Analysis

  • max time kernel
    148s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    30/12/2024, 01:56

General

  • Target

    JaffaCakes118_70f0572bd6526b046b8be82c0669d14b53600f0b2fe0cf3085972106ad1c6a4f.exe

  • Size

    1.3MB

  • MD5

    b9f158cdb090e31654547f8c954c96ff

  • SHA1

    dccaf2a828ce17f06ad7b06f00bc8dcf6eb4e07f

  • SHA256

    70f0572bd6526b046b8be82c0669d14b53600f0b2fe0cf3085972106ad1c6a4f

  • SHA512

    5e351b13e61ea84466f78d7d0ed5a8b0133dcada471c84c31a294151f5604cf9c323be0b712814107b08f21d042f69f0786439479add1893cfbc1b70f1c6d431

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 39 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 10 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

    Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 26 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_70f0572bd6526b046b8be82c0669d14b53600f0b2fe0cf3085972106ad1c6a4f.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_70f0572bd6526b046b8be82c0669d14b53600f0b2fe0cf3085972106ad1c6a4f.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3032
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2172
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:320
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2776
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1584
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1912
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\NetHood\dllhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2708
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\Idle.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1160
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1636
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dwm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1564
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2068
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2260
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\System.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2472
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dllhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1864
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\spoolsv.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2084
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Application Data\lsass.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2216
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1724
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1300
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SNilxF3dNP.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2176
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
              PID:1668
              • C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe
                "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2856
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qtVTp5BaF9.bat"
                  7⤵
                  PID:1716
                    • C:\Windows\system32\w32tm.exe
                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                      8⤵
                      PID:820
                      • C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe
                        "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe"
                        8⤵
                        • Executes dropped EXE
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:672
                        • C:\Windows\System32\cmd.exe
                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SzaURWjxsM.bat"
                          9⤵
                          PID:2864
                            • C:\Windows\system32\w32tm.exe
                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                              10⤵
                              PID:1932
                              • C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe
                                "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe"
                                10⤵
                                • Executes dropped EXE
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of AdjustPrivilegeToken
                                PID:2984
                                • C:\Windows\System32\cmd.exe
                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2tBWjDxv5U.bat"
                                  11⤵
                                  PID:1612
                                    • C:\Windows\system32\w32tm.exe
                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                      12⤵
                                      PID:2180
                                      • C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe
                                        "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe"
                                        12⤵
                                        • Executes dropped EXE
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:2040
                                        • C:\Windows\System32\cmd.exe
                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xjNnGM38uG.bat"
                                          13⤵
                                          PID:2748
                                            • C:\Windows\system32\w32tm.exe
                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                              14⤵
                                              PID:1700
                                              • C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe
                                                "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe"
                                                14⤵
                                                • Executes dropped EXE
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:1004
                                                • C:\Windows\System32\cmd.exe
                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZH81p4FGmr.bat"
                                                  15⤵
                                                  PID:2084
                                                    • C:\Windows\system32\w32tm.exe
                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                      16⤵
                                                      PID:2524
                                                      • C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe
                                                        "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe"
                                                        16⤵
                                                        • Executes dropped EXE
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:1564
                                                        • C:\Windows\System32\cmd.exe
                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Oupdpj3XpI.bat"
                                                          17⤵
                                                          PID:1552
                                                            • C:\Windows\system32\w32tm.exe
                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                              18⤵
                                                              PID:1576
                                                              • C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe
                                                                "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe"
                                                                18⤵
                                                                • Executes dropped EXE
                                                                • Suspicious behavior: EnumeratesProcesses
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:2176
                                                                • C:\Windows\System32\cmd.exe
                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cYhs0sn2L6.bat"
                                                                  19⤵
                                                                  PID:2004
                                                                    • C:\Windows\system32\w32tm.exe
                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                      20⤵
                                                                      PID:1532
                                                                      • C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe
                                                                        "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe"
                                                                        20⤵
                                                                        • Executes dropped EXE
                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        PID:1748
                                                                        • C:\Windows\System32\cmd.exe
                                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tDjG3X7WPV.bat"
                                                                          21⤵
                                                                          PID:1608
                                                                            • C:\Windows\system32\w32tm.exe
                                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                              22⤵
                                                                              PID:1128
                                                                              • C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe
                                                                                "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe"
                                                                                22⤵
                                                                                • Executes dropped EXE
                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                PID:580
                                                                                • C:\Windows\System32\cmd.exe
                                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7C7JiPLtAl.bat"
                                                                                  23⤵
                                                                                  PID:2888
                                                                                    • C:\Windows\system32\w32tm.exe
                                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                      24⤵
                                                                                      PID:2796
                                                                                      • C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe
                                                                                        "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe"
                                                                                        24⤵
                                                                                        • Executes dropped EXE
                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                        PID:2868
                                                                                        • C:\Windows\System32\cmd.exe
                                                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LgxiiauvsB.bat"
                                                                                          25⤵
                                                                                          PID:2728
                                                                                            • C:\Windows\system32\w32tm.exe
                                                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                              26⤵
                                                                                              PID:1344
                                                                                              • C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe
                                                                                                "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe"
                                                                                                26⤵
                                                                                                • Executes dropped EXE
                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                PID:2364
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2652
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2892
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2888
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\Default\NetHood\dllhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2676
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default\NetHood\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2748
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Users\Default\NetHood\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2248
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\Idle.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2540
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:844
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1700
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\providercommon\conhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1652
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2368
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1740
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\providercommon\dwm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1200
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1656
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1516
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2912
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:564
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1596
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:236
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1760
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
                                              PID:2944
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\System.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2932
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\System.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2396
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\System.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2304
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dllhost.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2400
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dllhost.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2236
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dllhost.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1796
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\spoolsv.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:924
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2392
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2996
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Application Data\lsass.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:972
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\lsass.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1484
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Application Data\lsass.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1816
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:3004
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1032
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1044
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1540
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1592
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2364

