Analysis

  • max time kernel
    146s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    30/12/2024, 17:34

General

  • Target

    JaffaCakes118_6b07f1fc796949b8b50575f65dac84cadfdc3dbb428962cd9eaaa26033d0e649.exe

  • Size

    1.3MB

  • MD5

    e61eccdf0a05ef3fa73691d96fd0d34d

  • SHA1

    cc80f9c112eb61e1c057bcc9b1a7aa97806a0926

  • SHA256

    6b07f1fc796949b8b50575f65dac84cadfdc3dbb428962cd9eaaa26033d0e649

  • SHA512

    118bb2a4e4047a0c46fb6dd3e22017e598194a13a74db403107af8b360d7477e264e954488403b38fbe3dc7771a83724948d82f5edb7405164d8ba5a187d27aa

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 42 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 6 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs
  • Drops file in Program Files directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 35 IoCs
  • Suspicious use of AdjustPrivilegeToken 27 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6b07f1fc796949b8b50575f65dac84cadfdc3dbb428962cd9eaaa26033d0e649.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6b07f1fc796949b8b50575f65dac84cadfdc3dbb428962cd9eaaa26033d0e649.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2292
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2300
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1868
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2784
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2412
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\smss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2184
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:588
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\ja-JP\winlogon.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2176
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2540
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2392
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\wininit.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1088
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\TableTextService\it-IT\WMIADAP.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:996
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\winlogon.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1876
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Music\smss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1644
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\cmd.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:568
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\sppsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1824
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Music\Sample Music\Idle.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2220
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2304
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Videos\Sample Videos\OSPPSVC.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2536
          • C:\Users\Default\Music\smss.exe
            "C:\Users\Default\Music\smss.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2748
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\H7kUlUtrsw.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2440
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                  PID:2876
                • C:\Users\Default\Music\smss.exe
                  "C:\Users\Default\Music\smss.exe"
                  7⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2268
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OI2OM6vZgr.bat"
                    8⤵
                      PID:2684
                      • C:\Windows\system32\w32tm.exe
                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                        9⤵
                          PID:2488
                        • C:\Users\Default\Music\smss.exe
                          "C:\Users\Default\Music\smss.exe"
                          9⤵
                          • Executes dropped EXE
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2820
                          • C:\Windows\System32\cmd.exe
                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\G2aNa3Lme8.bat"
                            10⤵
                              PID:2908
                              • C:\Windows\system32\w32tm.exe
                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                11⤵
                                  PID:2056
                                • C:\Users\Default\Music\smss.exe
                                  "C:\Users\Default\Music\smss.exe"
                                  11⤵
                                  • Executes dropped EXE
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:568
                                  • C:\Windows\System32\cmd.exe
                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eQ9EwglUAP.bat"
                                    12⤵
                                      PID:1276
                                      • C:\Windows\system32\w32tm.exe
                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                        13⤵
                                          PID:2120
                                        • C:\Users\Default\Music\smss.exe
                                          "C:\Users\Default\Music\smss.exe"
                                          13⤵
                                          • Executes dropped EXE
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:1772
                                          • C:\Windows\System32\cmd.exe
                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\H7eFR6a9mI.bat"
                                            14⤵
                                              PID:108
                                              • C:\Windows\system32\w32tm.exe
                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                15⤵
                                                  PID:2812
                                                • C:\Users\Default\Music\smss.exe
                                                  "C:\Users\Default\Music\smss.exe"
                                                  15⤵
                                                  • Executes dropped EXE
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:1224
                                                  • C:\Windows\System32\cmd.exe
                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7ouYA2TrKB.bat"
                                                    16⤵
                                                      PID:2820
                                                      • C:\Windows\system32\w32tm.exe
                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                        17⤵
                                                          PID:2056
                                                        • C:\Users\Default\Music\smss.exe
                                                          "C:\Users\Default\Music\smss.exe"
                                                          17⤵
                                                          • Executes dropped EXE
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:2764
                                                          • C:\Windows\System32\cmd.exe
                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8t4fMT0wY0.bat"
                                                            18⤵
                                                              PID:308
                                                              • C:\Windows\system32\w32tm.exe
                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                19⤵
                                                                  PID:2204
                                                                • C:\Users\Default\Music\smss.exe
                                                                  "C:\Users\Default\Music\smss.exe"
                                                                  19⤵
                                                                  • Executes dropped EXE
                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:2064
                                                                  • C:\Windows\System32\cmd.exe
                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WqeaogqjWu.bat"
                                                                    20⤵
                                                                      PID:2216
                                                                      • C:\Windows\system32\w32tm.exe
                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                        21⤵
                                                                          PID:876
                                                                        • C:\Users\Default\Music\smss.exe
                                                                          "C:\Users\Default\Music\smss.exe"
                                                                          21⤵
