Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    30/12/2024, 02:27

General

  • Target

    JaffaCakes118_8248988f35d97b2964fa00970ddc547e790395e2b488480e6b08e786c4aa253b.exe

  • Size

    1.3MB

  • MD5

    38d39854f8a1e1c7ef7db77aed9b1207

  • SHA1

    4199a20f478c8e09de4356d125c0b86e7cfbfbf9

  • SHA256

    8248988f35d97b2964fa00970ddc547e790395e2b488480e6b08e786c4aa253b

  • SHA512

    300c3bca2e2b5d623f7ef50c00c4818e0343c85463e203d8713a2a5bbc309f8c2a697fd45c62b50d86d77c2cdd48cda3984233536c58078807a200ffa9d58253

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 51 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 12 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 32 IoCs
  • Suspicious use of AdjustPrivilegeToken 30 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8248988f35d97b2964fa00970ddc547e790395e2b488480e6b08e786c4aa253b.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8248988f35d97b2964fa00970ddc547e790395e2b488480e6b08e786c4aa253b.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2780
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2676
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2820
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2760
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3028
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2756
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1696
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\conhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1500
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\sppsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2540
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ShellNew\OSPPSVC.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2496
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\lua\taskhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2604
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2748
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\spoolsv.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2808
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\spoolsv.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2608
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\AppPatch\de-DE\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2616
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PLA\Reports\it-IT\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2008
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\spoolsv.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1384
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Videos\lsm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2164
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2124
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2668
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2304
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\taskhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1048
          • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe
            "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2984
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MpmmxgpAh8.bat"
              6⤵
                PID:1792
                • C:\Windows\system32\w32tm.exe
                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                  7⤵
                    PID:2708
                  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe
                    "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe"
                    7⤵
                    • Executes dropped EXE
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1940
                    • C:\Windows\System32\cmd.exe
                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RBIFf9IaIr.bat"
                      8⤵
                        PID:1996
                        • C:\Windows\system32\w32tm.exe
                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                          9⤵
                            PID:1732
                          • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe
                            "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe"
                            9⤵
                            • Executes dropped EXE
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1980
                            • C:\Windows\System32\cmd.exe
                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ys2Wc5gw2w.bat"
                              10⤵
                                PID:2568
                                • C:\Windows\system32\w32tm.exe
                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                  11⤵
                                    PID:2432
                                  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe
                                    "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe"
                                    11⤵
                                    • Executes dropped EXE
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:2784
                                    • C:\Windows\System32\cmd.exe
                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\v65NgynF79.bat"
                                      12⤵
                                        PID:3028
                                        • C:\Windows\system32\w32tm.exe
                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                          13⤵
                                            PID:2036
                                          • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe
                                            "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe"
                                            13⤵
                                            • Executes dropped EXE
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:2440
                                            • C:\Windows\System32\cmd.exe
                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Jk1vLt9ke4.bat"
                                              14⤵
                                                PID:1656
                                                • C:\Windows\system32\w32tm.exe
                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                  15⤵
                                                    PID:1956
                                                  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe
                                                    "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe"
                                                    15⤵
                                                    • Executes dropped EXE
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:2952
                                                    • C:\Windows\System32\cmd.exe
                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\USq6qxpMr5.bat"
                                                      16⤵
                                                        PID:1416
                                                        • C:\Windows\system32\w32tm.exe
                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                          17⤵
                                                            PID:1688
                                                          • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe
                                                            "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe"
                                                            17⤵
                                                            • Executes dropped EXE
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:2584
                                                            • C:\Windows\System32\cmd.exe
                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\djCrJd6RmA.bat"
                                                              18⤵
                                                                PID:2300
                                                                • C:\Windows\system32\w32tm.exe
                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                  19⤵
                                                                    PID:772
                                                                  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe
                                                                    "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe"
                                                                    19⤵
                                                                    • Executes dropped EXE
                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    PID:1604
                                                                    • C:\Windows\System32\cmd.exe
                                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kUVpzpaF2i.bat"
                                                                      20⤵
                                                                        PID:2072
                                                                        • C:\Windows\system32\w32tm.exe
                                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                          21⤵
                                                                            PID:2240
                                                                          • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe
                                                                            "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe"
                                                                            21⤵
                                                                            • Executes dropped EXE
                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:872
                                                                            • C:\Windows\System32\cmd.exe
                                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xHU7fKnwSZ.bat"
                                                                              22⤵
                                                                                PID:2648
                                                                                • C:\Windows\system32\w32tm.exe
                                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                  23⤵
                                                                                    PID:2776
                                                                                  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe
                                                                                    "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe"
                                                                                    23⤵
                                                                                    • Executes dropped EXE
                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                    PID:2272
                                                                                    • C:\Windows\System32\cmd.exe
                                                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LEBHQwxRW8.bat"
                                                                                      24⤵
                                                                                        PID:2844
                                                                                        • C:\Windows\system32\w32tm.exe
                                                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                          25⤵
                                                                                            PID:2660
                                                                                          • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe
                                                                                            "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe"
                                                                                            25⤵
                                                                                            • Executes dropped EXE
                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                            PID:876
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1812
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2872
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:3012
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2260
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2168
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2088
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\conhost.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:780
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\conhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2660
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\conhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2896
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\sppsvc.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2952
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2288
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2900
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Windows\ShellNew\OSPPSVC.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:3000
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\ShellNew\OSPPSVC.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2976
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Windows\ShellNew\OSPPSVC.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1620
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Program Files\VideoLAN\VLC\lua\taskhost.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1988
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\lua\taskhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1984
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Program Files\VideoLAN\VLC\lua\taskhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2140
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\providercommon\csrss.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2776
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2372
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2108
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Users\Default\spoolsv.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2036
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default\spoolsv.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1408
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Users\Default\spoolsv.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:284
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\spoolsv.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1296
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\spoolsv.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2128
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\spoolsv.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1032
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\AppPatch\de-DE\csrss.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:968
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\AppPatch\de-DE\csrss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1616
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\AppPatch\de-DE\csrss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2520
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\PLA\Reports\it-IT\csrss.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:960
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\PLA\Reports\it-IT\csrss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2940
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Windows\PLA\Reports\it-IT\csrss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1744
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\spoolsv.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1068
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1784
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1560
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Videos\lsm.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1728
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Default\Videos\lsm.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1540
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Videos\lsm.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1752
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1332
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:576
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2092
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\providercommon\sppsvc.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1512
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2324
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1340
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\providercommon\taskhost.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2012
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2348
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1576
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\taskhost.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2836
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\taskhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2800
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\taskhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2696

