Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    30/12/2024, 17:34

General

  • Target

    JaffaCakes118_19a30eba2f1f9f8b44ba1ced34cecdd5c70e6b9b8c331cf812494756a6566415.exe

  • Size

    1.3MB

  • MD5

    2566e9a0059f9fac9e4e999937f0d94f

  • SHA1

    418d6ffcffd6eb1ba7b6966ca5437ebc3c4615a0

  • SHA256

    19a30eba2f1f9f8b44ba1ced34cecdd5c70e6b9b8c331cf812494756a6566415

  • SHA512

    6dfd6f0a0aa78dfb7eb3117f645e35ae52d52b641886b9041a8cb8856228914426f97eecabd1b911c0ce3309c345e7a38015f0b2239f87571e958c4577131966

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 48 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 10 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 36 IoCs
  • Suspicious use of AdjustPrivilegeToken 30 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_19a30eba2f1f9f8b44ba1ced34cecdd5c70e6b9b8c331cf812494756a6566415.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_19a30eba2f1f9f8b44ba1ced34cecdd5c70e6b9b8c331cf812494756a6566415.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3024
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2016
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2480
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2996
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1788
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\inf\TermService\0409\WMIADAP.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2408
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\OSPPSVC.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1556
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\audiodg.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2496
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\wininit.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2504
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\it-IT\cmd.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1444
          • C:\providercommon\DllCommonsvc.exe
            "C:\providercommon\DllCommonsvc.exe"
            5⤵
            • Executes dropped EXE
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1856
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2540
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Performance\WinSAT\DataStore\System.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2092
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\WMIADAP.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:444
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Adobe\Acrobat\9.0\wininit.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2848
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\fonts\powershell.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2480
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsm.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2120
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\explorer.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:836
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SchCache\powershell.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1356
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\powershell.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3036
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\it-IT\WMIADAP.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:996
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\spoolsv.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2260
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Uninstall Information\lsass.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1636
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SC1CH8sHf8.bat"
              6⤵
                PID:2512
                • C:\Windows\system32\w32tm.exe
                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                  7⤵
                    PID:1588
                  • C:\Windows\Performance\WinSAT\DataStore\System.exe
                    "C:\Windows\Performance\WinSAT\DataStore\System.exe"
                    7⤵
                    • Executes dropped EXE
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:796
                    • C:\Windows\System32\cmd.exe
                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Dk8ljd7jBY.bat"
                      8⤵
                        PID:1544
                        • C:\Windows\system32\w32tm.exe
                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                          9⤵
                            PID:2152
                          • C:\Windows\Performance\WinSAT\DataStore\System.exe
                            "C:\Windows\Performance\WinSAT\DataStore\System.exe"
                            9⤵
                            • Executes dropped EXE
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            PID:2400
                            • C:\Windows\System32\cmd.exe
                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EOPCJ2Obyf.bat"
                              10⤵
                                PID:2432
                                • C:\Windows\system32\w32tm.exe
                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                  11⤵
                                    PID:1720
                                  • C:\Windows\Performance\WinSAT\DataStore\System.exe
                                    "C:\Windows\Performance\WinSAT\DataStore\System.exe"
                                    11⤵
                                    • Executes dropped EXE
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:1608
                                    • C:\Windows\System32\cmd.exe
                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zi4n06VBpB.bat"
                                      12⤵
                                        PID:2000
                                        • C:\Windows\system32\w32tm.exe
                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                          13⤵
                                            PID:1512
                                          • C:\Windows\Performance\WinSAT\DataStore\System.exe
                                            "C:\Windows\Performance\WinSAT\DataStore\System.exe"
                                            13⤵
                                            • Executes dropped EXE
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:1860
                                            • C:\Windows\System32\cmd.exe
                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gTQuRhIyam.bat"
                                              14⤵
                                                PID:2104
                                                • C:\Windows\system32\w32tm.exe
                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                  15⤵
                                                    PID:1868
                                                  • C:\Windows\Performance\WinSAT\DataStore\System.exe
                                                    "C:\Windows\Performance\WinSAT\DataStore\System.exe"
                                                    15⤵
                                                    • Executes dropped EXE
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:1708
                                                    • C:\Windows\System32\cmd.exe
                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sNl5EWIzDs.bat"
                                                      16⤵
                                                        PID:2816
                                                        • C:\Windows\system32\w32tm.exe
                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                          17⤵
                                                            PID:2256
                                                          • C:\Windows\Performance\WinSAT\DataStore\System.exe
                                                            "C:\Windows\Performance\WinSAT\DataStore\System.exe"
                                                            17⤵
                                                            • Executes dropped EXE
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:2680
                                                            • C:\Windows\System32\cmd.exe
                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UJpHfzfs2i.bat"
                                                              18⤵
                                                                PID:2628
                                                                • C:\Windows\system32\w32tm.exe
                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                  19⤵
                                                                    PID:2040
                                                                  • C:\Windows\Performance\WinSAT\DataStore\System.exe
                                                                    "C:\Windows\Performance\WinSAT\DataStore\System.exe"
                                                                    19⤵
                                                                    • Executes dropped EXE
                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    PID:2480
                                                                    • C:\Windows\System32\cmd.exe
                                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1JZ2DT5CuV.bat"
                                                                      20⤵
                                                                        PID:932
