Analysis

  • max time kernel
    146s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    30/12/2024, 02:30

General

  • Target

    JaffaCakes118_190379c3d91cd902ec05870e16957002be76ff591b0a41e2318f1d43d52c2984.exe

  • Size

    1.3MB

  • MD5

    5de03683cf08f309f51aa3e7568de049

  • SHA1

    7cee54a2f9f4b58825d186458ddb5b1311ff62f4

  • SHA256

    190379c3d91cd902ec05870e16957002be76ff591b0a41e2318f1d43d52c2984

  • SHA512

    3c27323ac236f180418993b718f57b84af2f690b82678089c2597e3a5f3669d3d18ae37bf030db0c5a88c6b9afd817c3afcce7041e596107bbe335cafe1799dd

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 57 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 9 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 11 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
  • Drops file in Program Files directory 8 IoCs
  • Drops file in Windows directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 33 IoCs
  • Suspicious use of AdjustPrivilegeToken 31 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_190379c3d91cd902ec05870e16957002be76ff591b0a41e2318f1d43d52c2984.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_190379c3d91cd902ec05870e16957002be76ff591b0a41e2318f1d43d52c2984.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2236
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2320
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2400
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2712
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2800
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\smss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1396
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PolicyDefinitions\wininit.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2876
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\en-US\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2928
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\audiodg.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2912
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\explorer.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2668
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\System.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2160
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\TableTextService\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2656
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\tracing\conhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2736
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\cmd.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2332
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\taskhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1092
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\System.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2984
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\spoolsv.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1348
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\System.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2028
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\cmd.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2788
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2644
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Downloads\smss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2472
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\AppPatch\en-US\dwm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2740
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1992
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\cmd.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1776
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zLBqcxImeX.bat"
            5⤵
              PID:2148
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                6⤵
                  PID:2588
                • C:\providercommon\spoolsv.exe
                  "C:\providercommon\spoolsv.exe"
                  6⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2564
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NHYDEKme3A.bat"
                    7⤵
                      PID:1864
                      • C:\Windows\system32\w32tm.exe
                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                        8⤵
                          PID:2008
                        • C:\providercommon\spoolsv.exe
                          "C:\providercommon\spoolsv.exe"
                          8⤵
                          • Executes dropped EXE
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2560
                          • C:\Windows\System32\cmd.exe
                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\38MS6cfT7h.bat"
                            9⤵
                              PID:680
                              • C:\Windows\system32\w32tm.exe
                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                10⤵
                                  PID:2688
                                • C:\providercommon\spoolsv.exe
                                  "C:\providercommon\spoolsv.exe"
                                  10⤵
                                  • Executes dropped EXE
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:1988
                                  • C:\Windows\System32\cmd.exe
                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PoOVO2yVWN.bat"
                                    11⤵
                                      PID:2184
                                      • C:\Windows\system32\w32tm.exe
                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                        12⤵
                                          PID:3060
                                        • C:\providercommon\spoolsv.exe
                                          "C:\providercommon\spoolsv.exe"
                                          12⤵
                                          • Executes dropped EXE
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:2368
                                          • C:\Windows\System32\cmd.exe
                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rm9ahlPG2t.bat"
                                            13⤵
                                              PID:2016
                                              • C:\Windows\system32\w32tm.exe
                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                14⤵
                                                  PID:2004
                                                • C:\providercommon\spoolsv.exe
                                                  "C:\providercommon\spoolsv.exe"
                                                  14⤵
                                                  • Executes dropped EXE
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:2320
                                                  • C:\Windows\System32\cmd.exe
                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0MFyH7TMVd.bat"
                                                    15⤵
                                                      PID:2472
                                                      • C:\Windows\system32\w32tm.exe
                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                        16⤵
                                                          PID:2616
                                                        • C:\providercommon\spoolsv.exe
                                                          "C:\providercommon\spoolsv.exe"
                                                          16⤵
                                                          • Executes dropped EXE
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:2972
                                                          • C:\Windows\System32\cmd.exe
                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WVE2eLfZN7.bat"
                                                            17⤵
                                                              PID:856
                                                              • C:\Windows\system32\w32tm.exe
                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                18⤵
                                                                  PID:1464
                                                                • C:\providercommon\spoolsv.exe
                                                                  "C:\providercommon\spoolsv.exe"
                                                                  18⤵
                                                                  • Executes dropped EXE
                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:1988
                                                                  • C:\Windows\System32\cmd.exe
                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zi4n06VBpB.bat"
                                                                    19⤵
                                                                      PID:2412
                                                                      • C:\Windows\system32\w32tm.exe
                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                        20⤵
                                                                          PID:768
                                                                        • C:\providercommon\spoolsv.exe
                                                                          "C:\providercommon\spoolsv.exe"
                                                                          20⤵