                                          Network

                                                MITRE ATT&CK Enterprise v15

                                                Replay Monitor

                                                Loading Replay Monitor...

                                                Downloads

                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                  Filesize

                                                  342B

                                                  MD5

                                                  79de03486e1a75616867fd60d1a639ba

                                                  SHA1

                                                  4bd54abfcb2d5bde05523f3cebd1f7aaea104f41

                                                  SHA256

                                                  98e5aa0150896a83dfbe68bb26f17e4db001bcb990f1512a0812c72c1405193a

                                                  SHA512

                                                  0fe141a0308c946e2c17dd79b54e1f03b17eeec92fb4433deab49d0a0fa59c8fa72b8749f7c33566fea9553304b592cc6af06bbbf033a79c619ab9ae6c42fa99

                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                  Filesize

                                                  342B

                                                  MD5

                                                  2f6ca680147ae2896b4ca5150b470c83

                                                  SHA1

                                                  e013636bb053e2af376d29045edd1c68f2569593

                                                  SHA256

                                                  43d05478fc16ac922fbf9e29cf3cc46855be50cb614e15f0c56589e3c829a071

                                                  SHA512

                                                  3d2fd3e0e8f0613a31e6d070850b9fda3375aa2d53fca54efec1009e493e5f941ec58ba5839d81710ecc95bd0f536c0b0c475537a3136537933444757f022dea