                                                                        • C:\Windows\system32\w32tm.exe
                                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                          21⤵
                                                                            PID:1856
                                                                          • C:\Windows\Performance\WinSAT\DataStore\System.exe
                                                                            "C:\Windows\Performance\WinSAT\DataStore\System.exe"
                                                                            21⤵
                                                                            • Executes dropped EXE
                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:1256
                                                                            • C:\Windows\System32\cmd.exe
                                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zi4n06VBpB.bat"
                                                                              22⤵
                                                                                PID:3036
                                                                                • C:\Windows\system32\w32tm.exe
                                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                  23⤵
                                                                                    PID:1132
                                                                                  • C:\Windows\Performance\WinSAT\DataStore\System.exe
                                                                                    "C:\Windows\Performance\WinSAT\DataStore\System.exe"
                                                                                    23⤵
                                                                                    • Executes dropped EXE
                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                    PID:1584
                                                                                    • C:\Windows\System32\cmd.exe
                                                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4JlC5zfAS6.bat"
                                                                                      24⤵
                                                                                        PID:2900
                                                                                        • C:\Windows\system32\w32tm.exe
                                                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                          25⤵
                                                                                            PID:2876
                                                                                          • C:\Windows\Performance\WinSAT\DataStore\System.exe
                                                                                            "C:\Windows\Performance\WinSAT\DataStore\System.exe"
                                                                                            25⤵
                                                                                            • Executes dropped EXE
                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                            PID:2368
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 5 /tr "'C:\Windows\inf\TermService\0409\WMIADAP.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2840
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Windows\inf\TermService\0409\WMIADAP.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2596
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 5 /tr "'C:\Windows\inf\TermService\0409\WMIADAP.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2704
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Adobe\OSPPSVC.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2624
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\OSPPSVC.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2580
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\OSPPSVC.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2640
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\audiodg.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:3052
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2984
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:484
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\providercommon\wininit.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2104
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1808
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2492
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Sidebar\it-IT\cmd.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1664
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\it-IT\cmd.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1012
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\it-IT\cmd.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1288
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Windows\Performance\WinSAT\DataStore\System.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1800
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\DataStore\System.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1536
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Windows\Performance\WinSAT\DataStore\System.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1724
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 7 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\WMIADAP.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2296
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\WMIADAP.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1928
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 6 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\WMIADAP.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:780
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Adobe\Acrobat\9.0\wininit.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2164
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Acrobat\9.0\wininit.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1748
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Adobe\Acrobat\9.0\wininit.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1932
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 7 /tr "'C:\Program Files\Mozilla Firefox\fonts\powershell.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2896
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\fonts\powershell.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1576
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 10 /tr "'C:\Program Files\Mozilla Firefox\fonts\powershell.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2124
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsm.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2116
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2648
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2308
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\explorer.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2000
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\explorer.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:3048
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\explorer.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2660
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 13 /tr "'C:\Windows\SchCache\powershell.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2716
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Windows\SchCache\powershell.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2616
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 14 /tr "'C:\Windows\SchCache\powershell.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2632
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\powershell.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1056
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\powershell.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:872
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Portable Devices\powershell.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2364
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Sidebar\it-IT\WMIADAP.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2596
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\it-IT\WMIADAP.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2960
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Sidebar\it-IT\WMIADAP.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2624
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\spoolsv.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:884
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\spoolsv.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2788
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\spoolsv.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2608
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Uninstall Information\lsass.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2696
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\lsass.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2816
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Uninstall Information\lsass.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2664

                                          Network

                                                MITRE ATT&CK Enterprise v15

                                                Replay Monitor

                                                Loading Replay Monitor...