                                                                          • Executes dropped EXE
                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          PID:2016
                                                                          • C:\Windows\System32\cmd.exe
                                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YpSpsobUXT.bat"
                                                                            22⤵
                                                                              PID:996
                                                                              • C:\Windows\system32\w32tm.exe
                                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                23⤵
                                                                                  PID:2348
                                                                                • C:\Users\Default\Music\smss.exe
                                                                                  "C:\Users\Default\Music\smss.exe"
                                                                                  23⤵
                                                                                  • Executes dropped EXE
                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                  PID:1660
                                                                                  • C:\Windows\System32\cmd.exe
                                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5EJ4eIa89C.bat"
                                                                                    24⤵
                                                                                      PID:1080
                                                                                      • C:\Windows\system32\w32tm.exe
                                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                        25⤵
                                                                                          PID:2308
                                                                                        • C:\Users\Default\Music\smss.exe
                                                                                          "C:\Users\Default\Music\smss.exe"
                                                                                          25⤵
                                                                                          • Executes dropped EXE
                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:2608
                                                                                          • C:\Windows\System32\cmd.exe
                                                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j8BV8simza.bat"
                                                                                            26⤵
                                                                                              PID:2696
                                                                                              • C:\Windows\system32\w32tm.exe
                                                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                27⤵
                                                                                                  PID:3000
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\providercommon\smss.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2664
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2660
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2756
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\providercommon\spoolsv.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2632
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2704
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2488
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\winlogon.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:660
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\winlogon.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:308
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\winlogon.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:604
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\providercommon\lsm.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:3028
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2968
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:3048
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2996
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2964
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2896
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\providercommon\wininit.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:3044
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1508
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1496
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\TableTextService\it-IT\WMIADAP.exe'" /f
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1268
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\it-IT\WMIADAP.exe'" /rl HIGHEST /f
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1980
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\TableTextService\it-IT\WMIADAP.exe'" /rl HIGHEST /f
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2456
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\providercommon\winlogon.exe'" /f
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2736
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:760
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1996
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Music\smss.exe'" /f
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1060
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default\Music\smss.exe'" /rl HIGHEST /f
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:624
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Music\smss.exe'" /rl HIGHEST /f
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1100
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\cmd.exe'" /f
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2620
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\cmd.exe'" /rl HIGHEST /f
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1144
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\cmd.exe'" /rl HIGHEST /f
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1200
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\sppsvc.exe'" /f
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1592
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\sppsvc.exe'" /rl HIGHEST /f
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1156
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\sppsvc.exe'" /rl HIGHEST /f
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1000
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Music\Sample Music\Idle.exe'" /f
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:108
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Public\Music\Sample Music\Idle.exe'" /rl HIGHEST /f
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1732
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Music\Sample Music\Idle.exe'" /rl HIGHEST /f
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2236
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\providercommon\sppsvc.exe'" /f
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1520
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1372
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1740
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Videos\Sample Videos\OSPPSVC.exe'" /f
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2216
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Public\Videos\Sample Videos\OSPPSVC.exe'" /rl HIGHEST /f
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2224
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Videos\Sample Videos\OSPPSVC.exe'" /rl HIGHEST /f
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2016

                                            Network

                                                  MITRE ATT&CK Enterprise v15

                                                  Downloads

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                    Filesize

                                                    342B

                                                    MD5

                                                    c9db2b3f2f66075b3bd759a3b9d95518

                                                    SHA1

                                                    99d90e97463e48d285ffa3c750c901a09d0507ac

                                                    SHA256

                                                    1db37d6b43b4319e8e0f3f4ddb30c39a5740a7b778e19fbb561ab162812bfbb9

                                                    SHA512

                                                    51480000ddc5db6b1b8a216af7fa593a20afd7000c0326ac194c1724581cb1e9d30a6fa448d6e973ce75d5ee43bc3be89263e0239a6e95de38cb97796ea98e90