                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                  Filesize

                                                  342B

                                                  MD5

                                                  edbc2b2671ad6c5ed5053ffc183a3ebc

                                                  SHA1

                                                  b7e69d63362ff3dfd8c1096c27e7bb869aa640ed

                                                  SHA256

                                                  af5d5962a89c4594068ad1a7f5ccf26b5f4bb9b16432fb6556a3c7845f3572a6

                                                  SHA512

                                                  4f3597c13c183fb2d0c2447e31ec9b7c57b18f2850f3c02cb84566c5c8476a016453ec26c5ea2e98b48b32b01417bf017fce0bc4ac0fba7be46dd5b8bc094793

                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                  Filesize

                                                  342B

                                                  MD5

                                                  6db5261b0261ebd6096dbddf9b2167cd

                                                  SHA1

                                                  08e40e50ba72b10782d8aa7f6322f074c7c4e5de

                                                  SHA256

                                                  493e10cc3a6f24a59c242922715942676f68c5329efd870974fa8b70d7128a25

                                                  SHA512

                                                  cdfa8eb0fa5d7e3470d37b443eba02fa872e4fbc8e7ea3096ddd2db7f1fb21fabf667f181581cf638c9884944003c18114c04f9a751d9a6e5db4b9ab6d3e6092

                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                  Filesize

                                                  342B

                                                  MD5

                                                  ded3489c989f5c1a9cab47849320ee8d

                                                  SHA1

                                                  3c0ae25840b8f81579121ba422ff880fdb73f5af

                                                  SHA256

                                                  22b6e90b0633f072cd1dbe20492beeb3c3116c3f627578bfeded5e46c5492c4f

                                                  SHA512

                                                  b80f83d7d69a296eeef24ee01d39e1248e9eebfaf2e62d33ebfca441457f1f268572530a21f1a52017e5db0f4f9d1be2b8001d2abb96c82e581bfc9b80265d88

                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                  Filesize

                                                  342B

                                                  MD5

                                                  5d966fa55296ec8a86399015c9fe7203

                                                  SHA1

                                                  27765ee53322912cc564fe583fbb006584f1a1a9

                                                  SHA256

                                                  3b9a1b9e5badbff414bdfd9796095dd28348fbbc38e76510bb944139d58454fc

                                                  SHA512

                                                  c7b277ebd4fc90af18a947872f4cd2f68f74ec1bb8f20d8208575b90a35fca6708645c928652864e7fedfbe22b45f5cc5ace03f04fd40e7dc7659aa577e80459

                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                  Filesize

                                                  342B

                                                  MD5

                                                  17b7d4e6664aaf221100c9434c94572b

                                                  SHA1

                                                  23ddaf74b5d1531545200b98ee7a977942a1a253

                                                  SHA256

                                                  758868ae3b829e59c8ab8a08943b0707891d16a00313be5f524c044b496463f4

                                                  SHA512

                                                  40dfd915513256749e096235c6fc6cb6cedb95346442535cd97cb7d39c5b1a8d36a7b7208eba94079ccc6593f46be0e04e449c193489cf6f52261136921f5894

                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                  Filesize

                                                  342B

                                                  MD5

                                                  f28c5d06b8998fec96514d7ab44077ec

                                                  SHA1

                                                  a3c03f3ed3d8e1553b754118e1a44e4b933dc42a

                                                  SHA256

                                                  8d24f6f2c1674df3a9ccac1f391c92a98898cc0c1f82675ae7cc4642b57cf744

                                                  SHA512

                                                  b0bb6af96320133ec65edfd2a0cb146777147c09dc3041469061496f259b7b4e7f5c884093ff30efdc3f83a7d5745f44caca4cfa49f295b2b206745bbf513ff4

                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                  Filesize

                                                  342B

                                                  MD5

                                                  5cae9b5f81c3456f5d51e8a8b70b6294

                                                  SHA1

                                                  6a2ca5e36190e5c2860c4176bae8c1d82cc136ac

                                                  SHA256

                                                  862ad50dd93003a1f053c30473107398da4397d15fa70629bd61c21090c96251

                                                  SHA512

                                                  6f42cd43033ecd583d2e498c3e8ece47ba3d3f6838b99e067cb20f1a5957818904d31662266fc0f022778ae451a738649828724e65569a435e9c7d37bb026ed2