                                            Network

                                                  MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 342B
    MD5: 0baac3adb6a29fd77aba15772801541a
    SHA1: ba0eea3515af7d40c2c682f80b9a8c0045eb75c5
    SHA256: b01fac642de0e203cfa12d68e12ad0779ab284530e63811711ceae3aff14aa52
    SHA512: d721613007477c08bd8cf40c5febdf06042e9ced222cc8d1b5220908592b43fb04a6f31732130147f1a35ba639eb59b0dff8021c012d5f28d8c67756c8a1fd9c

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 342B
    MD5: 672d52332335670d7df2fdcddeddf1e8
    SHA1: 60cb1ada72d62c76310fefee280c5341c021fb47
    SHA256: f14efe72ca9654513135ccc9823e72e3231f66440cecbf867c91ed981942eee5
    SHA512: b176138c16a462a2851d0fdc56d2f649047a70fa6a423c7bf3c440b5ae77c1b5aba02c0f76c4c42097a29845fc7b4dbbcfe573a4c979b5ced126af2323b356ca

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 342B
    MD5: f7ef1a22e991b9c7369dd707620e698c
    SHA1: 2fac09c99dbd419908c703a4c2ae6026101de418
    SHA256: f6a450b6f19252013603be11da221ed1b75d8fd321170adb66188356acecc0ee
    SHA512: 5367345de2e8bec41d601cdac05cb29fc0e7fbd7e5e03f10c1c272f89c476903203c505e4ab8e361a36995db30e0378ee785faa47ce4be9f3b68ce8afd317b9f

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 342B
    MD5: e5e72829d9bdef786a5387821e71d64e
    SHA1: bd4bd49e0b1c0b203cafd2022053ab030463565c
    SHA256: 4020fd62c80f096f27faa5f411e4d8243c078136da8f7da4b7a0554895d068d9
    SHA512: 2123a1d6287e9b7a65a659d77ecf34f7f49fa0c6d77422326dfe28bed3ebb6f65a7871b66fd71789673beefa1600168778cf47057d1a153f24f951df5412f32d

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 342B
    MD5: 9568d194776f85c9be73840156f3a224
    SHA1: da5a1734d9269557603f6c868324dcfbdbb437d4
    SHA256: e5e3dca30e86192e2aef71c53f39f7ccb6cb10430fef2ff419a7e71c75dec037
    SHA512: 61b3e0e18379c9c3b121ade016b99fa3808fe864fa01df9c0998f7ddadc476787645ae5ddc58fbc894c8cdae61adb01f894bc5b2fb78a18927f65bd9da8d0994

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 342B
    MD5: 323c255c122e3f79332ea831155323af
    SHA1: 170aa8e3bb34b2221e98f97d67d982d5d4e0cc10
    SHA256: a9d949cf41ecdfdc50e4db53adfce96d5fea78cb1fa86a50f1c542baea422cb8
    SHA512: a9051ad3a161c29fe8b284ebbd77602bf93007a8fe269d5d525b3cd75e2e22e30384994797dac6e042f0b9fd563c09afc9f50c845e481295679e2bbaa40ead5b