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                    Filesize

                                                    342B

                                                    MD5

                                                    4fd2a9a5d311e4aa1fb05de55715640c

                                                    SHA1

                                                    4e85edd7ada08913c369f10d41c664fc8717c9b6

                                                    SHA256

                                                    85ada1798bae0a95fc9b4e166c1d097f7701e332ce0976659e671ebedfc3c719

                                                    SHA512

                                                    2c3f9fb0328e5f3b1a6a039c3a34fe505389a75a5e9e57f06cdd65b078b28ee8d5dcaa150d9f4ce5d4d36cad7f48b3aed15e19ba32e1d7c51156c466d8f083e7

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                    Filesize

                                                    342B

                                                    MD5

                                                    a9acab142f07489f3d3f35e2c4901ff1

                                                    SHA1

                                                    6abc081f90a84250d8c9bd0ff580269f61d1de4d

                                                    SHA256

                                                    74b783d9bc6391977530cebb9841a89afc792c1063066d67b82141e2817178c6

                                                    SHA512

                                                    ac270b64a975efa5f2d637136c9d6a49c48841b5b4264461816062a4b8a5f76ca3c2b21a2ed956ef77c7cf17b946ebbbac98289aa5ac05a4339ec6ea4e920d55

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                    Filesize

                                                    342B

                                                    MD5

                                                    3495146d54816ee6fbbb4a314645a980

                                                    SHA1

                                                    57e107822ea1326b2ad4771cd6e8f779f4a07e05

                                                    SHA256

                                                    a4d76a0f2740f0585370641541de4defdb83706b0b04d984e69fb6efb33e4c33

                                                    SHA512

                                                    fb1f73f50d924136fca9a5a50332f02e5178cc5fc444c873d29af6baec04d0862ccca3984385635ef403b4549f035e0d6ac595594f369ed343a1423019ed1b46

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                    Filesize

                                                    342B

                                                    MD5

                                                    54f6df09f39fbfe16f0c2544254338a0

                                                    SHA1

                                                    08498cf7b152ed298e635c9b5d00ec0cf4a8cb21

                                                    SHA256

                                                    c24569cb56dcdabb521a01c385c7d10e5be2f27869ab5b959011a20a8788edef

                                                    SHA512

                                                    f8e1fb46daae74ba2b181d38a01fb59a45a1c8629fee31feab9ed629bc5b26939a85c98b086fe3dab04a7bd7dd5ddcae514a6a8450864e11dd37ca2b78a09437

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                    Filesize

                                                    342B

                                                    MD5

                                                    64b67b7f8d021adfd200846add1da229

                                                    SHA1

                                                    ec4f646cbd57b4234ad61f8f7c487dee62fa5789

                                                    SHA256

                                                    ff0261bb95a062119a7ebc54040c836d05459d0d12efee9f1659047d83dc7f76

                                                    SHA512

                                                    607791c3e3c4b81d3df81a9f7f62b8aee5890c5209b01901acd5a1586584e0bc9e9ccfc91cf80d54ed7302ad88f3612b5fe6ad6f57dd8221e2ba2fe04d2df674

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                    Filesize

                                                    342B

                                                    MD5

                                                    311783d83ee243e7ba627226e74672a7

                                                    SHA1

                                                    77a5d413b0ccbf2028c1ef544c76a3d7e5d4ded1

                                                    SHA256

                                                    1620e0627a9bb212dbdb705eefef4d3811d721eda44aeb0afda9e61e53cfad33

                                                    SHA512

                                                    671132be8c054b0765638aa1e8cdbf0f04e342c7fe5ea28f175e86b90e25b27756d8f71e18ab72326fa39075b6c3235f4861a016bad7742643cc1a06694004d4

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                    Filesize

