cmd.exe
                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RId7nS4uU7.bat"
                                      12⤵
                                        PID:1124
                                        • C:\Windows\system32\w32tm.exe
                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                          13⤵
                                            PID:1688
                                          • C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe
                                            "C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe"
                                            13⤵
                                            • Executes dropped EXE
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:2016
                                            • C:\Windows\System32\cmd.exe
                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FjqlTNZm6T.bat"
                                              14⤵
                                                PID:2612
                                                • C:\Windows\system32\w32tm.exe
                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                  15⤵
                                                    PID:2880
                                                  • C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe
                                                    "C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe"
                                                    15⤵
                                                    • Executes dropped EXE
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:3468
                                                    • C:\Windows\System32\cmd.exe
                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zAqEIlSfAD.bat"
                                                      16⤵
                                                        PID:3688
                                                        • C:\Windows\system32\w32tm.exe
                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                          17⤵
                                                            PID:3708
                                                          • C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe
                                                            "C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe"
                                                            17⤵
                                                            • Executes dropped EXE
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:3820
                                                            • C:\Windows\System32\cmd.exe
                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Kq4mDwN7mD.bat"
                                                              18⤵
                                                                PID:2600
                                                                • C:\Windows\system32\w32tm.exe
                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                  19⤵
                                                                    PID:1556
                                                                  • C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe
                                                                    "C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe"
                                                                    19⤵
                                                                    • Executes dropped EXE
                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    PID:868
                                                                    • C:\Windows\System32\cmd.exe
                                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xZLz5Ote6t.bat"
                                                                      20⤵
                                                                        PID:2392
                                                                        • C:\Windows\system32\w32tm.exe
                                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                          21⤵
                                                                            PID:772
                                                                          • C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe
                                                                            "C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe"
                                                                            21⤵
                                                                            • Executes dropped EXE
                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:3076
                                                                            • C:\Windows\System32\cmd.exe
                                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zHC6P4FzNT.bat"
                                                                              22⤵
                                                                                PID:2248
                                                                                • C:\Windows\system32\w32tm.exe
                                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                  23⤵
                                                                                    PID:2588
                                                                                  • C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe
                                                                                    "C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe"
                                                                                    23⤵
                                                                                    • Executes dropped EXE
                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                    PID:2220
                                                                                    • C:\Windows\System32\cmd.exe
                                                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uVUt9EuWwA.bat"
                                                                                      24⤵
                                                                                        PID:3220
                                                                                        • C:\Windows\system32\w32tm.exe
                                                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                          25⤵
                                                                                            PID:1268
                                                                                          • C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe
                                                                                            "C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe"
                                                                                            25⤵
                                                                                            • Executes dropped EXE
                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                            PID:3312
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\smss.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2788
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\smss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:3004
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\smss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2912
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\csrss.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2652
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\csrss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2804
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\csrss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1948
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsass.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2672
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2752
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2012
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\providercommon\sppsvc.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1684
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:888
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2116
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\images\System.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2072
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\images\System.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1904
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\images\System.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1620
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\conhost.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1164
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\conhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2960
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\conhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2948
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\providercommon\conhost.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2308
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1244
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1268
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Java\winlogon.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2220
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Java\winlogon.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2468
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Java\winlogon.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2252
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1124
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:536
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2596
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Windows\Prefetch\ReadyBoot\dllhost.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:620
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\dllhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1464
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Windows\Prefetch\ReadyBoot\dllhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1080
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:832
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2064
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1852
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\providercommon\spoolsv.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1360
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2184
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2516
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\System.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1516
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\System.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1712
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\System.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1708
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Windows\ShellNew\conhost.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:876
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\ShellNew\conhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:548
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Windows\ShellNew\conhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1968
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dwm.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2268
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dwm.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2408
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dwm.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:868
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Windows\addins\audiodg.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2404
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\addins\audiodg.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2032
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Windows\addins\audiodg.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2456
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\smss.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1560
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2360
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2716
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Windows\ShellNew\smss.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2564
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\ShellNew\smss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1084
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Windows\ShellNew\smss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:300

                                          Network

                                                MITRE ATT&CK Enterprise v15

                                                Replay Monitor

                                                Loading Replay Monitor...