                                                • C:\Users\Admin\AppData\Local\Temp\Cab3BF9.tmp

                                                  Filesize

                                                  70KB

                                                  MD5

                                                  49aebf8cbd62d92ac215b2923fb1b9f5

                                                  SHA1

                                                  1723be06719828dda65ad804298d0431f6aff976

                                                  SHA256

                                                  b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                                  SHA512

                                                  bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                                • C:\Users\Admin\AppData\Local\Temp\Jk1vLt9ke4.bat

                                                  Filesize

                                                  240B

                                                  MD5

                                                  dade97c2e88c02cdd8c652f488abedab

                                                  SHA1

                                                  987c076c02f1b91f06026c5783dbf17dd2ad9b66

                                                  SHA256

                                                  d70156be2eb43c591efba443b392d041feb2af7740997592fe68fe90b1487b9b

                                                  SHA512

                                                  60c8c14d526d360e24f2bcc8860b36e1e3f67613de34848628364cdd5d4457042484152cb3eef213d61372db5cc04adfce415f897db4041cafc75e9e7cd34f06

                                                • C:\Users\Admin\AppData\Local\Temp\LEBHQwxRW8.bat

                                                  Filesize

                                                  240B

                                                  MD5

                                                  6bd98f60e83851877b5359a86a3a0463

                                                  SHA1

                                                  d3211591e8b83f441c475a8064b597e87c8c65e8

                                                  SHA256

                                                  5f7246f1749f183105f949243f29fd2c187d85978f6fac21138ace390726efbb

                                                  SHA512

                                                  79c6ca16bc63457a0fa8422fd6fb0a3663edd5959e38360c4bb9d59ad77dfea9e4be28d49f2debab5a070c19a0b51a65eb457468d5ce735550b619e41810ef96

                                                • C:\Users\Admin\AppData\Local\Temp\MpmmxgpAh8.bat

                                                  Filesize

                                                  240B

                                                  MD5

                                                  df974a0c93b8ca3d634b37b62fdbabda

                                                  SHA1

                                                  7c7e1a4aa7e4796005d7530ca6280812fe88502e

                                                  SHA256

                                                  0252cd4315d706fe905401b15820bc5be19126318b4d263e066d2f1e95dd662e

                                                  SHA512

                                                  a526a3608be26ee8de574e650c9bf2be64dc56e7a186c4cc88926f5c4b750616684230fadb8b7ed67e5a170643d9a0c870a23b8cf00289ec1944732ca1e4140a

                                                • C:\Users\Admin\AppData\Local\Temp\RBIFf9IaIr.bat

                                                  Filesize

                                                  240B

                                                  MD5

                                                  191fd7a1c2e5a88220558a9cf73637c3

                                                  SHA1

                                                  bb2f56ca697d775ac2b34c3da70abd2c38e9c978

                                                  SHA256

                                                  0266dfb703022e6618121fa91e86be510455fca66fd76ca05f6ca61fd2b98013

                                                  SHA512

                                                  810e02e5fd6c9a44e7f68ba0c92ce75290fd834a988d4f4ac5529bd9a33c55d97d72a7e9e89a5166f6d8dc4b89128c5498e30e8b738010b04ec6eee8f91f7a3f

                                                • C:\Users\Admin\AppData\Local\Temp\Tar3C0C.tmp

                                                  Filesize

                                                  181KB

                                                  MD5

                                                  4ea6026cf93ec6338144661bf1202cd1

                                                  SHA1

                                                  a1dec9044f750ad887935a01430bf49322fbdcb7

                                                  SHA256

                                                  8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                                                  SHA512

                                                  6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                                • C:\Users\Admin\AppData\Local\Temp\USq6qxpMr5.bat