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 342B
    MD5: 708fa43cc0d1924236cccf0f82997c8a
    SHA1: 10cf82f7071d83f5634614ca374ff3f9c167be89
    SHA256: 932502305fdc5b11146c618c3909df23aa10fe58763d432cf596fc50843bec6c
    SHA512: e6555249e9ce3a7e66cc53e5693880928ce2874310f20f74399e0e430a9f9397565e4b98eba0b23b39160658c6a2a78aefb2f1c04f7505082a8ff12bc3b296ca

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 342B
    MD5: 2d1de8be62d20ef3b4582817892a8ace
    SHA1: cf91df03266dbf47a4bab17d792c0837eadbdc8f
    SHA256: 1e87b895b85b77a23691298e8023cb2d851a4455bf5828939dae825ba2effbbd
    SHA512: 9c7a3d489919c00e082e8c81f6163f3677aaa98eb4b0cdf0ae4bd8e69af62bb338237fb66affc4aa5bb2fe670e4d2be20c5f90e2b0814f6fa5fb53457bce4f4c

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 342B
    MD5: 7cc6b9504c9be1fc55a74fd7e3c96716
    SHA1: 08a2badecde7c6bf6c236fe9205194e03ab27678
    SHA256: 457ccd890f7db377346a9e1e23bf3b4921c032370d706c2b47d0b8fbdc78edd7
    SHA512: 001ae37a25cec6644ef6f109dde486c7f3dc1d2b0b144ebf982f2b1d96e61aebc762b36ce55c69dca9cedde2ec86c2fe0cdfac6c380ee4cbaeabf883ce00bf9b

  • C:\Users\Admin\AppData\Local\Temp\2tBWjDxv5U.bat
    Filesize: 221B
    MD5: 1dc1912dffc882ccecb241be729a980d
    SHA1: 764e2900da73a9cb2febacb7af5ae026108dfe17
    SHA256: 8d59f8544f701a00322b470134d001d4824063a7325a96d9f6e10984f8bd2e15
    SHA512: a8e304abdb35b1e535ed11cb00b31ed542e9717c85e79c1d9e261269a986a26d364552cbfeb16cdc9674c4a51e07329adb9ecf2b88946281aae4949d97c7855d

  • C:\Users\Admin\AppData\Local\Temp\7C7JiPLtAl.bat
    Filesize: 221B
    MD5: bba34a128b44032a918e712a153154b0
    SHA1: 64e6b80fa496022f00f35600ce0d19c2b6e0fcea
    SHA256: b64082b44e0c1161a17bbc520e051a395c0e30af16665fb4896dd3c6d2bd74aa
    SHA512: d89ae46b7987c18d130e4e94d5f36836eb59c928219832a1e06c055224d175108be9d3476085bf3e0274cca757abdd3b879ed90f45c6ccabec87fd629871dfad

  • C:\Users\Admin\AppData\Local\Temp\CabFBC.tmp
    Filesize: 70KB
    MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
    SHA1: 1723be06719828dda65ad804298d0431f6aff976
    SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
    SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\LgxiiauvsB.bat
    Filesize: 221B
    MD5: c9aef1a16f06e091db288fca80343b09
    SHA1: 1f83d0c061a7cd23f1a05ff9f3119f020ea026ef
    SHA256: 84d329096d64f163a7fdf5a2629618e8fdf70a54a90bf810283215d7e0c6a322
    SHA512: 0b1a15fa7e8e612cbf846180e3c82ec4e2bd439dc13cdb3b5e762dc51464067c857d07fa98c823e0a37775bdc3b195d4916a2eba410d189e65dd9dfa0f29ba81

  • C:\Users\Admin\AppData\Local\Temp\Oupdpj3XpI.bat
    Filesize: 221B
    MD5: 47c23df1cb122ca6bc6880b779f388fa
    SHA1: 2b15ce23115dbd52822a21c3172284a9f44ccff9
    SHA256: 82f022bb8855978b011320fb372ad8da980a3fee01a5516297304995bd1c965b
    SHA512: 036602bc660f2410a36f0306d2665d96099791082427fa03b40e04d00d0b7b47f6c5e00797f50b01134a5d02f756f749fcd8dc88c46025fb14d6d564aaf2050e