                                                Downloads

                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                  Filesize

                                                  342B

                                                  MD5

                                                  da2102c4810ccccf3a30087ae53bc2df

                                                  SHA1

                                                  6af53a98463a13ef5c3a63fde875cc75bc1a03b9

                                                  SHA256

                                                  40f46b378d6f464d697221095c5353f5ec757f359260e4e15e8477397b39e2ad

                                                  SHA512

                                                  adb2571486c008b33e8562e19901550db18b8ee25fbd2d83f82826e149792314e824a7aa2b83b7cdc33581fde4bae83e1e27d37abd7273ab7b0410005e6cf997

                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                  Filesize

                                                  342B

                                                  MD5

                                                  0297849132582d4ceaafa85fdcca5237

                                                  SHA1

                                                  88d98c173540632e9e6ab52d44b3a272b181598e

                                                  SHA256

                                                  de8f26dc1b3418e84d8e0fcf34e321ccc5baa921e91b3e90a0a3aaf270bc447a

                                                  SHA512

                                                  4db75a61c9a5d0682c9e8f64705b1a35ab17912a2d3f337fdebf6f4568d99f637726295dbc479a939681ec86829f961f209fa391855c8b21e839165c62a7b55e

                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                  Filesize

                                                  342B

                                                  MD5

                                                  d4f796c733e6e15c9c62958bce099d05

                                                  SHA1

                                                  25a8d0335fe36f534c4a886acf039112c255c455

                                                  SHA256

                                                  3768c37c71dbb061e70a14c719d96e90bbf9c80cfb8f67d9a3f183641e783e40

                                                  SHA512

                                                  318e0a77a34dc5f75d59bf812e9d2c1948de11c036688aed48ad90a2884c01b8822ad75d4abacee6707ff57b791a6d2267ae451f7646819aaa123001d008d4f0

                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                  Filesize

                                                  342B

                                                  MD5

                                                  3ea7e70893bb6687a35a45225b9298d7

                                                  SHA1

                                                  2855127da28a195ff02cd02ab0d7d4c983b22bfa

                                                  SHA256

                                                  07ca822f7649dc202bf2ec741e4301c642ff4d92ab4f6ed99d941126716827ce

                                                  SHA512

                                                  fc33c83d3e826c7234223dff97b486946240dc67d7fb277c4b942caef19649b43a69ce7f467d4b3cfbab0289298d922daac76bb4614f5254285b52ac7583b7ae

                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                  Filesize

                                                  342B

                                                  MD5

                                                  c5da8241e686cfca7b7195315191e359

                                                  SHA1

                                                  7dd4a196ab4a429ec646968dd45ebc9a0b6e3bf5

                                                  SHA256

                                                  924eece126f2386efc4349a6160238d3045fcd39853413eaa0eef5ef7feedc8d

                                                  SHA512

                                                  43e0de4558e84e2b2aa3d868c53da6a9667975e0c98acee04221e681e4cfb0b30e311843c1abc66d394d01ad9c327a25357ad5070f32e05750e2dd1f2472b9a8

                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                  Filesize

                                                  342B

                                                  MD5

                                                  74c61a01f7e28a03e856f4c42308efc6

                                                  SHA1

                                                  44f54ad4bf66db9f92f0c7c340c11960673b0793

                                                  SHA256

                                                  99a3fc5f2e3bc557de82dd58d8a96ab65d41eb76b3c6d185aed832730a946ce4

                                                  SHA512

                                                  c930fc2cb34116afa49c03e830821eb0a5def89ed3c5d076376f252522083f14720d623eecdd7a323dd782bb09aa759cd6be23a0f4799f6b2309b2470b492233

                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                  Filesize

                                                  342B

                                                  MD5

                                                  f07e003b37ac41d23a88655a54f6356b

                                                  SHA1

                                                  1224e5ecd1a74b8a66e162902fdf139a39ef72f6

                                                  SHA256

                                                  f8e7c0c3a1d5684a1f4cd6209118e2b81d3f9142e4d655d7e8803722240734b7

                                                  SHA512

                                                  31c29608b59d4c2a1fc79bd1aaa4bb1768d7659477a012e46d6f74616699d399bad0abd76cef42997a6ee5150b0e9c679d48ef03a4f2cc5b8c584e8557d0696b