                                                Downloads

                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                  Filesize

                                                  342B

                                                  MD5

                                                  92d2955b8b05d023e4122bdddea26d88

                                                  SHA1

                                                  0b05ac96e124b5122f1e8ba3b3f6a99771854b6a

                                                  SHA256

                                                  a76266c4192377e4ce87627de5c1e99a4f2e7509bb4794a0f34c091c5c3c0f9c

                                                  SHA512

                                                  f09761342f9818980dc93b22209515ae7d17e40e30f05d15ed007232cb66fdab08dad543fb1772844f7fd3f5c8e4a60cf80effb54f4fe21f35ac6f92a3c2772e

                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                  Filesize

                                                  342B

                                                  MD5

                                                  3ad1645a58c58dea223ea30a8f2a11f6

                                                  SHA1

                                                  0d8bc6fd8648f8f559ffaa7b847e83cd6d26da65

                                                  SHA256

                                                  879d9a9ead455ea1565f17b8521341908b150dff628b93aedea4714f8971e663

                                                  SHA512

                                                  105b71ad2d18763c5f43e35a1c682e96a13358764b863b9db8ee0b93e216083cbc3e337cb42b0dd10f047c69990b9388ce35856b10e799eb2f2ca16a0740f889

                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                  Filesize

                                                  342B

                                                  MD5

                                                  e7741cd0a4f5cbe92d3ed3e7081bbfb5

                                                  SHA1

                                                  70c08bcbbe78ebb6edef7e070d4dedb72137763f

                                                  SHA256

                                                  2e36719218c83e878d48f79d7a7af50d0ed0e4437363b6ef1d7589d986ca8014

                                                  SHA512

                                                  fdc24960f500459ad0b346e2b488a931a6135d3c6e19eb3d01f15d2687f672bb8a5dab6d8e579ed32a738aa72055f4cc18add9a6085b243edecdea1c12ec7d09

                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                  Filesize

                                                  342B

                                                  MD5

                                                  90b6464d7e743ee0f7dbc5478c29a1f6

                                                  SHA1

                                                  ab52ecd310545d88c72ed330bd599cf6465b0476

                                                  SHA256

                                                  addd92524c92266772639a925e787ad9f1088ca865e142e1e94defad73fb1b61

                                                  SHA512

                                                  288fe59273087049095867f6d4bfc40e068c577ba7950a226663bab5c4b5fa10265e48622c6e9f6e146a5e3e16cc5da9927e35bf71a45721b818202dc39e6c78

                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                  Filesize

                                                  342B

                                                  MD5

                                                  8349a4654e6530e08bfde2deb093f420

                                                  SHA1

                                                  33072db3c944fef34a07ed188f6e6b27ae02ac96

                                                  SHA256

                                                  bb48df13dabf6f5f0535f6bce8197609cad3955ebbeaa035bcf297168f33334a

                                                  SHA512

                                                  0b7a3e974d826d0a6952c54bd243d01f95c3bbb149f0c2615cfeac3c27f7d889016fbc33256b9708b49488300522bc32bab58ab2c44055d194536ca3b8958834

                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                  Filesize

                                                  342B

                                                  MD5

                                                  ab217d2bcc72642ba22af7624284df0f

                                                  SHA1

                                                  3a7d5d5cb92d345963a2aeccbe2e488e587510db

                                                  SHA256

                                                  4cef1f01653464e393ecebc9b0a7c217ab864fe61fd365a45cc40bfb1bb8ade4

                                                  SHA512

                                                  02338fd2c05054c07785075e6f3b4d0e970a19e610e61e311e914311f3378ce5bcb3bebefe39224e5e0e569ecd8705c0bea35411234ad318563f5c63875e1b74