                                                    342B

                                                    MD5

                                                    3ffbcc838e8f3d32dcdce2c607d92ecb

                                                    SHA1

                                                    b0ce79890ab769b48a2e4327b9d6b5cf4e72a01b

                                                    SHA256

                                                    edd1602ba77206e956aff4ae5c1c0cf40edb97722e9b97be18a9b20de221eb71

                                                    SHA512

                                                    e19f29b0256eb347b2161db2e3c34579a7aa26846779deb998e99c9d2bc487128c1070c80cc9d5299cdcb23702e93fae9acf7a55a0146cd9280faf246837959e

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                    Filesize

                                                    342B

                                                    MD5

                                                    1e28f25c55ccdc745340f841ba32aaee

                                                    SHA1

                                                    10e7df8faa9862079da450c161ad21ded78a77d5

                                                    SHA256

                                                    d459c5a2c2bc1110a8c089266f99489322535dacc030f8e2060001cb2e1d4e8a

                                                    SHA512

                                                    3c1eea7f0180c63a28c3fb5e87e6bb6c9b13df63f008f322260fc5785aeb5877eb889192834a405fbfac9850d90a1cba235939f6455ee6d83747af771b6aeb87

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                    Filesize

                                                    342B

                                                    MD5

                                                    43bbb8d8bf5f125bfb49dddf633066b7

                                                    SHA1

                                                    8eac2551a14e4e015d0e5adba791738519ad81d2

                                                    SHA256

                                                    21e64dcea0a4d1f1fbe338f97cf1e2f3828b40a5e1e57e80c10cf5e7b01eee48

                                                    SHA512

                                                    8f49b6578d5de67ecd2bdf240ca86ce8fd41d73e45dc5338a26ea947caffe099d810c994c7669913a818da9bb6eba1bd071ff341f34cd2f863fa86d500bda2ff

                                                  • C:\Users\Admin\AppData\Local\Temp\5EJ4eIa89C.bat

                                                    Filesize

                                                    196B

                                                    MD5

                                                    ae9ab9adc02718aba7036feab021d2fc

                                                    SHA1

                                                    2228cb1f3c0ecc51bf0f22b6ca5e6ffbfa854d37

                                                    SHA256

                                                    8c146e662b16f2236dc8cd228ea3e00ca14cb3605d8b2530de6802713bd185d5

                                                    SHA512

                                                    f0d9da8dcf069dc59b2917e36de6d4d9d3caa54fd7cae17b62b17cfebbd7c2f60f71d34bd9570d72a98717d2b17e06674575b29fa650743be361d48f12302418

                                                  • C:\Users\Admin\AppData\Local\Temp\7ouYA2TrKB.bat

                                                    Filesize

                                                    196B

                                                    MD5

                                                    0dec298a6de8fd5fdfd72f475855ff60

                                                    SHA1

                                                    f9ec42e2514799aa165b7a54942d13ea67c3381d

                                                    SHA256

                                                    329569f9eeff2a9463a3220a2480abf6a62730b9e9c614d48d1ecfef279b738c

                                                    SHA512

                                                    06d0f5bd9c3522a6948a6c2f4b57ae85550237e5337ea970b85acbd9016cd8c1c92f3db7543463117241d98f1152329aab1bcae3c0b1ac6e1697703fd3391935

                                                  • C:\Users\Admin\AppData\Local\Temp\8t4fMT0wY0.bat

                                                    Filesize

                                                    196B

                                                    MD5

                                                    971d20d9921a51e098c2c4c9d92e8d13

                                                    SHA1

                                                    52cc370d0c0012db87503292466c0ab184cdcf37

                                                    SHA256

                                                    dcac3bf370d6604b819e41a924897ec93435f7af132c4936685c6377b752238d

                                                    SHA512

                                                    bf438b676869d2da10c8bcdf68b2978ed48c2e2e1a377f88dc7adb759ed0ac722244f0bf7fb3e651332924095e679957b3ce590c672d54ab0bf196c1ce7c206e

                                                  • C:\Users\Admin\AppData\Local\Temp\Cab60.tmp

                                                    Filesize

                                                    70KB

                                                    MD5

                                                    49aebf8cbd62d92ac215b2923fb1b9f5

                                                    SHA1

                                                    1723be06719828dda65ad804298d0431f6aff976

                                                    SHA256

                                                    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                                    SHA512

                                                    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                                  • C:\Users\Admin\AppData\Local\Temp\G2aNa3Lme8.bat