                                                                          • Executes dropped EXE
                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          PID:2368
                                                                          • C:\Windows\System32\cmd.exe
                                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2RP5SY0RjS.bat"
                                                                            21⤵
                                                                              PID:2736
                                                                              • C:\Windows\system32\w32tm.exe
                                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                22⤵
                                                                                  PID:1604
                                                                                • C:\providercommon\spoolsv.exe
                                                                                  "C:\providercommon\spoolsv.exe"
                                                                                  22⤵
                                                                                  • Executes dropped EXE
                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                  PID:2296
                                                                                  • C:\Windows\System32\cmd.exe
                                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\InhrPXXuGB.bat"
                                                                                    23⤵
                                                                                      PID:1580
                                                                                      • C:\Windows\system32\w32tm.exe
                                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                        24⤵
                                                                                          PID:952
                                                                                        • C:\providercommon\spoolsv.exe
                                                                                          "C:\providercommon\spoolsv.exe"
                                                                                          24⤵
                                                                                          • Executes dropped EXE
                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:2256
                                                                                          • C:\Windows\System32\cmd.exe
                                                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IrGY9odMle.bat"
                                                                                            25⤵
                                                                                              PID:1584
                                                                                              • C:\Windows\system32\w32tm.exe
                                                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                26⤵
                                                                                                  PID:1204
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Users\Default\smss.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2736
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default\smss.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1348
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Users\Default\smss.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2644
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Windows\PolicyDefinitions\wininit.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2664
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\wininit.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2612
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Windows\PolicyDefinitions\wininit.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2692
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\en-US\csrss.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2404
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\en-US\csrss.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2624
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\en-US\csrss.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:840
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\audiodg.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2036
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Default User\audiodg.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2852
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\audiodg.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2352
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\explorer.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2848
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\explorer.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2720
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\explorer.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2944
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\providercommon\System.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:3004
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2856
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2680
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\csrss.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2000
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\csrss.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1964
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\csrss.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1764
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Windows\tracing\conhost.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2172
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\tracing\conhost.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1940
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Windows\tracing\conhost.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2380
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\cmd.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1868
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\cmd.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2140
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\cmd.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:340
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\taskhost.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2248
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\taskhost.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:708
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\taskhost.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2504
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Portable Devices\System.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1068
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\System.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1300
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\System.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1088
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\spoolsv.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1712
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\spoolsv.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1556
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\spoolsv.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:276
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\providercommon\System.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1368
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:616
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:596
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\cmd.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2276
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2964
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2076
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\providercommon\spoolsv.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2060
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:284
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1616
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Downloads\smss.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1688
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Public\Downloads\smss.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:880
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Downloads\smss.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2412
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Windows\AppPatch\en-US\dwm.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2204
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\AppPatch\en-US\dwm.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1588
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Windows\AppPatch\en-US\dwm.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2316
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2328
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1748
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:264
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\cmd.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:580
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\cmd.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:3040
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\cmd.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2896