  • C:\Users\Admin\AppData\Local\Temp\SNilxF3dNP.bat
    Filesize: 221B
    MD5: 7b297320726c397b15917549dfd2c49f
    SHA1: d3c463834fa80451f1c9016d1b045d81b01e2a4a
    SHA256: 2f7e7edb55b9e8c61413df4b838ae0b424da45a8de6a868c48850b645bf98b9b
    SHA512: 3d8a71d048e1ba4d587894c7fe6e5c0c6bb564ea9d01cf30480d41cefeeb497aec995c7a343793c179a3f9c00e1986c4e5cd137328323d9c4f6aee86365433de

  • C:\Users\Admin\AppData\Local\Temp\SzaURWjxsM.bat
    Filesize: 221B
    MD5: 6254ea7f43cc5a9fb0d40e891f00202d
    SHA1: 2322d9a662aabd66d1075df08efa2aa515d01879
    SHA256: c1f2c971dba4f446a7eab194a274f379cfc98d2286ff63fbb455f0034d0e9471
    SHA512: 50e506f1cc468f7477f26f3687e14f0a1e5b109115a42a542bc4cd249a1246f814f887e409e91e498ddfe6cd2ee0f4ee6d50cd7607867fc8586654e1085299d0

  • C:\Users\Admin\AppData\Local\Temp\TarFCE.tmp
    Filesize: 181KB
    MD5: 4ea6026cf93ec6338144661bf1202cd1
    SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
    SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
    SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • C:\Users\Admin\AppData\Local\Temp\ZH81p4FGmr.bat
    Filesize: 221B
    MD5: 46d00df5334272e95cf2bfbf658b1a63
    SHA1: cb06d9bdfbc31ce10ed67e238d0fae8083214620
    SHA256: 97c09b1a1d4b038502877a2925621ee2dad41556138f80c283d6caaa331dcf11
    SHA512: 7382e076efc908d74a8415375b2af119569087a3018e7118f5503ad4935a887a47e0a2bbda051c6543b1a224a07e3ac30baceba5840aaa32f467e0cde65be86c

  • C:\Users\Admin\AppData\Local\Temp\cYhs0sn2L6.bat
    Filesize: 221B
    MD5: c773dda29d2165ea3fd726eee1fac2e0
    SHA1: 2850dab18a49b3bd24ebb815a528aff28cf7cff5
    SHA256: bb978b17f651a52e65c3b2bcc689b6cb92f241193c4f7be3614ab31e65d54989
    SHA512: 6aa4d1659c5abff437fe77c4517e548a958798fd102e46d7480a5544b7fde759b5a7d6a1175037ecf339fbe8db8e038e5bf3539c047e66b16a38dfc1f675ebcf

  • C:\Users\Admin\AppData\Local\Temp\qtVTp5BaF9.bat
    Filesize: 221B
    MD5: b80710f5e9050b729b157b92cd18ffd2
    SHA1: 630c6100bdf5a0a9c1f5462c22e260688f524255
    SHA256: 20a31ffeeea6345a333a5629d77f8bfa8da06b260973204ca61b3adbab031585
    SHA512: 8458399e1ab8b27c4e4b507cc246acf1d55ad8a2a09594bb6ce622580993480dea62ec553ad6b1eedb493ad573fcc0308f276c40b6cde1c3a5e3b420fc41be41

  • C:\Users\Admin\AppData\Local\Temp\tDjG3X7WPV.bat
    Filesize: 221B
    MD5: ec687a0007ffab5be88bbf6f46657219
    SHA1: 858ad899063ec81d3987a009f5c89e301b5a1a71
    SHA256: 03dc884e567d4568d963c66b3ffbb4f74db1ade4aafc0f40d3c62f260715b882
    SHA512: b56507439300e995237d92b9543aa1bb18cf74a305e6e8515c056398c4fcd70825928b5a42333b4f7732ea2d584f5e49129f914325e838f64a63dbaae13a3977

  • C:\Users\Admin\AppData\Local\Temp\xjNnGM38uG.bat
    Filesize: 221B
    MD5: ba3903fba2fc8ee3041b2e665fc7e950
    SHA1: 105ad937931ba27eec07a3c4da40da22992d56f5
    SHA256: 38fa918eead9f384cb886ff067fc98d745255da174cef558cdc8919d1c0f224d
    SHA512: 6e2b505317ca723e0ae65f807a1df4092c2fb12e241c6127c0afd8a48a4418112709fddf98aca7570138319de08cce5e150fea7f94ed2993372ae5195a116968