                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                  Filesize

                                                  342B

                                                  MD5

                                                  c36cc310862c89675357bb5aa548a2d4

                                                  SHA1

                                                  75f1b24e7d74571c55b48b6b5b3250309182baa5

                                                  SHA256

                                                  240151b1b13e7f54234426389bd8dbe0e3258d36ec54739eb154da417c486069

                                                  SHA512

                                                  add5b2ad6925d2dcb4484a541c709c41d6b029676c028909f0064c50cb54f6deddd0c9c2d771cb01546090b94ef497a1582c5bf8ddfb9eea33e57e6193af5a0e

                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                  Filesize

                                                  342B

                                                  MD5

                                                  67a285133eb03e12262d9b514338e859

                                                  SHA1

                                                  bdc2b18dba66b40e6e626ad15366882787bb45b8

                                                  SHA256

                                                  b7ae10be8343c8ef81119fe65e7388aa34830a6ab63d5e962d991eae85bbcecf

                                                  SHA512

                                                  3bd5f5d7d732feab7131f754bafe329c02988444174271ea0bcf4cdc52970337075712470893fe7ddb4b0892354146d6d44c7cbf14c8d8587aa08101c996074a

                                                • C:\Users\Admin\AppData\Local\Temp\1JZ2DT5CuV.bat

                                                  Filesize

                                                  215B

                                                  MD5

                                                  745b9d95546203d57ddc8f9c45b773c0

                                                  SHA1

                                                  194a91344ff92d6782b19c004dc6833362223307

                                                  SHA256

                                                  0a9b52a77314e6b8b2da08d8adfd394bead80d71649b61ec42c355ab2793e7c2

                                                  SHA512

                                                  e1edb86d32400a1250f332166b46fb9a0f80e4e0967d4147825f29c770206cef6839f23e33febf996bd808973f7ec1640b3db5b738d3b93c21dfe64932a689f5

                                                • C:\Users\Admin\AppData\Local\Temp\4JlC5zfAS6.bat

                                                  Filesize

                                                  215B

                                                  MD5

                                                  1cc17bde7e27e6166eef062f4df8d427

                                                  SHA1

                                                  75a526624b86d50af9c9184de2693c96ab18090c

                                                  SHA256

                                                  df09b190ceb0eae6fbee73d9581f128b86733a41ac3da6490ac08f25d7eb84dc

                                                  SHA512

                                                  e7ca4ee93e748d0e2dc5ae34fd3b2a44957c4e447013895f7dc8e831222267e2c57cb1bb51e4311980e6c6ce49d1ebf9aed6245a3a36cd520f5bf649fd174fb1

                                                • C:\Users\Admin\AppData\Local\Temp\Cab286A.tmp

                                                  Filesize

                                                  70KB

                                                  MD5

                                                  49aebf8cbd62d92ac215b2923fb1b9f5

                                                  SHA1

                                                  1723be06719828dda65ad804298d0431f6aff976

                                                  SHA256

                                                  b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                                  SHA512

                                                  bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                                • C:\Users\Admin\AppData\Local\Temp\Dk8ljd7jBY.bat

                                                  Filesize

                                                  215B

                                                  MD5

                                                  d9c91a3c460946c28d8a718dea8d7954

                                                  SHA1

                                                  4da509fd373b0faf6ad73c5a5917cc5059bea700

                                                  SHA256

                                                  d60f1b9bdf09d214872498135a16ef1c7600927ac6043d39c91919c9a9833b1e

                                                  SHA512

                                                  8dd7436bacf0c75ff70de878094816423afa70a40dfedaf81d2cf1ee5f7817cddade8acd5278c962198b64a18b77f60ac2e05623561e3f43309486a3dc9e48e1

                                                • C:\Users\Admin\AppData\Local\Temp\EOPCJ2Obyf.bat

                                                  Filesize

                                                  215B

                                                  MD5

                                                  388832346eeae10af3cc439a94c974f5

                                                  SHA1

                                                  2d42e0b65ef064af5177fa46376fa0adc989b060

                                                  SHA256

                                                  2305af3f2b3f3f384f0a7216665c5e13831c1ee9e37ab4ef35d16942e0452a7b

                                                  SHA512

                                                  dd93750ad13d56d0f6589dada699566b370c903f6ca359148e83bc36f3af4a798efea18e416ee4a5c49ad0657ccd8b8509f0f58ebbff9f04390b77e24e5f8392