                                                    Filesize

                                                    196B

                                                    MD5

                                                    77a218b732581257d5b63d9ee885e0dc

                                                    SHA1

                                                    cb2817b1ebf8714db34fc69e3a40ca0119c40ab3

                                                    SHA256

                                                    ab2cb99993360eecce864a2247e3301a3b8330dffa132510c82441d217ed6877

                                                    SHA512

                                                    2b92bba409d81d7a7f6be0e44695b6483a67739874a781e7b7bf2f58cd404da82f3b784a3218e1a3d78fbd6402c5d8478c83c22d742394907de245b25287f5c0

                                                  • C:\Users\Admin\AppData\Local\Temp\H7eFR6a9mI.bat

                                                    Filesize

                                                    196B

                                                    MD5

                                                    990a7c62da5657209b5c55352b687c4e

                                                    SHA1

                                                    2dc42c87ae1a269b3b1dcf549f213b1f7cf8aaf6

                                                    SHA256

                                                    9440cfc08e51cdc9cb0c4e3b045a7c85e40ec5a2984172d35b3750d8416ae5af

                                                    SHA512

                                                    38c4b07d9d71ac3d0a4f000909781fc9cc4543c3a068eae65fe9bdeecd999d7d809e1c00a907d4be6d9efcca9d5ce7afd5a37ac40408598ced348ad815f98816

                                                  • C:\Users\Admin\AppData\Local\Temp\H7kUlUtrsw.bat

                                                    Filesize

                                                    196B

                                                    MD5

                                                    fd57a942a6f6c34d30312d3bf95b9360

                                                    SHA1

                                                    17b8c5aa201222577403edae31771a725ac83540

                                                    SHA256

                                                    801812208e493f240b952dbfa36f03c24c1d6cca4f58f57c29f2f020ac250450

                                                    SHA512

                                                    1672f5cd9b6790fe314c279a921baf6b70870197dfdceff78925b958c921abc347327ec19f71c7ebe04205c028f72abc065fe25cfdc6c2737cb37550d7a8a24f

                                                  • C:\Users\Admin\AppData\Local\Temp\OI2OM6vZgr.bat

                                                    Filesize

                                                    196B

                                                    MD5

                                                    33ecaa8e7bb93f61534f87ee29b2ef15

                                                    SHA1

                                                    76462b4b379fe7a618784dba6c75d494d967da6b

                                                    SHA256

                                                    05b774198d26f9f7c9fc433363a991c1056f148e3e6c3eb4766294d829c28c09

                                                    SHA512

                                                    5987073e49c60ba97451ac542ccc2717337706bfdcab72fbd2f60d2c07ccc1900c0ce3537bb5e705fa998d66fdfc8ebd3d189a3c119b0a80fcb32e922f85d324

• C:\Users\Admin\AppData\Local\Temp\Tar73.tmp
  Filesize: 181KB
  MD5: 4ea6026cf93ec6338144661bf1202cd1
  SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
  SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
  SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

• C:\Users\Admin\AppData\Local\Temp\WqeaogqjWu.bat
  Filesize: 196B
  MD5: 381a7e330a51e4fe15d37705ef05dd7f
  SHA1: b03540cf035fcb3900e75df5b643d7d08ba88bea
  SHA256: a637eacfab6b845056059032bf75cc026137942b3392d479cf4fc8a4290ac104
  SHA512: e67b4d3fc8641395d3e8fa722dd03f60f290c511aecb9d43cdeef972ad0e39e5aa4feffb4ec6433b80262ce2f1ece65e1246c766b8335fbf505f569140388fb9

• C:\Users\Admin\AppData\Local\Temp\YpSpsobUXT.bat
  Filesize: 196B
  MD5: fbe3edd495c172a3aa2a6a6273ff9c03
  SHA1: 2a8f17f82f8abd58eee2f2c9988606947c2a4043
  SHA256: 3bff811ca1eb38fff6ed7f125e98ccb0a03003bb742b801ab9084916475cc59f
  SHA512: 90d104ef9898749b0304daf24df5ff0941c536136196c30212faaad779a7f933b71279c3a37ac9b8a8ebd4c900035a77a79924f0bddde0cac1dce0c10b7027aa

