Analysis

  • max time kernel
    149s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    30/12/2024, 05:10

General

  • Target

    JaffaCakes118_17f31e1e8571282d02bf2a2ca0817ec203607bf1ba0cd67ec1e26b41d0524416.exe

  • Size

    1.3MB

  • MD5

    89f236d35c0d2b0feba9e2dc1126b748

  • SHA1

    8468de36e821a4bdb1007b1666e282227d25d31e

  • SHA256

    17f31e1e8571282d02bf2a2ca0817ec203607bf1ba0cd67ec1e26b41d0524416

  • SHA512

    81811b0596db8432a72a3867f5ce12e1c0c64426160a42bfcb74b888cee55094b6e853b9abdc34f48fbd281cafd89fe1bdb5ed21b8de55b132d4b1fc1cfae70a

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 36 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 11 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 13 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs
  • Drops file in Program Files directory 6 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 36 IoCs
  • Suspicious use of AdjustPrivilegeToken 26 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_17f31e1e8571282d02bf2a2ca0817ec203607bf1ba0cd67ec1e26b41d0524416.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_17f31e1e8571282d02bf2a2ca0817ec203607bf1ba0cd67ec1e26b41d0524416.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1868
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1848
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2300
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2768
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1716
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\lsm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2052
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\dllhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1656
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1328
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Office\Office14\explorer.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:884
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\DigitalLocker\fr-FR\WmiPrvSE.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1532
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Local Settings\wininit.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2596
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\ja-JP\lsm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2252
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2272
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\sppsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2440
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\OSPPSVC.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:964
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\BitLockerDiscoveryVolumeContents\OSPPSVC.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:984
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\audiodg.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2532
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4iSnXMBO8P.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2408
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:2700
              • C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\dllhost.exe
                "C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\dllhost.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2836
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\N7XO3McAFn.bat"
                  7⤵
                  • Suspicious use of WriteProcessMemory
                  PID:3032
                  • C:\Windows\system32\w32tm.exe
                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                    8⤵
                      PID:2604
                    • C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\dllhost.exe
                      "C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\dllhost.exe"
                      8⤵
                      • Executes dropped EXE
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2600
                      • C:\Windows\System32\cmd.exe
                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qUPyb5cGVE.bat"
                        9⤵
                          PID:2508
                          • C:\Windows\system32\w32tm.exe
                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                            10⤵
                              PID:668
                            • C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\dllhost.exe
                              "C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\dllhost.exe"
                              10⤵
                              • Executes dropped EXE
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              PID:880
                              • C:\Windows\System32\cmd.exe
                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\axBdnWD1Gl.bat"
                                11⤵
                                  PID:2772
                                  • C:\Windows\system32\w32tm.exe
                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                    12⤵
                                      PID:636
                                    • C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\dllhost.exe
                                      "C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\dllhost.exe"
                                      12⤵
                                      • Executes dropped EXE
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:2696
                                      • C:\Windows\System32\cmd.exe
                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OI2OM6vZgr.bat"
                                        13⤵
                                          PID:2992
                                          • C:\Windows\system32\w32tm.exe
                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                            14⤵
                                              PID:2060
                                            • C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\dllhost.exe
                                              "C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\dllhost.exe"
                                              14⤵
                                              • Executes dropped EXE
                                              • Suspicious behavior: EnumeratesProcesses
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:2872
                                              • C:\Windows\System32\cmd.exe
                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sNl5EWIzDs.bat"
                                                15⤵
                                                  PID:2728
                                                  • C:\Windows\system32\w32tm.exe
                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                    16⤵
                                                      PID:3012
                                                    • C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\dllhost.exe
                                                      "C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\dllhost.exe"
                                                      16⤵
                                                      • Executes dropped EXE
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:2524
                                                      • C:\Windows\System32\cmd.exe
                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat"
                                                        17⤵
                                                          PID:2596
                                                          • C:\Windows\system32\w32tm.exe
                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                            18⤵
                                                              PID:880
                                                            • C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\dllhost.exe
                                                              "C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\dllhost.exe"
                                                              18⤵
                                                              • Executes dropped EXE
                                                              • Suspicious behavior: EnumeratesProcesses
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:2768
                                                              • C:\Windows\System32\cmd.exe
                                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CV35gbisF1.bat"
                                                                19⤵
                                                                  PID:596
                                                                  • C:\Windows\system32\w32tm.exe
                                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                    20⤵
                                                                      PID:2096
                                                                    • C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\dllhost.exe
                                                                      "C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\dllhost.exe"
                                                                      20⤵
                                                                      • Executes dropped EXE
                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      PID:3032
                                                                      • C:\Windows\System32\cmd.exe
                                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ljgkLFIn4v.bat"
                                                                        21⤵
                                                                          PID:2872
                                                                          • C:\Windows\system32\w32tm.exe
                                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                            22⤵
                                                                              PID:2556
                                                                            • C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\dllhost.exe
                                                                              "C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\dllhost.exe"
                                                                              22⤵
                                                                              • Executes dropped EXE
                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              PID:2600
                                                                              • C:\Windows\System32\cmd.exe
                                                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FBiR4PpyYA.bat"
                                                                                23⤵
                                                                                  PID:904
                                                                                  • C:\Windows\system32\w32tm.exe
                                                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                    24⤵
                                                                                      PID:1556
                                                                                    • C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\dllhost.exe
                                                                                      "C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\dllhost.exe"
                                                                                      24⤵
                                                                                      • Executes dropped EXE
                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      PID:2564
                                                                                      • C:\Windows\System32\cmd.exe
                                                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qwBPskakqG.bat"
                                                                                        25⤵
                                                                                          PID:1752
                                                                                          • C:\Windows\system32\w32tm.exe
                                                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                            26⤵
                                                                                              PID:480
                                                                                            • C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\dllhost.exe
                                                                                              "C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\dllhost.exe"
                                                                                              26⤵
                                                                                              • Executes dropped EXE
                                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                              PID:2828
                                                                                              • C:\Windows\System32\cmd.exe
                                                                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SNhzeWIHcH.bat"
                                                                                                27⤵
                                                                                                  PID:1496
                                                                                                  • C:\Windows\system32\w32tm.exe
                                                                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                    28⤵
                                                                                                      PID:2624
                                                                                                    • C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\dllhost.exe
                                                                                                      "C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\dllhost.exe"
                                                                                                      28⤵
                                                                                                      • Executes dropped EXE
                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                      PID:2244
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\lsm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3004
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\All Users\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2648
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2796
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\dllhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2640
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2696
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2116
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\providercommon\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2028
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:564
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1492
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Office\Office14\explorer.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2952
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Office14\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1928
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Office\Office14\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2384
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Windows\DigitalLocker\fr-FR\WmiPrvSE.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2096
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\fr-FR\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:328
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Windows\DigitalLocker\fr-FR\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1880
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Local Settings\wininit.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2856
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default\Local Settings\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
                                                PID:1788
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Local Settings\wininit.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1904
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\lsm.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:628
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\lsm.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2992
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\lsm.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2356
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\providercommon\dllhost.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2984
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2076
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2264
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Reference Assemblies\Microsoft\sppsvc.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2664
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\sppsvc.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1032
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Reference Assemblies\Microsoft\sppsvc.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2608
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\OSPPSVC.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2244
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Default User\OSPPSVC.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:752
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\OSPPSVC.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1596
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\OSPPSVC.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:704
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\OSPPSVC.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1392
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\OSPPSVC.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1624
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\providercommon\audiodg.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1760
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1692
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1660
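The schtasks invocations above follow one template per dropped binary: a copy of a well-known Windows executable name (explorer.exe, WmiPrvSE.exe, wininit.exe, lsm.exe, dllhost.exe, sppsvc.exe, OSPPSVC.exe, audiodg.exe) is placed in a directory where that binary never lives, and three tasks are registered for it with /f (overwrite silently): one periodic, one ONLOGON with /rl HIGHEST, and a second periodic task also at HIGHEST. The Python below is an added example, not part of the sandbox report: it parses such command lines (as a sandbox, Sysmon Event ID 1 or Security Event 4688 would record them), groups them by target path, and flags both the out-of-place binary name and the three-task pattern. The expected-directory table is a simplified assumption for Windows 7 x64, and the final benign command line in the sample is constructed; the other sample lines are copied from the report.

```python
"""Flag DCRat-style schtasks persistence from logged `schtasks /create` lines."""
import ntpath
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# /flag [value]; a value is a "quoted string" or a bare token not starting
# with '/'. Adequate for schtasks lines, whose paths use backslashes.
FLAG_RE = re.compile(r'/(\w+)(?:\s+("[^"]*"|(?!/)\S+))?')

# Where each impersonated name legitimately lives on Windows 7 x64.
# Simplified table (assumption): extend for other OS versions or copies.
EXPECTED_DIRS = {
    "explorer.exe": {r"c:\windows", r"c:\windows\syswow64"},
    "wininit.exe": {r"c:\windows\system32"},
    "lsm.exe": {r"c:\windows\system32"},
    "dllhost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "sppsvc.exe": {r"c:\windows\system32"},
    "audiodg.exe": {r"c:\windows\system32"},
    "wmiprvse.exe": {r"c:\windows\system32\wbem", r"c:\windows\syswow64\wbem"},
    "osppsvc.exe": {r"c:\program files\common files\microsoft shared"
                    r"\officesoftwareprotectionplatform"},
}


@dataclass
class ScheduledTask:
    name: str                  # /tn
    schedule: str              # /sc (MINUTE, ONLOGON, ...)
    modifier: Optional[str]    # /mo interval, if any
    target: str                # /tr with both quoting layers removed
    run_level: Optional[str]   # /rl (HIGHEST = run elevated), if any
    force: bool                # /f: silently overwrite an existing task


@dataclass
class Finding:
    target: str
    masquerade: bool
    task_names: List[str] = field(default_factory=list)
    schedules: Set[Tuple[str, Optional[str]]] = field(default_factory=set)


def parse_schtasks_create(cmdline: str) -> Optional[ScheduledTask]:
    """Return the task a `schtasks /create` line registers, else None."""
    flags = {}
    for name, value in FLAG_RE.findall(cmdline):
        # Outer "..." quoting for the shell, inner '...' quoting for /tr.
        flags[name.lower()] = value.strip().strip('"').strip("'")
    if "create" not in flags or not flags.get("tr"):
        return None
    return ScheduledTask(
        name=flags.get("tn", ""),
        schedule=flags.get("sc", "").upper(),
        modifier=flags.get("mo") or None,
        target=flags["tr"],
        run_level=flags.get("rl", "").upper() or None,
        force="f" in flags,
    )


def is_masquerade(target: str) -> bool:
    """True if the file name is a known system binary outside its home dir."""
    directory, base = ntpath.split(target)
    expected = EXPECTED_DIRS.get(base.lower())
    return expected is not None and directory.lower().rstrip("\\") not in expected


def analyze(cmdlines: List[str]) -> Dict[str, Finding]:
    """Group task creations by the binary they launch."""
    findings: Dict[str, Finding] = {}
    for line in cmdlines:
        task = parse_schtasks_create(line)
        if task is None:
            continue
        f = findings.setdefault(task.target, Finding(task.target, is_masquerade(task.target)))
        f.task_names.append(task.name)
        f.schedules.add((task.schedule, task.run_level))
    return findings


def triple_persistence(f: Finding) -> bool:
    """The report's pattern: periodic, ONLOGON/HIGHEST and periodic/HIGHEST."""
    return {("MINUTE", None), ("ONLOGON", "HIGHEST"), ("MINUTE", "HIGHEST")} <= f.schedules


def classify(f: Finding) -> str:
    if f.masquerade and triple_persistence(f):
        return "masquerade + triple-task persistence"
    if f.masquerade:
        return "masquerade"
    return "no finding"


# Sample input: seven lines copied from the report plus one constructed
# benign task (last line) that points at the genuine explorer.exe.
SAMPLE_CMDLINES = [
    r'''schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Office\Office14\explorer.exe'" /f''',
    r'''schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Office14\explorer.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Office\Office14\explorer.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Windows\DigitalLocker\fr-FR\WmiPrvSE.exe'" /f''',
    r'''schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\fr-FR\WmiPrvSE.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Windows\DigitalLocker\fr-FR\WmiPrvSE.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\providercommon\dllhost.exe'" /f''',
    r'''schtasks.exe /create /tn "ExplorerRefresh" /sc ONLOGON /tr "C:\Windows\explorer.exe"''',
]

if __name__ == "__main__":
    for target, f in analyze(SAMPLE_CMDLINES).items():
        print(f"{classify(f):38} {target}  tasks={f.task_names}")
```

On a live host the same check can be run against `schtasks /query /fo CSV /v` output or the task XML under C:\Windows\System32\Tasks, where the `<Command>` element holds the same path; a masquerade hit on its own is already worth a look, since legitimate installers do not drop explorer.exe into an Office or DigitalLocker directory.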

                                              Network

                                                    MITRE ATT&CK Enterprise v15


                                                    Downloads

                                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                      Filesize

                                                      342B

                                                      MD5

                                                      894344df3799da669f2abc7c8ae6ba59

                                                      SHA1

                                                      2608a14b85b922779ff99cf9ad6c14138a9026da

                                                      SHA256

                                                      f26621cb25d1642687f65ff9922a981a479685137329719310d784b75cd28d62

                                                      SHA512

                                                      2b1e2c7cfab54ccd2cae58f915209f2a679e657e92fadb9d2c5f87c4006ab0a04cec4fc711b31e02f830354f2e6a091ee6e3f90f93929471cd0b39964c00b4cd

                                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                      Filesize

                                                      342B

                                                      MD5

                                                      9b8338f85868fcfac041951ad7c11f65

                                                      SHA1

                                                      e799ebcc108992323f0f4b4fcda7a178a667718f

                                                      SHA256

                                                      5781b75980472aefdb5fbd70ffe645f0d5a83f60bc6f44955d47d814f7cfec58

                                                      SHA512

                                                      ea2a2ca0e995ad19c33027be72df80f76296305bbb5deaaead8cdf6a3f58f33086ba84990f4e611cdd6787954a8b3720d2ac106487ed8b0421f602ea17235a3a

                                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                      Filesize

                                                      342B

                                                      MD5

                                                      c712bb12079bdd952887513d0cec3e61

                                                      SHA1

                                                      ccc2edacbef9da29799e56b2397a508b4cc76cd0

                                                      SHA256

                                                      25a76853e13c415716b06310a95a8688a3b625eedfe07f881d6161e03c0c340f

                                                      SHA512

                                                      4a1624b0b880505ecd88e122b5cba91440873dd50104d207a76d60d8a127144dd31e7451961cf30df223e2392a3a77744746cd7b60198adc76c1d4c0146ad2c6

                                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                      Filesize

                                                      342B

                                                      MD5

                                                      a635d9d7121a8f4ce14d82efadcbf98e

                                                      SHA1

                                                      726ab92a54431c4387cf52fcd6c02215925128a6

                                                      SHA256

                                                      6151af8bac7e86e7d30106bfed37d4b56c6f299ec32827d198029c10c3dbecfe

                                                      SHA512

                                                      99a0570b7e833686ec42d0ec96ffc5d1dbb2aa618c364389949ce568a1eb8a45462a02f168b72eade1ecec1d7f704c54222fa09334d3cb656d9afd3c31145766

                                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                      Filesize

                                                      342B

                                                      MD5

                                                      703eea09f867582f1f6ed0ef08ef944e

                                                      SHA1

                                                      16c69518bd787a57da5c8a40082655a20004cff0

                                                      SHA256

                                                      bc49bc6d5501884c8b019a0b91cf66c45edb6d9c7c0c92ad3a6d61ef7583f3c5

                                                      SHA512

                                                      d031022c49f0e76a91a7978437b68da8df498afd8bb4890286dcc05d3982bca81b2e8eccb06e48f2792a73be069bdf926e47abea230ad7042a2f7142620f750d

                                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                      Filesize

                                                      342B

                                                      MD5

                                                      73429cd9beb3cae403cf3357dac46c6c

                                                      SHA1

                                                      d67c1d1dfafd23e74e3712e322e811123ce7302e

                                                      SHA256

                                                      12ed323fca984f65d54b3027efbfc273885e95e66eaaf70d2a69396fba717b12

                                                      SHA512

                                                      32fb19bc2b57bed9d0bfa9689bf1068e5615d0f092b06b2a746abd93532fa74d8b0cc3a401dbcfbd45a2e1fb86282f7fd741d64a813647ec8fbf6d799092fdca

                                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                      Filesize

                                                      342B

                                                      MD5

                                                      f804430bbdbbeb953e80956cbccd94c0

                                                      SHA1

                                                      dfb2df8b2ec2e219a4f6f184621b56a0b6006e79

                                                      SHA256

                                                      a1b58f22c782ab427d2e54494d3ef294118d3797e45c0c93387c18768aa30877

                                                      SHA512

                                                      05cc27973451f4bc89ddb395794302a9cf51d9c23580ebee406b26043ad84917790f0c60b9ee67d2fb3f18f89a963e55dfa5e5fc965406d755303e8e070ceb9d

                                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                      Filesize

                                                      342B

                                                      MD5

                                                      40f70e0b7cbd2afb23d736bcaa996f9a

                                                      SHA1

                                                      34a9be68affaeb58e5642e96ca4696c7eb1d900e

                                                      SHA256

                                                      0c5fd2b9e9d9ea2727240116e10d7b9d228b1f944d85fd0350844919a3e2a8fc

                                                      SHA512

                                                      7398507d6a46ee7891006985759a496b3dd21059e90b7fbdfae25092001937f41a6caa59abf5d2abe35a073aafe2501893344073ac40b2bfd0b17313153b99ca

                                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                      Filesize

                                                      342B

                                                      MD5

                                                      7f09b4216ce25126bd040c58edc509e0

                                                      SHA1

                                                      1f435eac26a93d445d6096f9db688f632ef1d224

                                                      SHA256

                                                      37c9b8b18a390e9f285b9b0775851f5458a9ad15562b5b0f1e505aa46de983fe

                                                      SHA512

                                                      1581903823ec2c30e99eb6bbdc52abc4b9ac01497dbc22cadc81716faf354fe54c063f0e1893eb8d921c26439faf2fff76bbcfa84044a018ab0746c1de9f5c20

                                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                      Filesize

                                                      342B

                                                      MD5

                                                      c0ef2951288947f0dbfeab3ab3f7f716

                                                      SHA1

                                                      b7bd4e05569840fa492c5ef5ebae58630737da7f

                                                      SHA256

                                                      360f4fa856438f2cc7c8bc06c9d044df9f8b066a7fb4e6feb3072e8f0838bac8

                                                      SHA512

                                                      68e9aa6c76ffea4e8ca43d95fc6e636fcfee01b586f09e5a49840a6886023eef27fdc16176c8c8cfa8ed80f5ae171bc81cab8bcd0cc2535223b3c15555ae1b75

                                                    • C:\Users\Admin\AppData\Local\Temp\4iSnXMBO8P.bat

                                                      Filesize

                                                      240B

                                                      MD5

                                                      7fac1377f2dc31dc3609c10d3698ea95

                                                      SHA1

                                                      bd3a2f717e47ff859c4ec6c0e5a5ae3e5d0419e9

                                                      SHA256

                                                      4dd6391d93709e6fe1a9f01a839c478ae5dcb969d0ad6b0e80ecddb4e9cd1013

                                                      SHA512

                                                      4736529641a17fb6a26aa32ffae8fa093007333c2116b653829a4f370d675eb260f35d8ffc435cfa046dc5d0eac08cc226b266a465f69b8a342b12a47fb2d7ad

                                                    • C:\Users\Admin\AppData\Local\Temp\CV35gbisF1.bat

                                                      Filesize

                                                      240B

                                                      MD5

                                                      3c576b40439eace0ce7c501a67e5dd8e

                                                      SHA1

                                                      0c0374f12ec1d238550e68f1f3772c10223abb74

                                                      SHA256

                                                      ef49ab8cbf0b9d170d256ce8538ecf2b4597c6afc48c35834a726528a6dd1e4b

                                                      SHA512

                                                      5f0ebda9544103d747321447a5f82662a4033f643a3d202a6645a226a7ca998a8f179f4d581d7c62417b5a5522ee4800ac13309468cb268665302ab6a5de88ad

                                                    • C:\Users\Admin\AppData\Local\Temp\Cab14A.tmp

                                                      Filesize

                                                      70KB

                                                      MD5

                                                      49aebf8cbd62d92ac215b2923fb1b9f5

                                                      SHA1

                                                      1723be06719828dda65ad804298d0431f6aff976

                                                      SHA256

                                                      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                                      SHA512

                                                      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                                    • C:\Users\Admin\AppData\Local\Temp\FBiR4PpyYA.bat

                                                      Filesize

                                                      240B

                                                      MD5

                                                      5032dcd83f1e5f1d8bcf193cba303dc9

                                                      SHA1

                                                      793c812808c644f3cf72409a4e328d4d8e3c4c65

                                                      SHA256

                                                      967f59ca9354cf1eaf11e396ec2800b03a00259c598efa8258e98d439d035d0f

                                                      SHA512

                                                      f55486403622f648c718f94aab200a7bcf3897c3e831351e635b331071a25230d8822c5520b30132d54d180bf9a3ea77acc9282e49b6a960a605f86050b3fd5f

                                                    • C:\Users\Admin\AppData\Local\Temp\N7XO3McAFn.bat

                                                      Filesize

                                                      240B

                                                      MD5

                                                      accac74011db9354a2d652f60b3e24e8

                                                      SHA1

                                                      3a56a016232bf0c9ad9363dd045284f56e16d776

                                                      SHA256

                                                      b10f505e29a90907d816b2e118b06cb7e5b784af3f42459a81d8364799467420

                                                      SHA512

                                                      07cd1833314a51fcaa0da6587d49a7101e2958a20c6e33f2676c8e8f3b9f42d98c0a18a38c4e263412bc85d389c05470f760eac002e0c10b03cb31db08768483

                                                    • C:\Users\Admin\AppData\Local\Temp\OI2OM6vZgr.bat

                                                      Filesize

                                                      240B

                                                      MD5

                                                      34cbd6b262aa89351e8942fb4531203c

                                                      SHA1

                                                      a2632b24dc088b29b6fa0f1db77ca4eb783a4420

                                                      SHA256

                                                      ec1eb7886bf48cc42a42437854f11dce7ed66293a2587c39499ac5e84f9f18b1

                                                      SHA512

                                                      5f21cb223a58b1d6cb94a9dc1d7e958234a7c99ddda7f5027f26dd7d22379a6a2e2b92bb91e69883b602378779ae27aa8a3f104d689b401cb45d2208b5a9d1e2

                                                    • C:\Users\Admin\AppData\Local\Temp\SNhzeWIHcH.bat

                                                      Filesize

                                                      240B

                                                      MD5

                                                      9f963a9b6cfe107a35181dda4c73278c

                                                      SHA1

                                                      e5b89bc359140efc37a738682cf748a13ba214d2

                                                      SHA256

                                                      455fec89f33e38c378239c09ce8123c6916a6157d092885f869fae5eaf4d38bb

                                                      SHA512

                                                      ec37342f05e49ca29bade7096c7c8087d33e99623eb445094d6c3e6e045156ddf665eb0e6d15c66e0e0f657d2068cb6afd5de9c59684121f96e61daedc65f9a1

                                                    • C:\Users\Admin\AppData\Local\Temp\Tar16D.tmp

                                                      Filesize

                                                      181KB

                                                      MD5

                                                      4ea6026cf93ec6338144661bf1202cd1

                                                      SHA1

                                                      a1dec9044f750ad887935a01430bf49322fbdcb7

                                                      SHA256

                                                      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                                                      SHA512

                                                      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

• C:\Users\Admin\AppData\Local\Temp\axBdnWD1Gl.bat
  Filesize: 240B
  MD5: 718e53a6c860e1ab84488c5417c857f1
  SHA1: b6567e3c40f7b8cedcb823e7d05c6d7d50c1ecdd
  SHA256: 860b1cd013f7b721ffbd190e74bc4cdc72121327309196c25eb2a8c0e80ccb1d
  SHA512: 1299463f618ce1c7b86572251b64fadee7f6a658bb081322a4e641c6302887e60ca0a12e6e51bf450fa49806abec32023a101219d82144b968aa99e2e90736e8

• C:\Users\Admin\AppData\Local\Temp\ljgkLFIn4v.bat
  Filesize: 240B
  MD5: 9d247180b19fefa85c7c19913bb4b10b
  SHA1: 3a99e7eef0f4b55f34cad9deb8926cd0224fe718
  SHA256: 1a93e8a8418614b4fffd8b34861edc60b4675f4ca2b763b106ffa084587d00c3
  SHA512: df4f61132ae34665d5d160ad3c60f5a1267d98729bce6a460d9e8a7d438a81c026133d563cf13eb84d46db74255840a2eccc0f09cd3a1315b03675103426d2f6

• C:\Users\Admin\AppData\Local\Temp\qUPyb5cGVE.bat
  Filesize: 240B
  MD5: 3cadd7a3f4dbf26d81ff59a9c88b5e41
  SHA1: baffeba343d9482761bff99daa8c2946c2afefc5
  SHA256: 3b393705520f8fc0e810b64fae9c2e5f7f6e9606f5180ef85e7c9dede0cccc5a
  SHA512: 42e68ea3d5c2b0905077d4f385124756516270d64369a75c48c49213320f751e984329e2c64893f8be42bd26b7ed04155e31b16d048d721239ffdb085f1dcb3a

• C:\Users\Admin\AppData\Local\Temp\qwBPskakqG.bat
  Filesize: 240B
  MD5: 692c682eeca51e2d3f37f531988bd038
  SHA1: cce317898bc727e6296223a42c08a01dc438f514
  SHA256: 53916f9cc52cd39c13f8d3257d6d6e4a364d19c325640a732dd5f52a2e43bc77
  SHA512: 25448b7542bfab4d13e6f58dfcc6ebe1aab43d1957507ced49f66def942670d6b3bd964f714f440e44a117691118571ea18c5d98f74662be2c4b444c2772dfa1

• C:\Users\Admin\AppData\Local\Temp\sNl5EWIzDs.bat
  Filesize: 240B
  MD5: 778a4cbfa93ba7df36032fa63d82a3ae
  SHA1: 2d15f0a29b3dda31273112bf67c64b62f34e2732
  SHA256: fc138dae9439171017593adf5937b7365366d1ae63c6dab5818153adb6c659f1
  SHA512: 077cca84acab34e05b7442b6535a415884e31830ee4c1517cd450f80f826418dd5959edcc76bbbdc41201bfcf9b36635fc0975ae0c923e862fc3d42aa32a8742

• C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat
  Filesize: 240B
  MD5: f92d98d58925e6c394deb2e19c3b4595
  SHA1: 8c2929b985c1bfdf755ce42ea37262527205a264
  SHA256: 73773da3958a840ff526b1e26838bfa1417f1275aa53e54ad8164a935b3bbfe9
  SHA512: 90a5cca3e72d9c4f39eae6cb7f0aa1b8bc57a018eadd852025a4f8cceb6b0e43c58aae159ba405e2cba841d9ffb615a2243ba5561ac8e3aac76f63be89f03c78

• C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\RJY8BPSGI4WC7HE2Q5LM.temp
  Filesize: 7KB
  MD5: b164ae815a35daa19468451ae951e2e4
  SHA1: e249897a9962623a3a561764bf6cf5ac0883a353
  SHA256: 50670d9d8b12e5b1883a4ac69cc714b62112fff0ab745842d1ea077f198b47ae
  SHA512: 658e1007a6241e062b7858c09e70b4e2880d8eaccecd93d1f6594c8d5d5ce7e9071176daa8fba8960b59df4e03b97c3e1fa2d9e79a154e8e0382bc512561e747

• C:\providercommon\1zu9dW.bat
  Filesize: 36B
  MD5: 6783c3ee07c7d151ceac57f1f9c8bed7
  SHA1: 17468f98f95bf504cc1f83c49e49a78526b3ea03
  SHA256: 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
  SHA512: c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

• C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
  Filesize: 197B
  MD5: 8088241160261560a02c84025d107592
  SHA1: 083121f7027557570994c9fc211df61730455bb5
  SHA256: 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
  SHA512: 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

• \providercommon\DllCommonsvc.exe
  Filesize: 1.0MB
  MD5: bd31e94b4143c4ce49c17d3af46bcad0
  SHA1: f8c51ff3ff909531d9469d4ba1bbabae101853ff
  SHA256: b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
  SHA512: f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

• memory/884-50-0x000000001B690000-0x000000001B972000-memory.dmp
  Filesize: 2.9MB

• memory/884-51-0x0000000002070000-0x0000000002078000-memory.dmp
  Filesize: 32KB

• memory/2524-415-0x0000000000140000-0x0000000000250000-memory.dmp
  Filesize: 1.1MB

• memory/2564-655-0x0000000000F80000-0x0000000001090000-memory.dmp
  Filesize: 1.1MB

• memory/2600-595-0x00000000002C0000-0x00000000003D0000-memory.dmp
  Filesize: 1.1MB

• memory/2600-175-0x0000000000DF0000-0x0000000000F00000-memory.dmp
  Filesize: 1.1MB

• memory/2696-294-0x0000000000010000-0x0000000000120000-memory.dmp
  Filesize: 1.1MB

• memory/2768-13-0x0000000000330000-0x0000000000440000-memory.dmp
  Filesize: 1.1MB

• memory/2768-14-0x0000000000620000-0x0000000000632000-memory.dmp
  Filesize: 72KB

• memory/2768-16-0x0000000000640000-0x000000000064C000-memory.dmp
  Filesize: 48KB

• memory/2768-17-0x0000000000660000-0x000000000066C000-memory.dmp
  Filesize: 48KB

• memory/2768-15-0x0000000000650000-0x000000000065C000-memory.dmp
  Filesize: 48KB

• memory/2768-475-0x0000000001030000-0x0000000001140000-memory.dmp
  Filesize: 1.1MB

• memory/2828-715-0x0000000001180000-0x0000000001290000-memory.dmp
  Filesize: 1.1MB

• memory/2836-116-0x0000000000340000-0x0000000000352000-memory.dmp
  Filesize: 72KB

• memory/2836-115-0x0000000000D90000-0x0000000000EA0000-memory.dmp
  Filesize: 1.1MB

• memory/2872-355-0x0000000000150000-0x0000000000162000-memory.dmp
  Filesize: 72KB

• memory/2872-354-0x0000000000D50000-0x0000000000E60000-memory.dmp
  Filesize: 1.1MB

• memory/3032-535-0x00000000003D0000-0x00000000003E2000-memory.dmp
  Filesize: 72KB