Analysis

  • max time kernel
    145s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
  • submitted
    30/12/2024, 02:11

General

  • Target

    JaffaCakes118_583aa0e582ed82eb4a51a653ac022c2a5cf34af0cbf50dd9c9d48ee74fbdf17f.exe

  • Size

    1.3MB

  • MD5

    551cfa4d6d3eca2368ef1b322a061de9

  • SHA1

    f87ec1fb32f1304daa31f1ec87edfcf5df6ed063

  • SHA256

    583aa0e582ed82eb4a51a653ac022c2a5cf34af0cbf50dd9c9d48ee74fbdf17f

  • SHA512

    f580b9984b0421d8cd104f1f6969361cc227e74f9765c99a8dd6a09559d43a1ef132973db877d0680d9e6c9adf434f0bf9752b1db29a6733cee184ae14115e46

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal RAT (DCRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 39 IoCs

    This typically indicates that the parent process was compromised via an exploit or macro; here the schtasks.exe invocations appear at the top level of the tree with no recorded parent.

  • DCRat payload 7 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

    PowerShell is run to modify Windows Defender settings, adding exclusions for file extensions, paths, or processes; here each dropped binary is excluded by path with Add-MpPreference -ExclusionPath.

  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs
  • Drops file in Program Files directory 13 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim in order to infer the host's geographic location.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

    schtasks.exe is commonly used by malware for persistence or for post-infection execution; here each dropped copy gets an ONLOGON task with /rl HIGHEST plus short MINUTE-interval tasks that relaunch it.

  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 26 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_583aa0e582ed82eb4a51a653ac022c2a5cf34af0cbf50dd9c9d48ee74fbdf17f.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_583aa0e582ed82eb4a51a653ac022c2a5cf34af0cbf50dd9c9d48ee74fbdf17f.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2468
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1984
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2472
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1460
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1068
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\ja-JP\smss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:864
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\wininit.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2060
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\services.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1516
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\services.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:788
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\lsass.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:288
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\taskhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1212
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\de-DE\cmd.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1692
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Branding\ShellBrd\sppsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:908
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\cmd.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1100
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\taskhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2384
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\audiodg.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1540
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\cmd.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1324
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\Idle.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2256
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3zRe6kLImV.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1772
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:2980
              • C:\Program Files\Windows Sidebar\de-DE\cmd.exe
                "C:\Program Files\Windows Sidebar\de-DE\cmd.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:884
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D5faDLbbQ0.bat"
                  7⤵
                    PID:3028
                    • C:\Windows\system32\w32tm.exe
                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                      8⤵
                        PID:2156
                      • C:\Program Files\Windows Sidebar\de-DE\cmd.exe
                        "C:\Program Files\Windows Sidebar\de-DE\cmd.exe"
                        8⤵
                        • Executes dropped EXE
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2668
                        • C:\Windows\System32\cmd.exe
                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8NcI1AeIbp.bat"
                          9⤵
                            PID:2340
                            • C:\Windows\system32\w32tm.exe
                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                              10⤵
                                PID:1436
                              • C:\Program Files\Windows Sidebar\de-DE\cmd.exe
                                "C:\Program Files\Windows Sidebar\de-DE\cmd.exe"
                                10⤵
                                • Executes dropped EXE
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of AdjustPrivilegeToken
                                PID:936
                                • C:\Windows\System32\cmd.exe
                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RnBkS9jGYw.bat"
                                  11⤵
                                    PID:908
                                    • C:\Windows\system32\w32tm.exe
                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                      12⤵
                                        PID:1968
                                      • C:\Program Files\Windows Sidebar\de-DE\cmd.exe
                                        "C:\Program Files\Windows Sidebar\de-DE\cmd.exe"
                                        12⤵
                                        • Executes dropped EXE
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:2620
                                        • C:\Windows\System32\cmd.exe
                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hbGxgnDDQj.bat"
                                          13⤵
                                            PID:2760
                                            • C:\Windows\system32\w32tm.exe
                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                              14⤵
                                                PID:1008
                                              • C:\Program Files\Windows Sidebar\de-DE\cmd.exe
                                                "C:\Program Files\Windows Sidebar\de-DE\cmd.exe"
                                                14⤵
                                                • Executes dropped EXE
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:2420
                                                • C:\Windows\System32\cmd.exe
                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1CE969IshF.bat"
                                                  15⤵
                                                    PID:560
                                                    • C:\Windows\system32\w32tm.exe
                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                      16⤵
                                                        PID:1804
                                                      • C:\Program Files\Windows Sidebar\de-DE\cmd.exe
                                                        "C:\Program Files\Windows Sidebar\de-DE\cmd.exe"
                                                        16⤵
                                                        • Executes dropped EXE
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:2604
                                                        • C:\Windows\System32\cmd.exe
                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MsSi1KDKJG.bat"
                                                          17⤵
                                                            PID:1648
                                                            • C:\Windows\system32\w32tm.exe
                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                              18⤵
                                                                PID:2876
                                                              • C:\Program Files\Windows Sidebar\de-DE\cmd.exe
                                                                "C:\Program Files\Windows Sidebar\de-DE\cmd.exe"
                                                                18⤵
                                                                • Executes dropped EXE
                                                                • Suspicious behavior: EnumeratesProcesses
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:1800
                                                                • C:\Windows\System32\cmd.exe
                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gWC6ojzqIZ.bat"
                                                                  19⤵
                                                                    PID:2660
                                                                    • C:\Windows\system32\w32tm.exe
                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                      20⤵
                                                                        PID:1872
                                                                      • C:\Program Files\Windows Sidebar\de-DE\cmd.exe
                                                                        "C:\Program Files\Windows Sidebar\de-DE\cmd.exe"
                                                                        20⤵
                                                                        • Executes dropped EXE
                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        PID:544
                                                                        • C:\Windows\System32\cmd.exe
                                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rBMLF9HJtT.bat"
                                                                          21⤵
                                                                            PID:1064
                                                                            • C:\Windows\system32\w32tm.exe
                                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                              22⤵
                                                                                PID:1612
                                                                              • C:\Program Files\Windows Sidebar\de-DE\cmd.exe
                                                                                "C:\Program Files\Windows Sidebar\de-DE\cmd.exe"
                                                                                22⤵
                                                                                • Executes dropped EXE
                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                PID:2712
                                                                                • C:\Windows\System32\cmd.exe
                                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9avng9MHpa.bat"
                                                                                  23⤵
                                                                                    PID:1736
                                                                                    • C:\Windows\system32\w32tm.exe
                                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                      24⤵
                                                                                        PID:2512
                                                                                      • C:\Program Files\Windows Sidebar\de-DE\cmd.exe
                                                                                        "C:\Program Files\Windows Sidebar\de-DE\cmd.exe"
                                                                                        24⤵
                                                                                        • Executes dropped EXE
                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                        PID:1672
                                                                                        • C:\Windows\System32\cmd.exe
                                                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AWL6wsGpK7.bat"
                                                                                          25⤵
                                                                                            PID:1968
                                                                                            • C:\Windows\system32\w32tm.exe
                                                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                              26⤵
                                                                                                PID:1556
                                                                                              • C:\Program Files\Windows Sidebar\de-DE\cmd.exe
                                                                                                "C:\Program Files\Windows Sidebar\de-DE\cmd.exe"
                                                                                                26⤵
                                                                                                • Executes dropped EXE
                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                PID:2756
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\smss.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2680
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\smss.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1236
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\smss.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2688
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\wininit.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2792
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\wininit.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2900
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\wininit.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2172
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\services.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2804
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\services.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2584
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\services.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2632
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Adobe\services.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2728
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\services.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2508
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\services.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2540
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files\Uninstall Information\lsass.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2976
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\lsass.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2980
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\lsass.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:852
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\taskhost.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1384
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\taskhost.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1148
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\taskhost.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1080
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Sidebar\de-DE\cmd.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1656
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\de-DE\cmd.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1344
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\de-DE\cmd.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1996
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Windows\Branding\ShellBrd\sppsvc.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1576
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Branding\ShellBrd\sppsvc.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2236
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Windows\Branding\ShellBrd\sppsvc.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1940
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\cmd.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1208
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\cmd.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2016
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\cmd.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2824
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\taskhost.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2672
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\taskhost.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2828
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\taskhost.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2868
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2536
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2860
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1008
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\cmd.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2760
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\cmd.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:596
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\cmd.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2156
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\Idle.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:272
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\Idle.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1168
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\Idle.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1232
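The persistence pattern above is uniform: every dropped copy gets a pair of tasks, one `/sc ONLOGON` and one `/sc MINUTE /mo N` (N between 6 and 14), most with `/rl HIGHEST`, and every target is a binary named after a Windows system process (lsass.exe, taskhost.exe, cmd.exe, sppsvc.exe, audiodg.exe, Idle.exe) living somewhere other than System32. The following Python is an added detection example, not part of the sandbox report or of any tool it references: it parses `schtasks /create` command lines and flags masquerading paths, high-frequency triggers and elevated run levels. The sample command lines are copied from the process list above; the expected-directory allowlist and the one benign control line are assumptions constructed for this example.

```python
"""Flag schtasks /create invocations that match DCRat-style persistence.

Added example, not part of the sandbox report. Sample lines are copied from
the report's process list; the benign control line and the allowlist of
expected directories are constructed assumptions for this example.
"""
import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath
from typing import List, Optional

# Names DCRat gave its dropped copies in this run. All but idle.exe are real
# Windows process names, so the name alone is not evidence; the location is.
# ASSUMPTION: on a real host build this allowlist from a clean image.
SYSTEM_PROCESS_NAMES = {"lsass.exe", "taskhost.exe", "cmd.exe",
                        "sppsvc.exe", "audiodg.exe", "idle.exe"}
EXPECTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

_OPTS = {
    "tn": re.compile(r'/tn\s+"([^"]*)"', re.I),
    "sc": re.compile(r"/sc\s+(\S+)", re.I),
    "mo": re.compile(r"/mo\s+(\d+)", re.I),
    "tr": re.compile(r'/tr\s+"([^"]*)"', re.I),
    "rl": re.compile(r"/rl\s+(\S+)", re.I),
}


@dataclass
class Task:
    name: str
    schedule: str
    modifier: Optional[int]
    target: str
    run_level: Optional[str]
    findings: List[str] = field(default_factory=list)


def parse_schtasks(cmdline: str) -> Optional[Task]:
    """Return a Task for a 'schtasks /create' command line, else None."""
    if not re.search(r"\bschtasks(?:\.exe)?\s+/create\b", cmdline, re.I):
        return None

    def opt(key: str) -> Optional[str]:
        m = _OPTS[key].search(cmdline)
        return m.group(1) if m else None

    # DCRat wraps the /tr path in single quotes inside the double quotes.
    target = (opt("tr") or "").strip().strip("'")
    mo = opt("mo")
    return Task(name=opt("tn") or "",
                schedule=(opt("sc") or "").upper(),
                modifier=int(mo) if mo else None,
                target=target,
                run_level=(opt("rl") or "").upper() or None)


def assess(task: Task) -> List[str]:
    """Attach and return the list of suspicious traits for one task."""
    findings: List[str] = []
    p = PureWindowsPath(task.target)
    name, parent = p.name.lower(), str(p.parent).lower()
    if name in SYSTEM_PROCESS_NAMES and parent not in EXPECTED_DIRS:
        findings.append(f"masquerade: {name} launched from {p.parent}")
    if task.schedule == "MINUTE" and (task.modifier or 0) <= 15:
        findings.append(f"high-frequency trigger: every {task.modifier} min")
    if task.run_level == "HIGHEST" and task.schedule in {"ONLOGON", "MINUTE"}:
        findings.append(f"elevated persistence: /rl HIGHEST with {task.schedule}")
    task.findings = findings
    return findings


def scan(cmdlines: List[str]) -> List[Task]:
    """Return only the parsed tasks that carry at least one finding."""
    hits = []
    for line in cmdlines:
        task = parse_schtasks(line)
        if task is not None and assess(task):
            hits.append(task)
    return hits


# First four lines copied from the report; the last is a constructed benign control.
SAMPLE_CMDLINES = [
    r'''schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\lsass.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\lsass.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\taskhost.exe'" /f''',
    r'''schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\Idle.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Windows\System32\robocopy.exe" /f''',
]

if __name__ == "__main__":
    for t in scan(SAMPLE_CMDLINES):
        print(f"[{t.name}] {t.target}")
        for f in t.findings:
            print("   -", f)
```

Feed it the `CommandLine` field of Sysmon Event ID 1 or Security 4688 records where the image is schtasks.exe; the same traits can also be checked against Event ID 4698 (task created) by reading the task XML's `<Command>` and `<Trigger>` elements instead of the command line.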

                                            Network

                                                  MITRE ATT&CK Enterprise v15

                                                  Downloads

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                    Filesize

                                                    342B

                                                    MD5

                                                    c4f914c75290a041619075ca35ffd925

                                                    SHA1

                                                    b62ef7e9813cf8b9accce29bb0c85cf8908b92d1

                                                    SHA256

                                                    5183671d3556fe363aff27775b0d3707db82870db43865c22a1a48772490bf3f

                                                    SHA512

                                                    28c1ae0d6367a03ce6cb215bc178a39b31a921e82e2805703f36ce7e26fde1b5efa13eacd29fed4666fd2dd1087a4c6bdee09dd520da966a27b11d623ad6ab23

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                    Filesize

                                                    342B

                                                    MD5

                                                    0e79f4c680a275dc1ac9b41fb8177174

                                                    SHA1

                                                    9dcc675d2da050cdcd06f1476e67264cff75324d

                                                    SHA256

                                                    c338dacd46090de2f8dabf830a3aa0d50d3f5908c9e1f5f37967ea3612e3318d

                                                    SHA512

                                                    c29d8bbac8f5cf5ba33ccfcfc413a45cff4c097cfa464b0f259c5e1b1cd34721ce2771995b3405d8eb862fa31520c3b4b02f3d21b064b9512673050c47605612

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                    Filesize

                                                    342B

                                                    MD5

                                                    67dc2114b279166dabc55693c1330cdb

                                                    SHA1

                                                    af06de2b9b4dac83e781d1d84e4f157a83793c3b

                                                    SHA256

                                                    2a6f03aa2b93f565353ed05f21693e3d51eeaa642605c183daf81dc9877aecb7

                                                    SHA512

                                                    c3d3fa912160a0648bf023ac734a0d0acd828374ffb3d8f9ed7663f1f1e9d0977b450533e440314f78b69d2a5c7066704e7b2761f667a1c3903bd5da2b4ecdde

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                    Filesize

                                                    342B

                                                    MD5

                                                    fd34ea5ed23eb6c1fbb1df00290ee0b4

                                                    SHA1

                                                    a9e19e7b0fc4b55df70de39d36c6e1eadb3fd772

                                                    SHA256

                                                    1df918b27fa5a21c8529d752c4c3b86b1db83a642b76725c3caf0e22af3e8967

                                                    SHA512

                                                    910ca5a6adcc6f22e9d3552cc82ead255631df654ca459b844ad64b6788a6dd15e0dddf5d2a72c1bcf78cef7014da9a80fe13baae20c3993cabc97f082f91fa9

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                    Filesize

                                                    342B

                                                    MD5

                                                    e18085bfb19f98b4079a7d61d6f73f89

                                                    SHA1

                                                    7b77c8178fde50ec92c9cb8758dfb280f74ac270

                                                    SHA256

                                                    e738dab4c00b7f159475a34e5319a3016c63d07a1f1dfad9b264935517f7d574

                                                    SHA512

                                                    fc11f17cfed6df63c8ca15122c787c63d84f955d4a21be9aecdbf1ebb7d1f70971db721fcb2b11ae1454bce0dbaf07af826b7a8ff7152b378655f62061f80d2a

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                    Filesize

                                                    342B

                                                    MD5

                                                    cd64487b2fec381d8e4fba7a23e5b260

                                                    SHA1

                                                    c1ee05326f3a6d5929f3164aef41fbbd95674092

                                                    SHA256

                                                    ce57c0687b3b59f56bec2417f1ef432b81a9bb414d19d1ac960f2286ef9859b5

                                                    SHA512

                                                    34d2e900d0c231a336962601cc3a33577786d9378ce4c6215e664facf76bbe2b35c399522320a66bfa8ccdd16ecf99a8989cb4b0b96d1777e7cd17862f5adda1

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                    Filesize

                                                    342B

                                                    MD5

                                                    ab7b371c532190e17ab1f3a7e6f92c2a

                                                    SHA1

                                                    7dadc1ebe1d521e8c6e47e8a7215f0a04a952ea8

                                                    SHA256

                                                    8db074f83eccd0b4ee91d63f4046f2759bb0e02dd09965afa06223ee333405be

                                                    SHA512

                                                    9ec895112d69b4f36631eca92d685fbd8d5c3b20872678eccfa138e70b4b579b7c9739e41098e55a621337ea5beeb4d8e088d8f788da2f4c437ffa8b6f271de3

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                    Filesize

                                                    342B

                                                    MD5

                                                    adea10789a6e26f1e09700a7769cecef

                                                    SHA1

                                                    6b579f5345b6fbcfc6a33cb4c928070c7ded74c2

                                                    SHA256

                                                    92ac9a06693476db7de9bab65168a9a6e689c3c5e6195089d258ebba109453f1

                                                    SHA512

                                                    3ace940b914fe09c36d9c392240f0bee7862d0ec248d41b8dec430c51610da36c6cff7f22549513440fe5113c38a083240467aa103b6ed13e5101a23c15785d2

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                    Filesize

                                                    342B

                                                    MD5

                                                    35928abca8d7be29b6746ed946a4e509

                                                    SHA1

                                                    9f64332731cc885189152f3d060a7a7e8c5a6856

                                                    SHA256

                                                    b44c2db2f6b0de7d0abd747099ce9228a68cae33f845ff07146088d2a7f05138

                                                    SHA512

                                                    2cefb6d336148acb24a17ab4df077a3bd78ebb99db021ef03a01966ddea2b853d7d8655fff6d94de6867ddb6d01554159fca3fd11f14f2a993d755188a4e443e

                                                  • C:\Users\Admin\AppData\Local\Temp\1CE969IshF.bat

                                                    Filesize

                                                    211B

                                                    MD5

                                                    cfefb0e720b98d318f3721a89b4e2aa1

                                                    SHA1

                                                    996a15003bc9eea3272e134d64e549169e7179c5

                                                    SHA256

                                                    4c5152dd862826606b4aebaed0434da0627c1973d8a567a4d5149361d2012dad

                                                    SHA512

                                                    6cf40d21c18cc10a6c793d862bf63c2170d05bf07df8609fce04911a62416418587f89e8105faf7667d60d55be140ce63873db10110dd8efa7d2681aca9bfe88

                                                  • C:\Users\Admin\AppData\Local\Temp\3zRe6kLImV.bat

                                                    Filesize

                                                    211B

                                                    MD5

                                                    bee8b25cb063c5971a6877e1aa348664

                                                    SHA1

                                                    94e8a7803d5e2bdc74b0b0f98140e43dbba79f7a

                                                    SHA256

                                                    2b91a594aa9fff6a36dc18de17c29aa708adffd231d4ce84846aa254dcd57148

                                                    SHA512

                                                    7d7b43c325bb3e663fca4cb506ca70e026ff9a3cab710f3f1737db4921b14739d4030f9546a9093d7c403ef02984785feac6b2cbd8425ddb98d38a8dbf39e197

                                                  • C:\Users\Admin\AppData\Local\Temp\8NcI1AeIbp.bat

                                                    Filesize

                                                    211B

                                                    MD5

                                                    9236b2a8385b9db43af193a7f22849b7

                                                    SHA1

                                                    0d9f67e3901fe89b7d89850ac00fd4012a76ddb1

                                                    SHA256

                                                    0a47f3677601987d482499d680e473f66823cb6b4eefc737144f886c127a905b

                                                    SHA512

                                                    7dd11807e7ec76b106347582673ff9a2e41e556f3acd5267a624ae8166dd166e89538c61c15acb77eaa3bb98f808288506fa79de233036444e398853feeb00f0

                                                  • C:\Users\Admin\AppData\Local\Temp\9avng9MHpa.bat

                                                    Filesize

                                                    211B

                                                    MD5

                                                    0b136734df40807bd1ab96fca2591ca7

                                                    SHA1

                                                    02db6995345e7786b56e93f5091eaacdcc53511a

                                                    SHA256

                                                    b8f1e3fe55575a0ee6a43c9097793ae372df5a12200b3a0be7a670da6b19040c

                                                    SHA512

                                                    8a73610140dd7dc2fd3e66ce27c3ded06720103e45f2adcf83e2d893dd6fa64f490e2ff079ed4f7592853cefc47a548516cf4e566bba336b35130d602b60bffe

                                                  • C:\Users\Admin\AppData\Local\Temp\AWL6wsGpK7.bat

                                                    Filesize

                                                    211B

                                                    MD5

                                                    101187cd8c7e13ce683c1c9375435d77

                                                    SHA1

                                                    9d446f7a81b588f4e59dc09dcd088fae10f0e1d7

                                                    SHA256

                                                    c0fd6b9caecd8853f541fbf56c01be6c8c7b3cb5d806d7a06becf66635ad5b24

                                                    SHA512

                                                    b25fa272a598b5348d9a17f662e84a012e05a93b7671ceb6977f7d01e9a0289968af47296f9372470d680d1d758309f5ff187ba389eaddec62e694efb1ce0b40

                                                  • C:\Users\Admin\AppData\Local\Temp\Cab3E9.tmp

                                                    Filesize

                                                    70KB

                                                    MD5

                                                    49aebf8cbd62d92ac215b2923fb1b9f5

                                                    SHA1

                                                    1723be06719828dda65ad804298d0431f6aff976

                                                    SHA256

                                                    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                                    SHA512

                                                    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                                  • C:\Users\Admin\AppData\Local\Temp\D5faDLbbQ0.bat

                                                    Filesize

                                                    211B

                                                    MD5

                                                    5c41b03c2f7c9df0d403f7556e812b7d

                                                    SHA1

                                                    947f2dc754ecc572afcc154749c99c7bc8aa49d6

                                                    SHA256

                                                    355ab0e16d8a88e0aab69392175fedcd9cb3d46a79a80a00c245fe988efa80b0

                                                    SHA512

                                                    ad4fecb775e108b0ac96d590803054ca9e1d08c7ee586b97260ab30aead62694276ee91360b326c14cedd9bb2b3d7a3608b18c1c5609c06f45aad452a0393111

                                                  • C:\Users\Admin\AppData\Local\Temp\MsSi1KDKJG.bat

                                                    Filesize

                                                    211B

                                                    MD5

                                                    8ae900b24a7c7d98018bb6ee0ad0590b

                                                    SHA1

                                                    59454deaecaa185748bb6943064bc8c92254fd9e

                                                    SHA256

                                                    00520e42bb4a00cf5fb9dd87b07bc1b3a73ef6ea69ea3d7f5c6567481170b4a7

                                                    SHA512

                                                    8d8c49cd96ae52d251b26aca52ff61043897d10269c5e8729f116db221072bd0beeaa7f2f9416436541fa796bc85f6d98fa77daed4b55f4d42e8183906203068

                                                  • C:\Users\Admin\AppData\Local\Temp\RnBkS9jGYw.bat

                                                    Filesize

                                                    211B

                                                    MD5

                                                    122e4beaa485f3ae8cc5da9178ca18ea

                                                    SHA1

                                                    de921c4f617183ac4623e01a8a39395e0acf5eee

                                                    SHA256

                                                    ff6180c70123625eaf02dca1f95be6d82dd0b8d52944a3c5c4c899026dae5480

                                                    SHA512

                                                    c4872bd5169d9a6f3db9dd0be77bb7f2ff74eaa321662956eae130d4a479f6dfc02a9e12da0923beed248144e6106943071d878fa466b60779fb41ea38b458ee

                                                  • C:\Users\Admin\AppData\Local\Temp\Tar40B.tmp

                                                    Filesize

                                                    181KB

                                                    MD5

                                                    4ea6026cf93ec6338144661bf1202cd1

                                                    SHA1

                                                    a1dec9044f750ad887935a01430bf49322fbdcb7

                                                    SHA256

                                                    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                                                    SHA512

                                                    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • C:\Users\Admin\AppData\Local\Temp\gWC6ojzqIZ.bat
    Filesize: 211B
    MD5: 40584d888cc1f2c8a25600eefc384dbf
    SHA1: cb596c9ac46b529232b6cd9582906b1a8949d234
    SHA256: 07318bcc2e1475334c93c11e33a5c46710c32a9eba0dc0a6a06bec5cb954c4f9
    SHA512: cb151664e93070796f1b0c944afbcbde67644dd38efa6d02f31228036a577d07f07b9a8a6937a0b79ecb064d48219c64cebfe83c2b16ddd6fe66ec2407f92529

  • C:\Users\Admin\AppData\Local\Temp\hbGxgnDDQj.bat
    Filesize: 211B
    MD5: 15373896f5db827b35caae17cac2363f
    SHA1: bd12d7dd08c2fddbd2df9cabd7dc251cbdfc7327
    SHA256: 08af8ce0cb61425b24dcf8ca6cf86c2f5e8ec6600bb259a0a79756ccda8a69c8
    SHA512: d26a76e166160aabfc151dc401e2b6e6abc0e16dd9355fc4c9f6858aaac6d4d576f99f7c5d8847fe3880ed15adcd6062e086a005dda0ca017fa5498cf06b6705

  • C:\Users\Admin\AppData\Local\Temp\rBMLF9HJtT.bat
    Filesize: 211B
    MD5: 4829de25a93da5b17854bfd5ae3b914f
    SHA1: 059791f4ffb534d8d18dc79a51b52613d5038210
    SHA256: be90b09f7666a1b1eeacd40c80ba5319aec1c2a1929b53e277a51da10e9cc5ae
    SHA512: 27606a10dc793209b3a60c53d009cdd860e0b8926ad45d8bc5abbaed2fa93bb2124867b1e5b37389f587bdf00fbd14d47f0adb027d73f2956f435b466cb1ab30

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize: 7KB
    MD5: 1670e058b6a6ecde7901908b7ccd7529
    SHA1: 69d42e02def541a93a674baba2d4747f207d890a
    SHA256: 6b4fa2e6e53a385c710314a2001c8f697a1766f9d9aa951ef1c2e0f93443ace6
    SHA512: 338429f8811567a9041f0d38ae4727361353bd07cacaaa46d685abe4b3ece2dcbc1e7b67fb2ad80c725d969f0886ace0a936b148349e5875a48c75f1f48521d4

  • C:\providercommon\1zu9dW.bat
    Filesize: 36B
    MD5: 6783c3ee07c7d151ceac57f1f9c8bed7
    SHA1: 17468f98f95bf504cc1f83c49e49a78526b3ea03
    SHA256: 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
    SHA512: c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

  • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
    Filesize: 197B
    MD5: 8088241160261560a02c84025d107592
    SHA1: 083121f7027557570994c9fc211df61730455bb5
    SHA256: 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
    SHA512: 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

  • \providercommon\DllCommonsvc.exe
    Filesize: 1.0MB
    MD5: bd31e94b4143c4ce49c17d3af46bcad0
    SHA1: f8c51ff3ff909531d9469d4ba1bbabae101853ff
    SHA256: b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
    SHA512: f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

  • memory/544-541-0x00000000002C0000-0x00000000002D2000-memory.dmp
    Filesize: 72KB

  • memory/884-123-0x00000000001D0000-0x00000000001E2000-memory.dmp
    Filesize: 72KB

  • memory/884-122-0x0000000000FE0000-0x00000000010F0000-memory.dmp
    Filesize: 1.1MB

  • memory/936-242-0x0000000000090000-0x00000000001A0000-memory.dmp
    Filesize: 1.1MB

  • memory/1460-16-0x00000000002D0000-0x00000000002DC000-memory.dmp
    Filesize: 48KB

  • memory/1460-17-0x0000000000500000-0x000000000050C000-memory.dmp
    Filesize: 48KB

  • memory/1460-15-0x00000000004F0000-0x00000000004FC000-memory.dmp
    Filesize: 48KB

  • memory/1460-14-0x0000000000240000-0x0000000000252000-memory.dmp
    Filesize: 72KB

  • memory/1460-13-0x00000000002E0000-0x00000000003F0000-memory.dmp
    Filesize: 1.1MB

  • memory/1540-59-0x0000000002060000-0x0000000002068000-memory.dmp
    Filesize: 32KB

  • memory/1540-58-0x000000001B4A0000-0x000000001B782000-memory.dmp
    Filesize: 2.9MB

  • memory/1800-481-0x00000000012C0000-0x00000000013D0000-memory.dmp
    Filesize: 1.1MB

  • memory/2420-362-0x0000000000D90000-0x0000000000EA0000-memory.dmp
    Filesize: 1.1MB

  • memory/2620-302-0x0000000000830000-0x0000000000940000-memory.dmp
    Filesize: 1.1MB

  • memory/2668-182-0x00000000003C0000-0x00000000003D2000-memory.dmp
    Filesize: 72KB