                                              Network

                                                    MITRE ATT&CK Enterprise v15

                                                    Replay Monitor

                                                    Loading Replay Monitor...

                                                    Downloads

                                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                      Filesize

                                                      342B

                                                      MD5

                                                      9b65242bf9e7b1ab84d5282b06e3fc1b

                                                      SHA1

                                                      fb5b8eda425add4a58fb743e97ee31e863036f20

                                                      SHA256

                                                      45af09798cc922d2ca233a76cbcaa09c2c15e8f9ab6c85338f54575c685d9901

                                                      SHA512

                                                      7a32fed012e16833cd0ee78f99119936236ef38090d645932afaaabcf176703e2a197143801bf0c281c216c61be9545255195c75f1816cf68edd078afabb0103

                                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                      Filesize

                                                      342B

                                                      MD5

                                                      dfcdbe6e339bce5c621e5432ae290ad3

                                                      SHA1

                                                      2d82c810e1098eab000aaf2638a89dbb763f9fca

                                                      SHA256

                                                      aa457a2e43db40e314cea8d62e8000d3b135d854e683d0d1d85ddef72792db5d

                                                      SHA512

                                                      18ee97c239ff2334c202d526dc8e518b8f21941b40e6521fee154ff0ab1c3fe50af9e8c53ba029ca3226c318fba4bd4bdea71e7ca0ba2e84381439701a80294c

                                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                      Filesize

                                                      342B

                                                      MD5

                                                      faa72ea832d4bd99a800b0e1ec0ddaac

                                                      SHA1

                                                      02eaaba946badde27cd9b2519a1bfb510bfca156

                                                      SHA256

                                                      b771bf84b16507f789a40be04d2027a3586e90b403c44fe17ff7af2ad84ca4bc

                                                      SHA512

                                                      9da2deef8ad8d084892d1e4c31bb5be2f75e7b3a455efc11dcc2d20dd22dc0efe48c92bbc94498fe5b70d99eb36a7804cda34ac44eb1a311e7d188e84459e802

                                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                      Filesize

                                                      342B

                                                      MD5

                                                      03662c407ee71615ce99d9ab13681ed9

                                                      SHA1

                                                      00a72e50adf0308f7e12dcd1c8250d15be163575

                                                      SHA256

                                                      57b2e7d89d4a4022618b4bfed1b91e255bb9a4f6747f2d8597c9c938ee4632b7

                                                      SHA512

                                                      96ccd6b9fbd9d1a0233839436bfb17e685222782ae60ae78920ee5472652795763ac47c738a8b52c77ea33757e0d1fcae09d4531bc428f42e6b6832436d525c9

                                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                      Filesize

                                                      342B

                                                      MD5

                                                      447413cf6cf2aadaf990d990d4d62457

                                                      SHA1

                                                      7eba7b0503f9424672e08a30e085ff6077eff217

                                                      SHA256

                                                      240dda9f5b74dd310e04d59fea53d4f21d96b5999f7564fbeff0dae085e39f4c

                                                      SHA512

                                                      59503b5f8f4b5b76767e077bd508b20c35da5f0e3d7b38597751a4baaba365143fc56290222056cd3815a229a9efb7bf18bfb2251e547187e98129cca020328c

                                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                      Filesize

                                                      342B

                                                      MD5

                                                      9eab0e473dc2ad6b0b83167a3c3192c9

                                                      SHA1

                                                      9c3d9ce62b1ab81f25ce6fb035d2094393934c6b

                                                      SHA256

                                                      4379b94d7f111df28488ba0ce34d197a3b0af713b9083bb7ac172b557f813352

                                                      SHA512

                                                      beefb2aa4995c17677562b7a16edd267e5eec606bc4649e77af5f390a71b506f5d822361f47b64b1a93fe2ac11130143d3abfb37cee8cbfa8889019c08194451

                                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                      Filesize

                                                      342B

                                                      MD5

                                                      4eff39c39f3c120f1ee7218ffe455674

                                                      SHA1

                                                      2e43d8071782f63d5879f94fef713b07cd658eeb

                                                      SHA256

                                                      a254a33cbd36726d975d6212d1d40f579c3b6ab8b22af45b5e8a2b2945252561

                                                      SHA512

                                                      9655550f9ca3d39830c2365af25bd39f8ec11ca99bca76c07e0646d03bf78873d26b8794c2128231e7213c6383a6baf4e8f577a49692080c6181b0051379dfdb

                                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                      Filesize

                                                      342B

                                                      MD5

                                                      14bbe0fba16ced3928df63303953b876

                                                      SHA1

                                                      65f27c04c5f5638d26ce5333e440be60d527e9e6

                                                      SHA256

                                                      360e0a7b08eaa00e67fc8c35adfbb6ab215077280b6d805a060bd556af66e771

                                                      SHA512

                                                      74abb401bd73e2063d1fbc652cb256baa841661a8534320f6ed14fad5e8205fcc00b1e0e61213812771a3dc206c6d3829a7524651ad5a769b792f49d83fccd70

                                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                      Filesize