                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                  Filesize

                                                  342B

                                                  MD5

                                                  bd9b7c7db4756bfc9e740d7604993045

                                                  SHA1

                                                  ad4f3254fa442dc173c460ebbcc9d62d4c0f5218

                                                  SHA256

                                                  101e7ff7c1db90d08a132c3374058f8674744e61d4f2f2b6737faaa999a60426

                                                  SHA512

                                                  e0cfa39f848662e77027f44c8b6936bf637373112bb31b0988bed95ee750c6fa423ac94cbf92a78482ff89993e6c6573312e4361c645c12b982731fba5d90ef6

                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                  Filesize

                                                  342B

                                                  MD5

                                                  cffa744045db22410bbb22f4b4367afb

                                                  SHA1

                                                  22bccdd65901648ab0457e66cbbc193c2fc27650

                                                  SHA256

                                                  f0f04ef002055a4deb4145ddb4127ebabcd6f2497652e28aee4aec7e3bc1748a

                                                  SHA512

                                                  c8d2c844840c005ea42530bdf6e481c88fbd54c777dc7bd466a2ac29559add124269bc9a4be59d3649f4d9e96ee1fe5074505cda8728263a940ec53923a61767

                                                • C:\Users\Admin\AppData\Local\Temp\CabCAC0.tmp

                                                  Filesize

                                                  70KB

                                                  MD5

                                                  49aebf8cbd62d92ac215b2923fb1b9f5

                                                  SHA1

                                                  1723be06719828dda65ad804298d0431f6aff976

                                                  SHA256

                                                  b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                                  SHA512

                                                  bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                                • C:\Users\Admin\AppData\Local\Temp\ELjGFNzRMY.bat

                                                  Filesize

                                                  216B

                                                  MD5

                                                  2dbc40f54d10700c9cd21f5aad653d32

                                                  SHA1

                                                  bff6358e2a4d3572691fb519aec5dc71a7e9c899

                                                  SHA256

                                                  19286a867777d6cdbb29af536caf3775161896d4fd1c59cf8e9268fbc30fd96d

                                                  SHA512

                                                  c6161771d04b75e1299c00f86b9de349b3fda44b3c78745bd1d5d407b66bfab2e5d742d6bd8e2c8e5883e160a69477c6b355ad38e85c2c7b65387ec39a87c2d8

                                                • C:\Users\Admin\AppData\Local\Temp\FjqlTNZm6T.bat

                                                  Filesize

                                                  216B

                                                  MD5

                                                  cd788331c0194e60345c4bdddeab482c

                                                  SHA1

                                                  2e8c760c1f948ddd595e2de35e7da122fc8bbff5

                                                  SHA256

                                                  80d25f19ebb52ecce030460b1c09f32f411dc4cb03a6ad5a88f1ec20e594059c

                                                  SHA512

                                                  17a55f8a4442309989b65cf56320653e81ebed83b083dc5ea479866063f981733701ce03f1c87b5d5780e76375e5d0c55f6e4b0feafc336c0596e4b981a8b832

                                                • C:\Users\Admin\AppData\Local\Temp\Kq4mDwN7mD.bat

                                                  Filesize

                                                  216B

                                                  MD5

                                                  0c6719cdb5f23c6f64940860c52dea54

                                                  SHA1

                                                  5edfa302fb8606c8f03f7611cc707cb1bd7c71bc

                                                  SHA256

                                                  ca4dd9c96d046cdeb4b21a52bddbd70b9c30de974751b544937547804f87c584

                                                  SHA512

                                                  4ce10ac6af1874def9f5243192f242f8ba0fd158a17a9d091c711747b845ba234df14a13816ae29e694066b8e75d4a1d7c1137ffe61f30a0339d9956382aeea1

                                                • C:\Users\Admin\AppData\Local\Temp\RId7nS4uU7.bat

                                                  Filesize

                                                  216B

                                                  MD5

                                                  d5d1364b02ffa5cc31b451612785d991

                                                  SHA1

                                                  cae1d87127586607cfa7ee93141dddd90851c473

                                                  SHA256

                                                  eaa1ed254b3c022d90141d40f18ed3ecfee143bdc7fff717df28b893571862a1

                                                  SHA512

                                                  8c763852ccaf227a69ba47ef362b9784b3e133abe3250ff1c67058a4f1de8cd09085ca44ddb5d635659687d33d4d78845bf98b370c6b4aa5c5c3182da399ca37