                                                • C:\Users\Admin\AppData\Local\Temp\SC1CH8sHf8.bat

                                                  Filesize

                                                  215B

                                                  MD5

                                                  113194eb27725630128a060946b9b785

                                                  SHA1

                                                  4b2d09580b2981edce0f5167fe52001f59b0517b

                                                  SHA256

                                                  0b3bc539062df51b4cb6897cbe53e135de66c2e058652f958df5168024c2d570

                                                  SHA512

                                                  8ab20f84d8ff8364a624c6a74c76e06b95369f1d7376c5dc8c8f321fb5da7bcda42ad194fe58c8983f4306606bb440f7cd9288a5d34bd9870c560ca102acb64a

                                                • C:\Users\Admin\AppData\Local\Temp\Tar288C.tmp

                                                  Filesize

                                                  181KB

                                                  MD5

                                                  4ea6026cf93ec6338144661bf1202cd1

                                                  SHA1

                                                  a1dec9044f750ad887935a01430bf49322fbdcb7

                                                  SHA256

                                                  8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                                                  SHA512

                                                  6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                                • C:\Users\Admin\AppData\Local\Temp\UJpHfzfs2i.bat

                                                  Filesize

                                                  215B

                                                  MD5

                                                  996daefb63f0e8bf79545c10096742ba

                                                  SHA1

                                                  fa47a6804df200ac18326292a594395296f4858a

                                                  SHA256

                                                  b750ba08fc3546fb2fa4d804633f227d93eb776c7ca8224823ad9cf3fca7bd6b

                                                  SHA512

                                                  d795aa5fe2dbe55ca0b49d503d9c6df09c744e1905409d90b3013fe4aca3323d024d9534e4d06bc2d2fb2f3147cf6b657bdec3a3ea30fba30720cd96cbafac34

                                                • C:\Users\Admin\AppData\Local\Temp\gTQuRhIyam.bat

                                                  Filesize

                                                  215B

                                                  MD5

                                                  b3886c7c0cf3e114776d2e87629c3e4a

                                                  SHA1

                                                  f581c3ca6dac07831cc3d82a0748e169212a7947

                                                  SHA256

                                                  fbd7fc1dd774e7700bf1c54a1dd32fb410201f6a667a8f40719afd546ed5183f

                                                  SHA512

                                                  69f34e3db9f1ff7cde5ed71c5cf3215714ccf0e4830b23cdc7033f65602a563fb933cbd36f4adf3a5da8187eab11148ca09a26d4ac38681d673153530188bb96

                                                • C:\Users\Admin\AppData\Local\Temp\sNl5EWIzDs.bat

                                                  Filesize

                                                  215B

                                                  MD5

                                                  f28e9ecfe10a7022fd003ffebe650c91

                                                  SHA1

                                                  5a033fbd64ed8d7952532e85280bca60a210e4b1

                                                  SHA256

                                                  e334fdfbedcd83cfd04b8aadd2e84596831018bf645f8e7b3520829d067cafbd

                                                  SHA512

                                                  b3f04c098ef6530eddc5c2ce3125725094006824184f7ecb9f3ec20c034c57e1a1a4d76da2563657c0660d5110b39daa472bb5ce3f07c5b1f055d8924a9d558d

                                                • C:\Users\Admin\AppData\Local\Temp\zi4n06VBpB.bat

                                                  Filesize

                                                  215B

                                                  MD5

                                                  a6fdaddd55dd2c344b7730e74677124a

                                                  SHA1

                                                  b782249fa60d10a21d5645121086a19498d54c40

                                                  SHA256

                                                  60ed70598d3c9c772e3109139ca21f96f67c9d756123a244fefc2dfb92b90ca0

                                                  SHA512

                                                  40d0e3ebe9228b71932a3cc7891840e40808c152b24cdba4c31511923df4859dfb6c3741e61e3bbb7a7aee0edb1047b85193c3b036f2ce2d2b18295d26d4f4aa

                                                • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                                  Filesize