                                                      342B

                                                      MD5

                                                      88555a3a4a24049c3dd7b164d2499c94

                                                      SHA1

                                                      3ddb8df4be94c84a6ef5cd418102c9c2a2a2cbf2

                                                      SHA256

                                                      3e12f8fbcb5e7e4f80a2dd6c7ad43881c0ddae599f8c263c8e049f55b16afeea

                                                      SHA512

                                                      243cf54beb31fd5e73288f69180e0360275689fabbf5e2b9d7861f5339f751715876cf469002eb79665ec629c0bd24e08ce4e6e01f8c805ce777b8e6963b924b

                                                    • C:\Users\Admin\AppData\Local\Temp\0MFyH7TMVd.bat

                                                      Filesize

                                                      194B

                                                      MD5

                                                      a3b53f3a13ddf28a403b764af0e8e3c5

                                                      SHA1

                                                      5a8586c9f6a381f986494e5a0bc952f94ff63e1f

                                                      SHA256

                                                      fe22f71a20555b8e812ed69faa8d484057d2c1295bab002684fe1861e6126d78

                                                      SHA512

                                                      0b274db985524b73f4c0bf2a59f9f150ae9a3fca274c5ccf4d6c39c5753334fcafc0cbc149574c83af32699d28959cfec4f3ce7121b11af5f4e4f004c13d734d

                                                    • C:\Users\Admin\AppData\Local\Temp\2RP5SY0RjS.bat

                                                      Filesize

                                                      194B

                                                      MD5

                                                      7d6fd70ae70f0f4d1f94dcce58058834

                                                      SHA1

                                                      803519d57f941a902f4e0e519b45dd9512793bb4

                                                      SHA256

                                                      23e90d94a9d726d1039d7d9f6f2f0e0a3e2bd3847c789a2df2c0e2d7045dcfcd

                                                      SHA512

                                                      c3a88f318d59eb91fd2bf9e633f3f81aeacf70b4b863efe6fc50fbf5b00106a71b4cb5d733ed6f450b7663f06162d623a563d2091b28d0b800a2026cbd8fbd91

                                                    • C:\Users\Admin\AppData\Local\Temp\38MS6cfT7h.bat

                                                      Filesize

                                                      194B

                                                      MD5

                                                      3d8ff81d130b276643e6558faa07c448

                                                      SHA1

                                                      165e2817d119fdba9f700527eeb314d03b4b629f

                                                      SHA256

                                                      3bcdb21156b92faafd0d5d17253c731aa8997b6b00614f0420dbda11cd655ec2

                                                      SHA512

                                                      3fd19c2ba2c8ef613ac8b6f4dd7dd070578a2a7f9be183e7ec96c1a8628b13c44458d2e12a97cc74b2ad3b97b05687c6875915729931186d13e91675bcaaaabb

                                                    • C:\Users\Admin\AppData\Local\Temp\CabFBEE.tmp

                                                      Filesize

                                                      70KB

                                                      MD5

                                                      49aebf8cbd62d92ac215b2923fb1b9f5

                                                      SHA1

                                                      1723be06719828dda65ad804298d0431f6aff976

                                                      SHA256

                                                      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                                      SHA512

                                                      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                                    • C:\Users\Admin\AppData\Local\Temp\InhrPXXuGB.bat

                                                      Filesize

                                                      194B

                                                      MD5

                                                      a522fb725c1794efc6c0ceb57f9c93d8

                                                      SHA1

                                                      1b654af93990c018f30545537d7e3866ce8792fd

                                                      SHA256

                                                      69cca8c94539a4ba0c3175e08dc8bc3db4eddb3f9571bbe2ae9a8e1f5bdce6e5

                                                      SHA512

                                                      3fbc1084bfed688c26ea4dacbd9cf7330ed6b46ea029159b570c219dddb8f04064d862065027479126bc0d338fcde75d65738b30050222251b61d4ff30df9485

                                                    • C:\Users\Admin\AppData\Local\Temp\IrGY9odMle.bat

                                                      Filesize

                                                      194B

                                                      MD5

                                                      7dd00e66241426450b56f1f115ceb80e

                                                      SHA1

                                                      98639aed96f54eac569e89a9c6f6286d9a18d4d6

                                                      SHA256

                                                      60605d1ab886e82cc1c7705da9d448cca3f4acb08370f6d38d061c28015716be

                                                      SHA512

                                                      0de20b247eeffc29c61f2ec8fb1184276c6f5d0863bfdf77be6c689447cf81873f15388b5d45077b455d2c15829b51c2800035c695337e064c39eea90eef7895