                                                • C:\Users\Admin\AppData\Local\Temp\TarCAE2.tmp

                                                  Filesize

                                                  181KB

                                                  MD5

                                                  4ea6026cf93ec6338144661bf1202cd1

                                                  SHA1

                                                  a1dec9044f750ad887935a01430bf49322fbdcb7

                                                  SHA256

                                                  8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                                                  SHA512

                                                  6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                                • C:\Users\Admin\AppData\Local\Temp\ZAtO29mfgG.bat

                                                  Filesize

                                                  216B

                                                  MD5

                                                  113283e68801317882c372196df507ed

                                                  SHA1

                                                  7c181ed91b372cc8d74eb99646469447fc970ba4

                                                  SHA256

                                                  f23d6083e047c03c06d8a0284ddd5a4f94034b26e058fccd548c5ac11596fef9

                                                  SHA512

                                                  178faff86b396d3592e1127656a9f5ca5cae7c35905e364c20eaacfb551fcbe7b787b45143a4a696fa5c7dfff68c9868adafed9b042da5dec4589c6cccd7456a

                                                • C:\Users\Admin\AppData\Local\Temp\fELEOgu8eF.bat

                                                  Filesize

                                                  216B

                                                  MD5

                                                  e1293437215700de5a28e634b97d0436

                                                  SHA1

                                                  af43cc1425ec1d4ddf61c0cf619b09daa11984ae

                                                  SHA256

                                                  4abc267d9ae43686962149c21c8eebe5925a86f152c6ad93bf7bc8e2f1c92b28

                                                  SHA512

                                                  9930f992206f44add7f67e924cecf86439d0bb168168ba7870017ee69b419c4f222ddbc6b94b91965ba1f7f4c9ba28678417a2f8cc9ec4c58aa8714be383e5a1

                                                • C:\Users\Admin\AppData\Local\Temp\uVUt9EuWwA.bat

                                                  Filesize

                                                  216B

                                                  MD5

                                                  a1bde383caa5ffc938e5fd03e1848c40

                                                  SHA1

                                                  aa4c5a8e0dfb9991f9f8273e1decf9eba32b4624

                                                  SHA256

                                                  a8cbfc03d40a0ec0e2cf09594ce81190e560cbb4f944ccba76ee69a68fab5d9d

                                                  SHA512

                                                  f9394ec1cab821fddd9ad66869c71a383426c396b0b782820c40f22a2527da3f437b596a42325bb1cb61b9758cb23652f7aa20f6aa2758df97d875f659d8d9d5

                                                • C:\Users\Admin\AppData\Local\Temp\xZLz5Ote6t.bat

                                                  Filesize

                                                  216B

                                                  MD5

                                                  236fc998ccd9dcf461886fdb3dda24db

                                                  SHA1

                                                  c821507313f9bd861ce264c11adac889a73480ce

                                                  SHA256

                                                  ad87cb32c538c55ef9a4e94a9d0e807db1ba2f5c3237e614ea778fbc9adfb12f

                                                  SHA512

                                                  3a65e612e6206c87898c1c9d3342a27174583f4d92d82aa467166ed3e7bf3b5ba968f178fb20f37b130535a2042bed8433ef7c115ed0679cb186886b20d6d228

                                                • C:\Users\Admin\AppData\Local\Temp\zAqEIlSfAD.bat

                                                  Filesize

                                                  216B

                                                  MD5

                                                  0274a29ce134a487d61355974c288dce

                                                  SHA1

                                                  36dfdc3d70bc1b283141d06a36f95731d452be4e

                                                  SHA256

                                                  f191c23e6a67ce4f202e1503f7fc49cbffe2457f9b7b5afa028fd0c4470e76f8

                                                  SHA512

                                                  795ebff8e39c681b4caa1018784cd6ea1290edb51ba4bb831f49ce90a94c709a6293bb536bdb81dea285f0d3ab2d580639d11a509a4ad6a5cf2d61dfc763b6bf

                                                • C:\Users\Admin\AppData\Local\Temp\zHC6P4FzNT.bat

                                                  Filesize

                                                  216B

                                                  MD5

                                                  73a620cb1e68dcca7ef98444b44e293a

                                                  SHA1

                                                  1dd89176f02de97d49ad4ebfae791c05ca46b787

                                                  SHA256

                                                  a351a9bd453f328c0212c5f54ef012d49ec64795d5a36fdbe66987a2950d5d0c

                                                  SHA512

                                                  b76c5f8b41f267bdf94cd115f85e013f1d7bd13526793cfa5fb7c076dc0bcdf52fc3625fcd57d88100ebc1def613e23bbe50fca104e25a2f748f9f0bf6a6d604