• C:\Users\Admin\AppData\Local\Temp\eQ9EwglUAP.bat
  Filesize: 196B
  MD5: f1aaace5729d77bb665ab5dbcc22c47d
  SHA1: b1cd8419af98c012bf781b27eb176fb03916cd19
  SHA256: bc8a4eb57ce9ee8a5f5cdc279f742bc1b01d8f313e39ed52cac77a592a51b0cb
  SHA512: a1c49186d4135ee6208f82c30d0d8784e35f0b09a9b5223bbaed016574d1fce9547fe970cbaeb75bab96480ac740959e6f84b52354ebf79500f5995790c87e0f

• C:\Users\Admin\AppData\Local\Temp\j8BV8simza.bat
  Filesize: 196B
  MD5: 73be6968966a51477f6ea6a1d4123954
  SHA1: ac13791c42f74051ff68c794f585d94b6b55b790
  SHA256: 2a370102b862e275269781c2cef55bb49141b0c0c4fa43145f73f23205486d9b
  SHA512: 0b89f365ae8d0bdab0b9146ef0b0f2ffd5f73ee4e4dc86ee31bc9e7bcaee252c3e5201e8ba5427177f784863cc4f2395beb0f354ce087a34ece96c655c6ca850

• C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\R5M4O1NB35SVFCG239TZ.temp
  Filesize: 7KB
  MD5: 614222d83d48fa35060ee4cdb15e16c8
  SHA1: 1b49b086d273b1302e99c3bd4a9ea73a0bef7c09
  SHA256: d0614b0dd65dd3ed1db9ecc8d11c27902d69eb48d2a930a3317e31f56aa7e8f1
  SHA512: ce3629d18cbf56da2ee7b8c8a328bdcf9b3a1e0f558ea570cf4a6a767a10fab7d487037b261921058539e0313bcf3ed6d3b90a10990e54bfe629d03817e20bca

• C:\providercommon\1zu9dW.bat
  Filesize: 36B
  MD5: 6783c3ee07c7d151ceac57f1f9c8bed7
  SHA1: 17468f98f95bf504cc1f83c49e49a78526b3ea03
  SHA256: 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
  SHA512: c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

• C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
  Filesize: 197B
  MD5: 8088241160261560a02c84025d107592
  SHA1: 083121f7027557570994c9fc211df61730455bb5
  SHA256: 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
  SHA512: 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

• \providercommon\DllCommonsvc.exe
  Filesize: 1.0MB
  MD5: bd31e94b4143c4ce49c17d3af46bcad0
  SHA1: f8c51ff3ff909531d9469d4ba1bbabae101853ff
  SHA256: b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
  SHA512: f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

• memory/568-309-0x0000000000340000-0x0000000000352000-memory.dmp
  Filesize: 72KB

• memory/1088-59-0x0000000001FF0000-0x0000000001FF8000-memory.dmp
  Filesize: 32KB

• memory/1088-58-0x000000001B5E0000-0x000000001B8C2000-memory.dmp
  Filesize: 2.9MB

• memory/1224-428-0x0000000001320000-0x0000000001430000-memory.dmp
  Filesize: 1.1MB

• memory/2268-188-0x0000000000FF0000-0x0000000001100000-memory.dmp
  Filesize: 1.1MB

• memory/2748-129-0x00000000002D0000-0x00000000002E2000-memory.dmp
  Filesize: 72KB

• memory/2748-52-0x00000000000E0000-0x00000000001F0000-memory.dmp
  Filesize: 1.1MB

• memory/2784-17-0x0000000000180000-0x000000000018C000-memory.dmp
  Filesize: 48KB

• memory/2784-16-0x0000000000170000-0x000000000017C000-memory.dmp
  Filesize: 48KB

• memory/2784-15-0x0000000000150000-0x000000000015C000-memory.dmp
  Filesize: 48KB

• memory/2784-14-0x0000000000140000-0x0000000000152000-memory.dmp
  Filesize: 72KB

• memory/2784-13-0x00000000003F0000-0x0000000000500000-memory.dmp
  Filesize: 1.1MB

• memory/2820-249-0x0000000000340000-0x0000000000352000-memory.dmp
  Filesize: 72KB

• memory/2820-248-0x00000000010A0000-0x00000000011B0000-memory.dmp
  Filesize: 1.1MB