                                                    • C:\Users\Admin\AppData\Local\Temp\NHYDEKme3A.bat

                                                      Filesize

                                                      194B

                                                      MD5

                                                      1e4d258196fe15c2ac574884788c70f8

                                                      SHA1

                                                      373962f06c609ea3377271dab916ba6b688e261e

                                                      SHA256

                                                      2127fdbc1010d508873ed119ad0c27ffd45111865ecce6a3330faa3969fbd550

                                                      SHA512

                                                      199b9935bccb451605bab6e43ea6980ac9b8a9388ec7b536983d6d822c68af71ddc7caac4893a85b95fadda5c7de91d61b35fc6ae5389963ce82ff098d12ab37

                                                    • C:\Users\Admin\AppData\Local\Temp\PoOVO2yVWN.bat

                                                      Filesize

                                                      194B

                                                      MD5

                                                      e92f66cca078e6ea16bbda2cabee886f

                                                      SHA1

                                                      e3abbffc08cab1506abb173f8de206a43b498804

                                                      SHA256

                                                      527b2b4129d970795fb5719c207b8294fc7533ec56b48d2c4fd71ceb57beff47

                                                      SHA512

                                                      9fa527a8ed4bef816d0d703f85d7a121712280363f492c398bdfc3bed24fa531a381304a0b17a1d442dbb8e9cb9ad025109790a5370d8491e51de157888f6f4e

                                                    • C:\Users\Admin\AppData\Local\Temp\TarFC10.tmp

                                                      Filesize

                                                      181KB

                                                      MD5

                                                      4ea6026cf93ec6338144661bf1202cd1

                                                      SHA1

                                                      a1dec9044f750ad887935a01430bf49322fbdcb7

                                                      SHA256

                                                      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                                                      SHA512

                                                      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                                    • C:\Users\Admin\AppData\Local\Temp\WVE2eLfZN7.bat

                                                      Filesize

                                                      194B

                                                      MD5

                                                      f29571e1faac13724ab17648b1931368

                                                      SHA1

                                                      02f14752c4874db284ad3c13eb67b4e9f42a679e

                                                      SHA256

                                                      d0ab16dd5ae28b8a8fac68c953b173db8cca6790f6e31be7c32c1d62d2f186bf

                                                      SHA512

                                                      d9117e61aeacf81137859216776f61d763a73e8a17f3d2e688aaf86960a9146b926b75c415a05e333d2d7f9cf0d7ca48ed278be36a33ddc84b7a95dda6c911d1

                                                    • C:\Users\Admin\AppData\Local\Temp\rm9ahlPG2t.bat

                                                      Filesize

                                                      194B

                                                      MD5

                                                      a4ac49f07e6fa92ff9e61b65e4830f87

                                                      SHA1

                                                      55d14c86aaba655b3ae2e778aa2567b15baeae8c

                                                      SHA256

                                                      b7b2a6841e4dd7e96de8da18ba727b29fcdba010cd047bfcef106f4b6b6570f3

                                                      SHA512

                                                      273b5778c08c835c6e16c8ef64916b14c1e35be965bc91a386f78492095dd48f13bb092e52fc8313c21f16dbf8ba17b2a0f803dbafdf618cc49dd62c73dc5716

                                                    • C:\Users\Admin\AppData\Local\Temp\zLBqcxImeX.bat

                                                      Filesize

                                                      194B

                                                      MD5

                                                      2cc1439d0dfbf763c0048ce7d4c2ebee

                                                      SHA1

                                                      dac10a67f3d8fae4251f2af665aaede1bd8d02ff

                                                      SHA256

                                                      b9733ed29a4193a9275ba14cb5f6d93c35c17ce8c029a67f38ac981220fdb53c

                                                      SHA512

                                                      ca554e887856eebb40cc69229b6511f1e6731d825263328011829c686a4f94d4ea19dc70ed513a327e1e7040ffc6120e3870b6225e676cb37b63d1a375efb4ca