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize: 7KB
    MD5: d6771cf88cb0a170a847ac8d5c9408f8
    SHA1: 507815d7e616a3c9683310c942faf5abf7d810fd
    SHA256: c335a24e5fb33ce93d41a42bb490c715651d175b558d5aec58276da8ad73baab
    SHA512: a4ae7194a37681f30cf3426167dced827be4822ae31aadede4c014a14419f21e9786affcd61c127c6d0f7a0ff4da6b1fc0422cceb9b826e96913847d766c5049

                                                  • C:\providercommon\1zu9dW.bat

                                                    Filesize

                                                    36B

                                                    MD5

                                                    6783c3ee07c7d151ceac57f1f9c8bed7

                                                    SHA1

                                                    17468f98f95bf504cc1f83c49e49a78526b3ea03

                                                    SHA256

                                                    8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

                                                    SHA512

                                                    c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                                  • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                                    Filesize

                                                    197B

                                                    MD5

                                                    8088241160261560a02c84025d107592

                                                    SHA1

                                                    083121f7027557570994c9fc211df61730455bb5

                                                    SHA256

                                                    2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

                                                    SHA512

                                                    20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                                  • \providercommon\DllCommonsvc.exe

                                                    Filesize

                                                    1.0MB

                                                    MD5

                                                    bd31e94b4143c4ce49c17d3af46bcad0

                                                    SHA1

                                                    f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                                    SHA256

                                                    b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                                    SHA512

                                                    f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                                  • memory/580-601-0x0000000000D30000-0x0000000000E40000-memory.dmp

                                                    Filesize

                                                    1.1MB

                                                  • memory/672-178-0x0000000000B90000-0x0000000000CA0000-memory.dmp

                                                    Filesize

                                                    1.1MB

                                                  • memory/672-179-0x0000000000340000-0x0000000000352000-memory.dmp

                                                    Filesize

                                                    72KB

                                                  • memory/1564-419-0x0000000000150000-0x0000000000162000-memory.dmp

                                                    Filesize

                                                    72KB

                                                  • memory/1564-79-0x000000001B620000-0x000000001B902000-memory.dmp

                                                    Filesize

                                                    2.9MB

                                                  • memory/1748-541-0x0000000000350000-0x0000000000362000-memory.dmp

                                                    Filesize

                                                    72KB

                                                  • memory/1748-540-0x00000000008D0000-0x00000000009E0000-memory.dmp

                                                    Filesize

                                                    1.1MB

                                                  • memory/2040-300-0x0000000000140000-0x0000000000152000-memory.dmp

                                                    Filesize

                                                    72KB

                                                  • memory/2040-299-0x0000000001320000-0x0000000001430000-memory.dmp

                                                    Filesize

                                                    1.1MB

                                                  • memory/2176-480-0x0000000000250000-0x0000000000262000-memory.dmp

                                                    Filesize

                                                    72KB

                                                  • memory/2176-479-0x0000000000120000-0x0000000000230000-memory.dmp

                                                    Filesize

                                                    1.1MB

                                                  • memory/2260-80-0x0000000002230000-0x0000000002238000-memory.dmp

                                                    Filesize

                                                    32KB

                                                  • memory/2776-17-0x0000000000570000-0x000000000057C000-memory.dmp

                                                    Filesize

                                                    48KB

                                                  • memory/2776-16-0x0000000000560000-0x000000000056C000-memory.dmp

                                                    Filesize

                                                    48KB

                                                  • memory/2776-15-0x0000000000550000-0x000000000055C000-memory.dmp

                                                    Filesize

                                                    48KB

                                                  • memory/2776-14-0x0000000000540000-0x0000000000552000-memory.dmp

                                                    Filesize

                                                    72KB

                                                  • memory/2776-13-0x00000000000B0000-0x00000000001C0000-memory.dmp

                                                    Filesize

                                                    1.1MB

                                                  • memory/2856-119-0x0000000000A50000-0x0000000000B60000-memory.dmp

                                                    Filesize

                                                    1.1MB

                                                  • memory/2868-661-0x0000000000EE0000-0x0000000000FF0000-memory.dmp

                                                    Filesize

                                                    1.1MB

                                                  • memory/2984-239-0x0000000000E80000-0x0000000000F90000-memory.dmp

                                                    Filesize

                                                    1.1MB