                                                  Filesize

                                                  240B

                                                  MD5

                                                  30baa09907ed029b2e850669f181f0ee

                                                  SHA1

                                                  5f70949c67003992974ad3cbb9d725841875db93

                                                  SHA256

                                                  40bfa1a7d1b8bedc9f14f2c5564a1f5db2191f8830a4d04fa1d27699717f0425

                                                  SHA512

                                                  64a76b93aca19fadcd6524c27323eb6d890fca5dce95ebd10aa0d8f410fcfa9e2e43a018e7d1dd6022607eea81eb6330cc7bd49a9911ab43bea258c1f5df9add

                                                • C:\Users\Admin\AppData\Local\Temp\Ys2Wc5gw2w.bat

                                                  Filesize

                                                  240B

                                                  MD5

                                                  554afa2329b922e7ca9bde275c3894b5

                                                  SHA1

                                                  a0b1933f881f97e5d7d19e90bb492db42208c245

                                                  SHA256

                                                  d5b650952203bef4cb3fc55d44a713dcba7ef53de3abf4d625b5e3fab10293bc

                                                  SHA512

                                                  848432ab3a39c6017365bb13aa8619dfdcf0fe64875490a154b6ba54b8e7c0a29ffd82553d08b139da0005a36d647ba2ac41c576b5c992c72b9ad60e1df3307f

                                                • C:\Users\Admin\AppData\Local\Temp\djCrJd6RmA.bat

                                                  Filesize

                                                  240B

                                                  MD5

                                                  38cbd264860873fae39648db5027ea96

                                                  SHA1

                                                  37ad91f874fa87e56e74ebe0ab3c28d282979925

                                                  SHA256

                                                  34b54101cfbd85af4d3e1180137b3a4a0b553e0692757a4058dac934a4bff33c

                                                  SHA512

                                                  79aad62a3f083f110ec0becf6f8103fb445a14370518c0125313b0bc8bfe399b9a55c16364fce8b139145b9674ff7002371feacd5bb9b8a6240c7195f77d47b7

                                                • C:\Users\Admin\AppData\Local\Temp\kUVpzpaF2i.bat

                                                  Filesize

                                                  240B

                                                  MD5

                                                  be330606dd9226d976751d2abf6f8452

                                                  SHA1

                                                  b7ff87500b8787456d43b5be4506a5b2f6775a44

                                                  SHA256

                                                  0d72617a390743a599b17bf7d1350d5fa8549332c209ce1ab6e89d36b88cee73

                                                  SHA512

                                                  09384fa193cc7a636bcdfa7edd4261641584ebd997851ce0aac3e6c9847a8c902953891337b0e1816d7cccd74dc4f5c62c4ce70af2a3b2da7b9dc28f0c7ed4d3

                                                • C:\Users\Admin\AppData\Local\Temp\v65NgynF79.bat

                                                  Filesize

                                                  240B

                                                  MD5

                                                  9525e5540b2b74627d7337985971b671

                                                  SHA1

                                                  c4c9553b1106d47601e9bd742491ca1e6b1325de

                                                  SHA256

                                                  08cbd24c2982a22f960407bfcfa83949c21d830ab5d349507b207ade28d88d97

                                                  SHA512

                                                  32fa726b5cf35c9738c8a708cf8565469f21282cf83921d0a814e0b012a6cef4efe6ff29d47e989477ad6924f1f11ee849c13288a799effdf45506f7dc4460c1

                                                • C:\Users\Admin\AppData\Local\Temp\xHU7fKnwSZ.bat

                                                  Filesize

                                                  240B

                                                  MD5

                                                  82832e63c55b455a7b1a2d2de1b7f5d1

                                                  SHA1

                                                  fbee415321345ef4e1301ddf39aea08e713f6fdc

                                                  SHA256

                                                  956a5d74052471a098276c34f069ffd2cbb96025816022062275cf0e4626506f

                                                  SHA512

                                                  196ceeb1a5f4820de5c724b859867292fd62c9397f372490ca9ab3eb3b0de2848d407dc0fb9769eb7c43b5a91140507317998d4b5508f51bfb628a3b9862ad57