                                                    • C:\Users\Admin\AppData\Local\Temp\zi4n06VBpB.bat

                                                      Filesize

                                                      194B

                                                      MD5

                                                      8469a393d97a9c4fd20a888cab279755

                                                      SHA1

                                                      11b9568303db176e824b6efb672c1f28babd0732

                                                      SHA256

                                                      722a7e61ec2548f18528e6a250febefc8d330cb3b7782c1e3bbb4b841bed8702

                                                      SHA512

                                                      6dbac03fd651933393112a0c54ec544318a5b74508b2a7a8c79acceda624bee134e0872b9646dea24748270520dc93598a2e9d80d4613b4a559c7b5c9088174f

                                                    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                                      Filesize

                                                      7KB

                                                      MD5

                                                      52baa08895c2bb8e09ff6fb99e433861

                                                      SHA1

                                                      f75408c130c8057de7a9e970a0edf6fe082a86fe

                                                      SHA256

                                                      2136b34bd1de7b563d4486009340cff4d99b67e206379d9e8261b54e9023d480

                                                      SHA512

                                                      48750699a584db413dc81f2e26d51793c552447c179f917a02048c09208265ebf3360c2f5d8d1dbc1d9332e1abb275cf9c5333b09bf9397fbf6c4319bb97e656

                                                    • C:\providercommon\1zu9dW.bat

                                                      Filesize

                                                      36B

                                                      MD5

                                                      6783c3ee07c7d151ceac57f1f9c8bed7

                                                      SHA1

                                                      17468f98f95bf504cc1f83c49e49a78526b3ea03

                                                      SHA256

                                                      8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

                                                      SHA512

                                                      c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                                    • C:\providercommon\DllCommonsvc.exe

                                                      Filesize

                                                      1.0MB

                                                      MD5

                                                      bd31e94b4143c4ce49c17d3af46bcad0

                                                      SHA1

                                                      f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                                      SHA256

                                                      b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                                      SHA512

                                                      f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                                    • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                                      Filesize

                                                      197B

                                                      MD5

                                                      8088241160261560a02c84025d107592

                                                      SHA1

                                                      083121f7027557570994c9fc211df61730455bb5

                                                      SHA256

                                                      2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

                                                      SHA512

                                                      20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                                    • memory/1988-281-0x00000000004D0000-0x00000000004E2000-memory.dmp

                                                      Filesize

                                                      72KB

                                                    • memory/1988-280-0x0000000000150000-0x0000000000260000-memory.dmp

                                                      Filesize

                                                      1.1MB

                                                    • memory/2256-699-0x0000000001250000-0x0000000001360000-memory.dmp

                                                      Filesize

                                                      1.1MB

                                                    • memory/2368-580-0x0000000001190000-0x00000000012A0000-memory.dmp

                                                      Filesize

                                                      1.1MB

                                                    • memory/2368-341-0x0000000000AB0000-0x0000000000BC0000-memory.dmp

                                                      Filesize

                                                      1.1MB

                                                    • memory/2560-220-0x00000000010B0000-0x00000000011C0000-memory.dmp

                                                      Filesize

                                                      1.1MB

                                                    • memory/2564-161-0x0000000000E20000-0x0000000000F30000-memory.dmp

                                                      Filesize

                                                      1.1MB

                                                    • memory/2712-17-0x0000000000A20000-0x0000000000A2C000-memory.dmp

                                                      Filesize

                                                      48KB

                                                    • memory/2712-16-0x00000000002D0000-0x00000000002DC000-memory.dmp

                                                      Filesize

                                                      48KB

                                                    • memory/2712-15-0x00000000002E0000-0x00000000002EC000-memory.dmp

                                                      Filesize

                                                      48KB

                                                    • memory/2712-14-0x00000000002C0000-0x00000000002D2000-memory.dmp

                                                      Filesize

                                                      72KB

                                                    • memory/2712-13-0x0000000001260000-0x0000000001370000-memory.dmp

                                                      Filesize

                                                      1.1MB

                                                    • memory/2800-70-0x000000001B510000-0x000000001B7F2000-memory.dmp

                                                      Filesize

                                                      2.9MB

                                                    • memory/2912-72-0x0000000002290000-0x0000000002298000-memory.dmp

                                                      Filesize

                                                      32KB

                                                    • memory/2972-461-0x0000000000350000-0x0000000000362000-memory.dmp

                                                      Filesize

                                                      72KB

                                                    • memory/2972-460-0x0000000000B70000-0x0000000000C80000-memory.dmp

                                                      Filesize

                                                      1.1MB