                                                • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                                  Filesize

                                                  7KB

                                                  MD5

                                                  a325046d10d140ae068e1567ab2b63f1

                                                  SHA1

                                                  7148a19809a5bb7af42af73bfa3afeccfb3cabc6

                                                  SHA256

                                                  3c33a1b3b309720862391dbd3f82a6d749f7842bc658c775691dfa962e4f87f6

                                                  SHA512

                                                  951bab629f1f8e1ce3e5d3b1572bc683a3c71fbb8d658711c9c5a3f6512c9d3f203fa090083760d6f714a4765439a91ba06010a0393f33da763fb43463019cec

                                                • C:\providercommon\1zu9dW.bat

                                                  Filesize

                                                  36B

                                                  MD5

                                                  6783c3ee07c7d151ceac57f1f9c8bed7

                                                  SHA1

                                                  17468f98f95bf504cc1f83c49e49a78526b3ea03

                                                  SHA256

                                                  8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

                                                  SHA512

                                                  c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                                • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                                  Filesize

                                                  197B

                                                  MD5

                                                  8088241160261560a02c84025d107592

                                                  SHA1

                                                  083121f7027557570994c9fc211df61730455bb5

                                                  SHA256

                                                  2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

                                                  SHA512

                                                  20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                                • \providercommon\DllCommonsvc.exe

                                                  Filesize

                                                  1.0MB

                                                  MD5

                                                  bd31e94b4143c4ce49c17d3af46bcad0

                                                  SHA1

                                                  f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                                  SHA256

                                                  b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                                  SHA512

                                                  f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                                • memory/868-570-0x0000000000190000-0x00000000002A0000-memory.dmp

                                                  Filesize

                                                  1.1MB

                                                • memory/2020-330-0x0000000001130000-0x0000000001240000-memory.dmp

                                                  Filesize

                                                  1.1MB

                                                • memory/2096-17-0x0000000000600000-0x000000000060C000-memory.dmp

                                                  Filesize

                                                  48KB

                                                • memory/2096-13-0x0000000000390000-0x00000000004A0000-memory.dmp

                                                  Filesize

                                                  1.1MB

                                                • memory/2096-14-0x00000000004D0000-0x00000000004E2000-memory.dmp

                                                  Filesize

                                                  72KB

                                                • memory/2096-15-0x00000000005E0000-0x00000000005EC000-memory.dmp

                                                  Filesize

                                                  48KB

                                                • memory/2096-16-0x00000000005F0000-0x00000000005FC000-memory.dmp

                                                  Filesize

                                                  48KB

                                                • memory/2220-690-0x0000000001190000-0x00000000012A0000-memory.dmp

                                                  Filesize

                                                  1.1MB

                                                • memory/2332-61-0x0000000002250000-0x0000000002258000-memory.dmp

                                                  Filesize

                                                  32KB

                                                • memory/2332-60-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

                                                  Filesize

                                                  2.9MB

                                                • memory/2524-100-0x0000000000030000-0x0000000000140000-memory.dmp

                                                  Filesize

                                                  1.1MB

                                                • memory/2524-151-0x00000000002D0000-0x00000000002E2000-memory.dmp

                                                  Filesize

                                                  72KB

                                                • memory/3016-270-0x00000000009D0000-0x0000000000AE0000-memory.dmp

                                                  Filesize

                                                  1.1MB

                                                • memory/3076-630-0x0000000000F10000-0x0000000001020000-memory.dmp

                                                  Filesize

                                                  1.1MB

                                                • memory/3312-750-0x00000000011C0000-0x00000000012D0000-memory.dmp

                                                  Filesize

                                                  1.1MB

                                                • memory/3468-449-0x0000000000260000-0x0000000000370000-memory.dmp

                                                  Filesize

                                                  1.1MB

                                                • memory/3820-510-0x0000000000350000-0x0000000000362000-memory.dmp

                                                  Filesize

                                                  72KB

                                                • memory/3820-509-0x00000000000D0000-0x00000000001E0000-memory.dmp

                                                  Filesize

                                                  1.1MB

                                                • memory/3876-210-0x0000000000320000-0x0000000000430000-memory.dmp

                                                  Filesize

                                                  1.1MB