                                                • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\07HSRL4KMJ5XNRPXLKZX.temp

                                                  Filesize

                                                  7KB

                                                  MD5

                                                  4f1d56ece64362fdacd60c3df381364c

                                                  SHA1

                                                  eceeadc7527d055ea13999435d680e50f2109774

                                                  SHA256

                                                  e273d8abdfa87dffa696a01e728542e3c6ad5394b47014d338dee673afd40c25

                                                  SHA512

                                                  c9a7754374ee27f48c8922297cf8b4f27fc3a22f6795cb777398a65c46aa9d09fb1f073019dabb5ca3106f4e6c36487c63450e4c72672938e92635c602f1a0fa

                                                • C:\providercommon\1zu9dW.bat

                                                  Filesize

                                                  36B

                                                  MD5

                                                  6783c3ee07c7d151ceac57f1f9c8bed7

                                                  SHA1

                                                  17468f98f95bf504cc1f83c49e49a78526b3ea03

                                                  SHA256

                                                  8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

                                                  SHA512

                                                  c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                                • C:\providercommon\DllCommonsvc.exe

                                                  Filesize

                                                  1.0MB

                                                  MD5

                                                  bd31e94b4143c4ce49c17d3af46bcad0

                                                  SHA1

                                                  f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                                  SHA256

                                                  b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                                  SHA512

                                                  f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                                • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                                  Filesize

                                                  197B

                                                  MD5

                                                  8088241160261560a02c84025d107592

                                                  SHA1

                                                  083121f7027557570994c9fc211df61730455bb5

                                                  SHA256

                                                  2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

                                                  SHA512

                                                  20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                                • memory/872-617-0x0000000000C80000-0x0000000000D90000-memory.dmp

                                                  Filesize

                                                  1.1MB

                                                • memory/876-737-0x0000000000DA0000-0x0000000000EB0000-memory.dmp

                                                  Filesize

                                                  1.1MB

                                                • memory/1384-89-0x000000001B690000-0x000000001B972000-memory.dmp

                                                  Filesize

                                                  2.9MB

                                                • memory/1604-557-0x00000000000E0000-0x00000000001F0000-memory.dmp

                                                  Filesize

                                                  1.1MB

                                                • memory/1940-197-0x00000000009C0000-0x0000000000AD0000-memory.dmp

                                                  Filesize

                                                  1.1MB

                                                • memory/1980-257-0x0000000000310000-0x0000000000420000-memory.dmp

                                                  Filesize

                                                  1.1MB

                                                • memory/2272-677-0x0000000000440000-0x0000000000452000-memory.dmp

                                                  Filesize

                                                  72KB

                                                • memory/2440-377-0x00000000009F0000-0x0000000000B00000-memory.dmp

                                                  Filesize

                                                  1.1MB

                                                • memory/2584-497-0x0000000001390000-0x00000000014A0000-memory.dmp

                                                  Filesize

                                                  1.1MB

                                                • memory/2608-90-0x0000000001DB0000-0x0000000001DB8000-memory.dmp

                                                  Filesize

                                                  32KB

                                                • memory/2760-14-0x0000000000150000-0x0000000000162000-memory.dmp

                                                  Filesize

                                                  72KB

                                                • memory/2760-15-0x0000000000430000-0x000000000043C000-memory.dmp

                                                  Filesize

                                                  48KB

                                                • memory/2760-13-0x0000000000A60000-0x0000000000B70000-memory.dmp

                                                  Filesize

                                                  1.1MB

                                                • memory/2760-16-0x0000000000420000-0x000000000042C000-memory.dmp

                                                  Filesize

                                                  48KB

                                                • memory/2760-17-0x0000000000440000-0x000000000044C000-memory.dmp

                                                  Filesize

                                                  48KB

                                                • memory/2784-317-0x0000000000860000-0x0000000000970000-memory.dmp

                                                  Filesize

                                                  1.1MB

                                                • memory/2952-437-0x0000000000AC0000-0x0000000000BD0000-memory.dmp

                                                  Filesize

                                                  1.1MB

                                                • memory/2984-91-0x0000000000140000-0x0000000000152000-memory.dmp

                                                  Filesize

                                                  72KB

                                                • memory/2984-58-0x0000000000300000-0x0000000000410000-memory.dmp

                                                  Filesize

                                                  1.1MB