                                                  7KB

                                                  MD5

                                                  0aff3ddf3dd4c0c9d7da8d706b8086ab

                                                  SHA1

                                                  093c0ec12cd814f1f345a830f077b89cdbd566e5

                                                  SHA256

                                                  c89e92446a7f7523f7b8952270e09a6805211576d3af0ac58ad1f264c279740e

                                                  SHA512

                                                  f90e8042df43a774476c1ae6378f6547a2a77facc9d438b1b6b90672420566ae71643c8d363c84788158aab5ef15aa041f17922fa286ee9704f367dd49c6d725

                                                • C:\providercommon\1zu9dW.bat

                                                  Filesize

                                                  36B

                                                  MD5

                                                  6783c3ee07c7d151ceac57f1f9c8bed7

                                                  SHA1

                                                  17468f98f95bf504cc1f83c49e49a78526b3ea03

                                                  SHA256

                                                  8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

                                                  SHA512

                                                  c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                                • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                                  Filesize

                                                  197B

                                                  MD5

                                                  8088241160261560a02c84025d107592

                                                  SHA1

                                                  083121f7027557570994c9fc211df61730455bb5

                                                  SHA256

                                                  2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

                                                  SHA512

                                                  20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                                • \providercommon\DllCommonsvc.exe

                                                  Filesize

                                                  1.0MB

                                                  MD5

                                                  bd31e94b4143c4ce49c17d3af46bcad0

                                                  SHA1

                                                  f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                                  SHA256

                                                  b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                                  SHA512

                                                  f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                                • memory/796-149-0x0000000000050000-0x0000000000160000-memory.dmp

                                                  Filesize

                                                  1.1MB

                                                • memory/1256-567-0x0000000000240000-0x0000000000252000-memory.dmp

                                                  Filesize

                                                  72KB

                                                • memory/1256-566-0x0000000001310000-0x0000000001420000-memory.dmp

                                                  Filesize

                                                  1.1MB

                                                • memory/1584-627-0x0000000000330000-0x0000000000440000-memory.dmp

                                                  Filesize

                                                  1.1MB

                                                • memory/1708-386-0x00000000013A0000-0x00000000014B0000-memory.dmp

                                                  Filesize

                                                  1.1MB

                                                • memory/1788-38-0x000000001B630000-0x000000001B912000-memory.dmp

                                                  Filesize

                                                  2.9MB

                                                • memory/1788-39-0x00000000028F0000-0x00000000028F8000-memory.dmp

                                                  Filesize

                                                  32KB

                                                • memory/1856-60-0x00000000003C0000-0x00000000003D2000-memory.dmp

                                                  Filesize

                                                  72KB

                                                • memory/2368-687-0x0000000000920000-0x0000000000A30000-memory.dmp

                                                  Filesize

                                                  1.1MB

                                                • memory/2368-688-0x00000000002B0000-0x00000000002C2000-memory.dmp

                                                  Filesize

                                                  72KB

                                                • memory/2400-208-0x00000000009C0000-0x0000000000AD0000-memory.dmp

                                                  Filesize

                                                  1.1MB

                                                • memory/2480-506-0x0000000000350000-0x0000000000460000-memory.dmp

                                                  Filesize

                                                  1.1MB

                                                • memory/2680-446-0x0000000000020000-0x0000000000130000-memory.dmp

                                                  Filesize

                                                  1.1MB

                                                • memory/2848-96-0x0000000002710000-0x0000000002718000-memory.dmp

                                                  Filesize

                                                  32KB

                                                • memory/2848-91-0x000000001B6B0000-0x000000001B992000-memory.dmp

                                                  Filesize

                                                  2.9MB

                                                • memory/2996-17-0x0000000000A20000-0x0000000000A2C000-memory.dmp

                                                  Filesize

                                                  48KB

                                                • memory/2996-16-0x0000000000A10000-0x0000000000A1C000-memory.dmp

                                                  Filesize

                                                  48KB

                                                • memory/2996-15-0x0000000000A00000-0x0000000000A0C000-memory.dmp

                                                  Filesize

                                                  48KB

                                                • memory/2996-14-0x00000000009F0000-0x0000000000A02000-memory.dmp

                                                  Filesize

                                                  72KB

                                                • memory/2996-13-0x0000000001300000-0x0000000001410000-memory.dmp

                                                  Filesize

                                                  1.1MB