Analysis

  • max time kernel
    144s
  • max time network
    139s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    30/12/2024, 02:14

General

  • Target

    JaffaCakes118_b912e5b5486c7069718b52f0ed1a857a05f83f287f58205405d6bb77218642a0.exe

  • Size

    1.3MB

  • MD5

    d172aa4f6623dfe370b0786e38f92cfb

  • SHA1

    07a5666f84bb475c39bbea4dc6b849bbda567e01

  • SHA256

    b912e5b5486c7069718b52f0ed1a857a05f83f287f58205405d6bb77218642a0

  • SHA512

    ba85afedc2e7a4cd207f5a50572a72c31ae6fb37a639985670092d3037b5509e55e8227e32388be99ead828a2930b660574d6f62e16ff2f36130e555b9701900

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 36 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 8 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 14 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs
  • Drops file in Program Files directory 7 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious use of AdjustPrivilegeToken 28 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b912e5b5486c7069718b52f0ed1a857a05f83f287f58205405d6bb77218642a0.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b912e5b5486c7069718b52f0ed1a857a05f83f287f58205405d6bb77218642a0.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2092
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2856
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2352
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2772
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2452
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\cmd.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1972
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\services.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1976
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1632
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\NetHood\services.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2020
          • C:\providercommon\DllCommonsvc.exe
            "C:\providercommon\DllCommonsvc.exe"
            5⤵
            • Executes dropped EXE
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:568
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2864
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\winlogon.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2688
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\WmiPrvSE.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2596
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\services.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2876
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\explorer.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2616
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\TableTextService\dllhost.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2568
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\powershell.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2564
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Tasks\conhost.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2584
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\powershell.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2228
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oiLsI5McyI.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2888
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                  PID:1716
                • C:\Windows\Tasks\conhost.exe
                  "C:\Windows\Tasks\conhost.exe"
                  7⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:632
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\raSqT8qddO.bat"
                    8⤵
                      PID:2832
                      • C:\Windows\system32\w32tm.exe
                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                        9⤵
                          PID:2544
                        • C:\Windows\Tasks\conhost.exe
                          "C:\Windows\Tasks\conhost.exe"
                          9⤵
                          • Executes dropped EXE
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:888
                          • C:\Windows\System32\cmd.exe
                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jkzlbVqk90.bat"
                            10⤵
                              PID:756
                              • C:\Windows\system32\w32tm.exe
                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                11⤵
                                  PID:1576
                                • C:\Windows\Tasks\conhost.exe
                                  "C:\Windows\Tasks\conhost.exe"
                                  11⤵
                                  • Executes dropped EXE
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:2820
                                  • C:\Windows\System32\cmd.exe
                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\z7AIE64VZ5.bat"
                                    12⤵
                                      PID:2732
                                      • C:\Windows\system32\w32tm.exe
                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                        13⤵
                                          PID:908
                                        • C:\Windows\Tasks\conhost.exe
                                          "C:\Windows\Tasks\conhost.exe"
                                          13⤵
                                          • Executes dropped EXE
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:2740
                                          • C:\Windows\System32\cmd.exe
                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\76lQa6YaxV.bat"
                                            14⤵
                                              PID:1748
                                              • C:\Windows\system32\w32tm.exe
                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                15⤵
                                                  PID:1872
                                                • C:\Windows\Tasks\conhost.exe
                                                  "C:\Windows\Tasks\conhost.exe"
                                                  15⤵
                                                  • Executes dropped EXE
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:496
                                                  • C:\Windows\System32\cmd.exe
                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QqrgVo7Q94.bat"
                                                    16⤵
                                                      PID:1148
                                                      • C:\Windows\system32\w32tm.exe
                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                        17⤵
                                                          PID:2176
                                                        • C:\Windows\Tasks\conhost.exe
                                                          "C:\Windows\Tasks\conhost.exe"
                                                          17⤵
                                                          • Executes dropped EXE
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:2060
                                                          • C:\Windows\System32\cmd.exe
                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F82V1kRox2.bat"
                                                            18⤵
                                                              PID:2868
                                                              • C:\Windows\system32\w32tm.exe
                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                19⤵
                                                                  PID:2756
                                                                • C:\Windows\Tasks\conhost.exe
                                                                  "C:\Windows\Tasks\conhost.exe"
                                                                  19⤵
                                                                  • Executes dropped EXE
                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:2448
                                                                  • C:\Windows\System32\cmd.exe
                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LabqbH8bfv.bat"
                                                                    20⤵
                                                                      PID:2492
                                                                      • C:\Windows\system32\w32tm.exe
                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                        21⤵
                                                                          PID:2396
                                                                        • C:\Windows\Tasks\conhost.exe
                                                                          "C:\Windows\Tasks\conhost.exe"
                                                                          21⤵
                                                                          • Executes dropped EXE
                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          PID:2188
                                                                          • C:\Windows\System32\cmd.exe
                                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2wrSnsL5gc.bat"
                                                                            22⤵
                                                                              PID:2388
                                                                              • C:\Windows\system32\w32tm.exe
                                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                23⤵
                                                                                  PID:1920
                                                                                • C:\Windows\Tasks\conhost.exe
                                                                                  "C:\Windows\Tasks\conhost.exe"
                                                                                  23⤵
                                                                                  • Executes dropped EXE
                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                  PID:2336
                                                                                  • C:\Windows\System32\cmd.exe
                                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WtQmBjXbDh.bat"
                                                                                    24⤵
                                                                                      PID:752
                                                                                      • C:\Windows\system32\w32tm.exe
                                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                        25⤵
                                                                                          PID:1692
                                                                                        • C:\Windows\Tasks\conhost.exe
                                                                                          "C:\Windows\Tasks\conhost.exe"
                                                                                          25⤵
                                                                                          • Executes dropped EXE
                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:3000
                                                                                          • C:\Windows\System32\cmd.exe
                                                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D6YKtyItKL.bat"
                                                                                            26⤵
                                                                                              PID:776
                                                                                              • C:\Windows\system32\w32tm.exe
                                                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                27⤵
                                                                                                  PID:1440
                                                                                                • C:\Windows\Tasks\conhost.exe
                                                                                                  "C:\Windows\Tasks\conhost.exe"
                                                                                                  27⤵
                                                                                                  • Executes dropped EXE
                                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                  PID:2084
                                                                                                  • C:\Windows\System32\cmd.exe
                                                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eTpA0L9dlX.bat"
                                                                                                    28⤵
                                                                                                      PID:624
                                                                                                      • C:\Windows\system32\w32tm.exe
                                                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                        29⤵
                                                                                                          PID:976
                                                                                                        • C:\Windows\Tasks\conhost.exe
                                                                                                          "C:\Windows\Tasks\conhost.exe"
                                                                                                          29⤵
                                                                                                          • Executes dropped EXE
                                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                          PID:1992
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Media Player\cmd.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2108
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\cmd.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1920
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Media Player\cmd.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2024
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\services.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1152
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1856
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2868
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\providercommon\lsm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2248
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2556
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1740
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Users\Default\NetHood\services.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:576
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default\NetHood\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2640
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Users\Default\NetHood\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1660
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\winlogon.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:928
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:624
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1528
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\WmiPrvSE.exe'" /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:2308
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\WmiPrvSE.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:1700
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\WmiPrvSE.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:1704
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\services.exe'" /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:1672
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\services.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:3040
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\services.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:1640
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\explorer.exe'" /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:3008
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\explorer.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:1936
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\explorer.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:1736
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\dllhost.exe'" /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:2268
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\dllhost.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:980
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\dllhost.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:1008
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\powershell.exe'" /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:880
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\powershell.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:1444
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\powershell.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:3052
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Windows\Tasks\conhost.exe'" /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:2716
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\Tasks\conhost.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:1580
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Windows\Tasks\conhost.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:2676
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 11 /tr "'C:\Program Files\7-Zip\powershell.exe'" /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:2848
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files\7-Zip\powershell.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:2820
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 14 /tr "'C:\Program Files\7-Zip\powershell.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:2904
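The 28 schtasks.exe invocations above follow one template per dropped binary: a task named after the executable plus the executable's own first letter (lsm → lsml, services → servicess, WmiPrvSE → WmiPrvSEW) re-run every 5 to 14 minutes, a second task with the bare name that fires ONLOGON at /rl HIGHEST, and all of them created with /f so an existing task of that name is silently overwritten. The Python below is an added example, not code from the sandbox report or from DCRat itself: it parses command lines of that shape and scores each target binary on three separate signals. The sample lines are copied from the report; the LEGIT_HOMES table (where explorer.exe, WmiPrvSE.exe, powershell.exe and the other names genuinely live), the benign control line and the scoring rules are assumptions made for this demonstration.

```python
"""Score schtasks.exe /create lines for DCRat-style persistence.

Added example: not code from the sandbox report or from DCRat itself. The
sample lines are copied from the report; LEGIT_HOMES, the benign control line
and the scoring rules are assumptions made for this demonstration.
"""
import ntpath
import re
from collections import defaultdict

# Assumed baseline: where Windows really keeps binaries with these names.
# Directories are compared exactly, case-insensitively.
LEGIT_HOMES = {
    "explorer": {r"c:\windows"},
    "wmiprvse": {r"c:\windows\system32\wbem", r"c:\windows\syswow64\wbem"},
    "powershell": {r"c:\windows\system32\windowspowershell\v1.0",
                   r"c:\windows\syswow64\windowspowershell\v1.0"},
}
DEFAULT_HOMES = {r"c:\windows\system32", r"c:\windows\syswow64"}
SYSTEM_NAMES = {"lsm", "services", "winlogon", "wmiprvse", "explorer",
                "dllhost", "powershell", "conhost", "csrss", "svchost", "lsass"}

TN_RE = re.compile(r'/tn\s+"([^"]+)"', re.I)
SC_RE = re.compile(r"/sc\s+(\S+)", re.I)
MO_RE = re.compile(r"/mo\s+(\d+)", re.I)
TR_RE = re.compile(r'''/tr\s+"'?([^"']+)'?"''', re.I)   # strips the "'...'" wrapper
RL_RE = re.compile(r"/rl\s+HIGHEST", re.I)
F_RE = re.compile(r"(?:^|\s)/f(?:\s|$)", re.I)

# Constructed input: ten command lines copied from the report plus one
# ordinary backup task (constructed, not from the report) as a control.
SAMPLE_LINES = [
    r"""schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Users\Default\NetHood\services.exe'" /f""",
    r"""schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default\NetHood\services.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Users\Default\NetHood\services.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\WmiPrvSE.exe'" /f""",
    r"""schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\WmiPrvSE.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\WmiPrvSE.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 11 /tr "'C:\Program Files\7-Zip\powershell.exe'" /f""",
    r"""schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files\7-Zip\powershell.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 14 /tr "'C:\Program Files\7-Zip\powershell.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "NightlyBackup" /tr "C:\Tools\backup.exe" /sc DAILY /st 02:00""",
]


def parse_task(line):
    """Extract the fields the detector needs from one schtasks /create line."""
    tn, tr = TN_RE.search(line), TR_RE.search(line)
    if not tn or not tr:
        return None
    sc, mo = SC_RE.search(line), MO_RE.search(line)
    return {
        "name": tn.group(1),
        "target": tr.group(1),
        "schedule": sc.group(1).upper() if sc else "",
        "interval": int(mo.group(1)) if mo else None,
        "highest": bool(RL_RE.search(line)),
        "force": bool(F_RE.search(line)),
    }


def assess(lines):
    """Group tasks by target binary; return {target: [reasons]} for flagged ones."""
    groups = defaultdict(list)
    for line in lines:
        task = parse_task(line)
        if task:
            groups[task["target"]].append(task)
    findings = {}
    for target, tasks in groups.items():
        stem = ntpath.splitext(ntpath.basename(target))[0].lower()
        home = ntpath.dirname(target).lower()
        names = {t["name"].lower() for t in tasks}
        reasons = []
        # 1. A core Windows binary name dropped outside its real directory.
        if stem in SYSTEM_NAMES and home not in LEGIT_HOMES.get(stem, DEFAULT_HOMES):
            reasons.append("masquerade: %s.exe outside its system directory" % stem)
        # 2. DCRat naming: a task called <stem><first letter> (lsm -> lsml).
        if stem and stem + stem[0] in names:
            reasons.append("dcrat-naming: task %r" % (stem + stem[0]))
        # 3. DCRat triple: an ONLOGON task plus repeated MINUTE tasks, all
        #    created with /f, at least one at the HIGHEST run level.
        scheds = [t["schedule"] for t in tasks]
        if ("ONLOGON" in scheds and scheds.count("MINUTE") >= 2
                and all(t["force"] for t in tasks)
                and any(t["highest"] for t in tasks)):
            every = "/".join(str(t["interval"]) for t in tasks if t["interval"])
            reasons.append("dcrat-triple: %d tasks, every %s min and at logon"
                           % (len(tasks), every))
        if reasons:
            findings[target] = reasons
    return findings


if __name__ == "__main__":
    for target, reasons in assess(SAMPLE_LINES).items():
        print(target)
        for reason in reasons:
            print("   -", reason)
```

In a live triage the input would come from `schtasks /query /v /fo csv` or from process-creation telemetry rather than the constructed list. The three signals are reported separately on purpose: this excerpt shows only one task for C:\providercommon\lsm.exe, so the triple rule stays quiet for that target while the masquerade and naming rules still fire, and a defender tuning the detector should extend LEGIT_HOMES rather than loosen the naming rule.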

                                                Network

                                                      MITRE ATT&CK Enterprise v15

                                                      Downloads

                                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                                        Filesize 342B
                                                        MD5 ac29dc62974a46408792a93072a9aabb
                                                        SHA1 a754a4813af95c1b516eaf9dbed52602d226fc0b
                                                        SHA256 6d177c3ba044182f4042b70096501b8b29df2bc1658f37483dbbdc0f09825f72
                                                        SHA512 ff1edb2cab366c77c1d85613b1cbfe74567efbb77c6dad9ab0a4892082b2702d7ba38db4220d57ce3a625ed804eb7ae42902ef89275872b758a33c03bc59ad33

                                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                                        Filesize 342B
                                                        MD5 639054c03c7669c50e4a0d867b225282
                                                        SHA1 270a5a0c7b8904516db7b84afc023318f0c37c80
                                                        SHA256 9e8d1e168631b37a78a7f6c423e10cfbe9532655f8503d4d6b99ee5842e2073f
                                                        SHA512 1a26b5469200c8090f18809e0668e104dbfe9d21f0f7d0e803f708ff8f356533ed863c92f0d06add63373b900e8a2479005f08a3d88d07d55a1775ef99e708f7

                                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                                        Filesize 342B
                                                        MD5 47654a8493fefb428f52abda6d74afa0
                                                        SHA1 74b971640afa857207ab0a0d2634188811d0c0a9
                                                        SHA256 563dea0cafcb0b533047f872ea3e6c7650d2a754831f6346aa1d9282e3d26b61
                                                        SHA512 b0b6f90dced5382b02be5fa7dbc0acd674ede43d4e23c87d663ba52a2800b3306edb7895cf6f9d73d373cb1dc89e878be681771e7249ece66fcffa25764187cc

                                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                                        Filesize 342B
                                                        MD5 8a71ebcae2f4958c7b1316379d647899
                                                        SHA1 b14bcebd07556b89c22d1848572fce72307a3f37
                                                        SHA256 97b2e636738b891e875c75fa94b44f7be5b1504acf216a9187127cc45bd73586
                                                        SHA512 6ef034aa3df95a98c0b25662d6ae2f3cc11438164bdcf36fc44f4b91066b79bbee15390235363e8f36592cb189b662c4a69b8e37f38429b1f71aba4599d92567

                                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                                        Filesize 342B
                                                        MD5 cc75d7f89ec50b1b30710b9df99b93ce
                                                        SHA1 5e7a310a415e5a731b2ae39203bfcea5b9a7f806
                                                        SHA256 d2dbd376f477913cdb3b768270bc2b5f803de6e0ef8382d6324e76550dd647a9
                                                        SHA512 ab8cecbd8e48de0c5e49561fadd242e0c5094fc8fa46ba76b08e3a3ac4fc96da8814ec8c40b89bb65576ae5d94f1d1cef69fe3c565df6d75d43dd22ceb2a4ef0

                                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                                        Filesize 342B
                                                        MD5 4cada96f2f2530384cd9d9ea099389b5
                                                        SHA1 845d7517b7676243cd0f46e0a58f4c7174a67f6a
                                                        SHA256 8dfb21fafe863caba77e1bbbb25de2cf6038bac7496009ff80fe726b21990847
                                                        SHA512 b96815fe84987bf3e9a56d51470b0e891bb35819b725633858fd57ab562004eff2b0f2a31e000cc014d3154e685cc9e53b8c766a637f706047404859764392a9

                                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                                        Filesize 342B
                                                        MD5 dc8b714c3cdb7ebb8821466d510a4f83
                                                        SHA1 e15ede3bb0fa1c9ff275accd641fd378a376bb8c
                                                        SHA256 9f4265e2678258e9f527d1a20dfd06705c2f494df00f329278c9ee6d122cea4c
                                                        SHA512 2caa00d23048b564236ff2ee65dbaa3a374d71ae9e804f6c9dd43b2d3104d2b7a13f4f49665a57fea36ed60f9d893ae1bdd1e4ba0e5bf561365b0a5b0248d31c

                                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                                        Filesize 342B
                                                        MD5 46f5eea86880bfc6bc71852be1b7a0fe
                                                        SHA1 4b824d2886f5c0734d683b16967e7101c85686f8
                                                        SHA256 578a0cea70e6524dab39695546f872d818a45371819726413b3d68d807d1e913
                                                        SHA512 689a943b8d188184366f4c0378ea13824b8989c5ee545eaf861e325ba3033136dab407c670b6826f1a72a8e72d4ecabd172d78d4c46cbacf11efcaa78e81d871

                                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                                        Filesize 342B
                                                        MD5 61ea5ee42951de8340d5c5859bf72e35
                                                        SHA1 6e19f9256bb476d8ebc3af479060bc4f2c198921
                                                        SHA256 c76feb2330c1f12274e516e1954727e200404ee67e8e3d9b75e6fe8e5cd6b2a1
                                                        SHA512 57ee5c4dc1955a172ff4f36e0af241d96e295e00e902245b5de06f31708d1a40c0e5467cc75e064c74ec262c931fe5ca54901b1e4d155a5217296fd42eea9ed5

                                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                                        Filesize 342B
                                                        MD5 c74ea9a31c44d1ed2fbef985724b1564
                                                        SHA1 36d3e584f7b33a1f7fcbf38590d85e00db06d099
                                                        SHA256 84fab8c8d2d1f33b2e0b137010a1756c4adf51ad512f3c65201cb549f1b6970f
                                                        SHA512 4d4fc13e2785e1209f3928c8479ba9362b8cd198df1b0384eda0d3a6be05079828c9208d9e092358c5f669f10314c1448e92d91f1909ceb6f16b058e73e3d648

                                                      • C:\Users\Admin\AppData\Local\Temp\2wrSnsL5gc.bat
                                                        Filesize 193B
                                                        MD5 c29658f77cf4c9a90c8386f44e134043
                                                        SHA1 31448b35337beec91241fb2dffa450ff24ae98c0
                                                        SHA256 cafcc0762edcb04f3050e857c1d4f07ae150a68fdc7e864bb3f50786a2b805de
                                                        SHA512 c76bd80d4db1be4f654ea48f588b91ed008ae4c1c7cc98a82208d236639c6926c7a6c00b1fe4a1eb7dba9a3431b8fa1e07b0ea6213b56f7bb9ba51da42f6b567

                                                      • C:\Users\Admin\AppData\Local\Temp\76lQa6YaxV.bat
                                                        Filesize 193B
                                                        MD5 28ce71b4715cd8f1be0a6942690d06f9
                                                        SHA1 2513b8925d78e53ebafa8b9c305f8a996d1cd4cc
                                                        SHA256 4b8d3a2e063a44935a5f8ecdec8d2de22cea8c5458ecf8c155916b4bba2ab7b2
                                                        SHA512 354fddb5c290b4c6dc39b79d53ee52abe915672993cac00f2aa0fdb22fd298d9b368756d6d0e8151c688d3704082fe3339b9a6666bb2f81d2e299dbe4fc86eb3

                                                      • C:\Users\Admin\AppData\Local\Temp\Cab5EF4.tmp
                                                        Filesize 70KB
                                                        MD5 49aebf8cbd62d92ac215b2923fb1b9f5
                                                        SHA1 1723be06719828dda65ad804298d0431f6aff976
                                                        SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
                                                        SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                                      • C:\Users\Admin\AppData\Local\Temp\D6YKtyItKL.bat
                                                        Filesize 193B
                                                        MD5 d524cc415175928398a6e342ea6bf986
                                                        SHA1 48875f684c655bbd45d885f482cdcde1b412d2c3
                                                        SHA256 cecd87a77dabd38216695b67ebae4ec3bc3d4f77cf2ac3ecdfefc169de71a15e
                                                        SHA512 edfeac2b4cdae37847ad326d364e9a0039c94778371537d6f2f7a2af854b52819e133a9bac9a46739cb9c64173dca6bf2012562fb1fc9b3b14a496287bc514b0

                                                      • C:\Users\Admin\AppData\Local\Temp\F82V1kRox2.bat
                                                        Filesize 193B
                                                        MD5 617a257eeffb794f24bcc0289bb18721
                                                        SHA1 e6ab3580e863e2ad680f6018efe189d2d4dd1d66
                                                        SHA256 73476f563577581655fae373fedcc260428f3820bf0e439053cecde2f3fc2968
                                                        SHA512 c1332aa48c7056ea34ee8f70dda9aedb42cdb34cd7ae4f9ef839dcd92839b96aca93718183434267a9f2f5285d0496ddee1764a21bbdd8d1585c3a681ee258f0

                                                      • C:\Users\Admin\AppData\Local\Temp\LabqbH8bfv.bat
                                                        Filesize 193B
                                                        MD5 10fce3327ccc45097f0d82e4b7d6ac39
                                                        SHA1 d538508dd88535e176d4156f947c692969c28c81
                                                        SHA256 ab8054c73503e2fcf2f5d8477da117886a2556b98a3dbf8f024f9997fadca8d7
                                                        SHA512 1d27d6b083dce8e1b13505fbaceabe62f52f4c26d1dd4a90a475e8d685bdab7f56a747490a0a9eb28cde22f9aa81c5bc0b0dd005817d56b65ed881589f6e1623

                                                      • C:\Users\Admin\AppData\Local\Temp\QqrgVo7Q94.bat
                                                        Filesize 193B
                                                        MD5 1c9ce1144777c4b5c4e2a3b6f1f67e70
                                                        SHA1 81430a656b4b542989705fdcc44da3d9670a9fd4
                                                        SHA256 f15e295c8d06b8bad7575df8342e66b10d003600078bf35f01161ade93daa972
                                                        SHA512 a90b1f437480c15434009ebd149f2100b34749bc589188b8d69d6efa8d810fa79cc763c88b946ecb99b574f6b48eb26bb127f0e97abc62ddf506f9b0710283fb

                                                      • C:\Users\Admin\AppData\Local\Temp\Tar5F06.tmp
                                                        Filesize 181KB
                                                        MD5 4ea6026cf93ec6338144661bf1202cd1
                                                        SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
                                                        SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
                                                        SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                                      • C:\Users\Admin\AppData\Local\Temp\WtQmBjXbDh.bat
                                                        Filesize 193B
                                                        MD5 98af29fab26806fbbe82f375a164ef86
                                                        SHA1 5eaa9bb1a72768ecee367a71189344cec2b7be97
                                                        SHA256 197598a944d1ed1cc1926ec2c0226abc70853d8e7e5fe0a096fee387bab289fb
                                                        SHA512 76b4742bcf3817a373465514192cd7e109d0616c3841aa48af484b56c8accd1c300823330f71a929e6e1a2b914e6ad6e7910b2a703414dad29bdca93c1ef1ee0

                                                      • C:\Users\Admin\AppData\Local\Temp\eTpA0L9dlX.bat
                                                        Filesize 193B
                                                        MD5 b548a44a1bf5c7b5916b4d069da0184f
                                                        SHA1 4065267d7046352497ed4ac87a00a1cfd8769197
                                                        SHA256 78eacfb90de18b4ad0cadff72243e981b2f9aea2752b799e4cff3d0149e11f8c
                                                        SHA512 f7f0f078940e695aaa071aef0f59e3a59bcbaaa01afdb3c2d54581c04f41d6b340d6de9bba61483c55835578a70c305f276aeed9b193d0bf48bd7431123eff3b

                                                      • C:\Users\Admin\AppData\Local\Temp\jkzlbVqk90.bat
                                                        Filesize

                                                        193B

                                                        MD5

                                                        3694d19fae04894cc44849d5dd5298a6

                                                        SHA1

                                                        85f647105984bf9cac0b279052b00e5ba380a7fb

                                                        SHA256

                                                        12533a9ee649e8cf3e5b84ad79eab0addcebe53dc0fe85a38e53d2ca54e33771

                                                        SHA512

                                                        88501706dabd2646df9219c90f9730046f5e16540ba999acdcb81eed373440911056f3fcfcaa7d85bd2770061ff5f4ade94ba56371f98aa6c9c465d870c926d7

                                                      • C:\Users\Admin\AppData\Local\Temp\oiLsI5McyI.bat

                                                        Filesize

                                                        193B

                                                        MD5

                                                        16d3cdf819fb382f6c683381076724f8

                                                        SHA1

                                                        9f47aae25e4ed10d823f92c1b0779c23de0415da

                                                        SHA256

                                                        56892492b289b0a3237d54cfdccf4f142e077b8eaf4e8560ce0e9cc34a755de8

                                                        SHA512

                                                        86ac754c78b07e79b2bf2ef1e8d5d2575c3783eb19f023fa8569c5eb80c3b71b34e41e53adb50c4d89cdd4f1a1595a13ec4f1ab2bbf598a952fb69eaf2aec011

                                                      • C:\Users\Admin\AppData\Local\Temp\raSqT8qddO.bat

                                                        Filesize

                                                        193B

                                                        MD5

                                                        02b1b942132f258a8009c011fd791dcd

                                                        SHA1

                                                        24383b36a1598d420aa90a197b653104950e1303

                                                        SHA256

                                                        830280d38ee2ba72e77cb2f53fd73b7117b9cd008f6e04c3b9920563199ce248

                                                        SHA512

                                                        ccf1177d6d5d82727dee2718014f9055f151e9aa91b47975f1fa5c9c9c6e9c1a8770cf4cbdae84b5581413bd1c18153e8e6add1e0c1356a2bdd9a83ccbd4f07f

                                                      • C:\Users\Admin\AppData\Local\Temp\z7AIE64VZ5.bat

                                                        Filesize

                                                        193B

                                                        MD5

                                                        affd190a4bb81353cdb1c5806cc384d0

                                                        SHA1

                                                        cc6dea4abb949196b18778e08abae6aee970639c

                                                        SHA256

                                                        6a29dcbac2b4cb31acbaa9ba369667c0f5e1ad4afbbbf5db2662789acd96e70f

                                                        SHA512

                                                        cdae6ddcd8e5d9e7bb3b0df19f788c98301e1abe8f82ceefd86a55712042bf10dab9deb4eea44512ae41b7f534ce460da81ad384220a69bb2bd78d055e05e789

                                                      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                                        Filesize

                                                        7KB

                                                        MD5

                                                        84c43e122c93dd25ec69d138c0fa5605

                                                        SHA1

                                                        56d44cf56a7efa1dc8cd4d4eea11c85f2441a88d

                                                        SHA256

                                                        1df1215850a195be32d0c76ac2df5eab071a08b5e408bc5fabad89f191a292c9

                                                        SHA512

                                                        1047f54c9218020fff38990f8a54ca8b14ddb9387060250fd5d1701ff8f2c8b191a06620195ee40a733cecd2f8e4c92cbc4fb9f6f52e8f999fa90789db5bf07b

                                                      • C:\providercommon\1zu9dW.bat

                                                        Filesize

                                                        36B

                                                        MD5

                                                        6783c3ee07c7d151ceac57f1f9c8bed7

                                                        SHA1

                                                        17468f98f95bf504cc1f83c49e49a78526b3ea03

                                                        SHA256

                                                        8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

                                                        SHA512

                                                        c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                                      • C:\providercommon\DllCommonsvc.exe

                                                        Filesize

                                                        1.0MB

                                                        MD5

                                                        bd31e94b4143c4ce49c17d3af46bcad0

                                                        SHA1

                                                        f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                                        SHA256

                                                        b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                                        SHA512

                                                        f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                                      • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                                        Filesize

                                                        197B

                                                        MD5

                                                        8088241160261560a02c84025d107592

                                                        SHA1

                                                        083121f7027557570994c9fc211df61730455bb5

                                                        SHA256

                                                        2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

                                                        SHA512

                                                        20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

• memory/632-123-0x0000000000E10000-0x0000000000F20000-memory.dmp
  Filesize: 1.1MB

• memory/888-182-0x0000000000260000-0x0000000000370000-memory.dmp
  Filesize: 1.1MB

• memory/1976-37-0x000000001B4E0000-0x000000001B7C2000-memory.dmp
  Filesize: 2.9MB

• memory/1976-43-0x00000000023D0000-0x00000000023D8000-memory.dmp
  Filesize: 32KB

• memory/1992-781-0x0000000000360000-0x0000000000470000-memory.dmp
  Filesize: 1.1MB

• memory/2060-422-0x0000000000250000-0x0000000000262000-memory.dmp
  Filesize: 72KB

• memory/2084-721-0x00000000000F0000-0x0000000000200000-memory.dmp
  Filesize: 1.1MB

• memory/2188-542-0x0000000000250000-0x0000000000262000-memory.dmp
  Filesize: 72KB

• memory/2448-482-0x0000000000680000-0x0000000000692000-memory.dmp
  Filesize: 72KB

• memory/2568-89-0x0000000001FC0000-0x0000000001FC8000-memory.dmp
  Filesize: 32KB

• memory/2568-84-0x000000001B760000-0x000000001BA42000-memory.dmp
  Filesize: 2.9MB

• memory/2740-303-0x00000000003D0000-0x00000000003E2000-memory.dmp
  Filesize: 72KB

• memory/2740-302-0x00000000012F0000-0x0000000001400000-memory.dmp
  Filesize: 1.1MB

• memory/2772-17-0x00000000003F0000-0x00000000003FC000-memory.dmp
  Filesize: 48KB

• memory/2772-16-0x0000000000250000-0x000000000025C000-memory.dmp
  Filesize: 48KB

• memory/2772-15-0x0000000000260000-0x000000000026C000-memory.dmp
  Filesize: 48KB

• memory/2772-14-0x0000000000240000-0x0000000000252000-memory.dmp
  Filesize: 72KB

• memory/2772-13-0x0000000000F30000-0x0000000001040000-memory.dmp
  Filesize: 1.1MB

• memory/2820-242-0x0000000000920000-0x0000000000A30000-memory.dmp
  Filesize: 1.1MB

• memory/3000-661-0x0000000000450000-0x0000000000462000-memory.dmp
  Filesize: 72KB