Analysis

  • max time kernel
    144s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    30/12/2024, 19:38

General

  • Target

    JaffaCakes118_ddb093f473d362f33fd0b4f6299dc3057fd6224d59584aa0d03f1c602a0d24b8.exe

  • Size

    1.3MB

  • MD5

    e3752ee088cc42b47b21d172c8ae5526

  • SHA1

    9447e240b9c850e362b0047c3f4c3db58589a43c

  • SHA256

    ddb093f473d362f33fd0b4f6299dc3057fd6224d59584aa0d03f1c602a0d24b8

  • SHA512

    a179a3671c79c1fed0efe2c4efcb702aadd20a610b6d819f4139a84427e916d3a9af4528b7aa2d9186a644620c725393a19cedd79f64bbdd35fde7dda8ce42c1

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 51 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 8 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 11 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 33 IoCs
  • Suspicious use of AdjustPrivilegeToken 29 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ddb093f473d362f33fd0b4f6299dc3057fd6224d59584aa0d03f1c602a0d24b8.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ddb093f473d362f33fd0b4f6299dc3057fd6224d59584aa0d03f1c602a0d24b8.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1320
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2516
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2876
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:860
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1680
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\taskhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1320
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:576
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\dwm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2152
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1936
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2952
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\en-US\dwm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2640
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office14\1033\lsm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3024
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\winlogon.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2012
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\wininit.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2656
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2808
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\WCN\fr-FR\winlogon.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2552
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\WMIADAP.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2904
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\conhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2156
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\fr-FR\lsm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2092
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\cmd.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2556
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\smss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3060
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\cmd.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2104
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Nmp3kJtbKc.bat"
            5⤵
              PID:2924
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                6⤵
                  PID:2340
                • C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe
                  "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe"
                  6⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2928
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\12JaEZR6zX.bat"
                    7⤵
                      PID:536
                      • C:\Windows\system32\w32tm.exe
                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                        8⤵
                          PID:1604
                        • C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe
                          "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe"
                          8⤵
                          • Executes dropped EXE
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2920
                          • C:\Windows\System32\cmd.exe
                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2U51WDObLZ.bat"
                            9⤵
                              PID:568
                              • C:\Windows\system32\w32tm.exe
                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                10⤵
                                  PID:2784
                                • C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe
                                  "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe"
                                  10⤵
                                  • Executes dropped EXE
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:2132
                                  • C:\Windows\System32\cmd.exe
                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tfVhKC50lX.bat"
                                    11⤵
                                      PID:1664
                                      • C:\Windows\system32\w32tm.exe
                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                        12⤵
                                          PID:2128
                                        • C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe
                                          "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe"
                                          12⤵
                                          • Executes dropped EXE
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:2144
                                          • C:\Windows\System32\cmd.exe
                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Yvohz7Nokj.bat"
                                            13⤵
                                              PID:1100
                                              • C:\Windows\system32\w32tm.exe
                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                14⤵
                                                  PID:2716
                                                • C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe
                                                  "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe"
                                                  14⤵
                                                  • Executes dropped EXE
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:2508
                                                  • C:\Windows\System32\cmd.exe
                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WPmuDeaX4D.bat"
                                                    15⤵
                                                      PID:2784
                                                      • C:\Windows\system32\w32tm.exe
                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                        16⤵
                                                          PID:2676
                                                        • C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe
                                                          "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe"
                                                          16⤵
                                                          • Executes dropped EXE
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:1532
                                                          • C:\Windows\System32\cmd.exe
                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4stVUxPy0P.bat"
                                                            17⤵
                                                              PID:2192
                                                              • C:\Windows\system32\w32tm.exe
                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                18⤵
                                                                  PID:636
                                                                • C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe
                                                                  "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe"
                                                                  18⤵
                                                                  • Executes dropped EXE
                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:2304
                                                                  • C:\Windows\System32\cmd.exe
                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SRNviAgREO.bat"
                                                                    19⤵
                                                                      PID:1480
                                                                      • C:\Windows\system32\w32tm.exe
                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                        20⤵
                                                                          PID:940
                                                                        • C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe
                                                                          "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe"
                                                                          20⤵
                                                                          • Executes dropped EXE
                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          PID:1264
                                                                          • C:\Windows\System32\cmd.exe
                                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5G5G1KH0qy.bat"
                                                                            21⤵
                                                                              PID:2804
                                                                              • C:\Windows\system32\w32tm.exe
                                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                22⤵
                                                                                  PID:2600
                                                                                • C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe
                                                                                  "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe"
                                                                                  22⤵
                                                                                  • Executes dropped EXE
                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                  PID:1644
                                                                                  • C:\Windows\System32\cmd.exe
                                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yQDva2PSBr.bat"
                                                                                    23⤵
                                                                                      PID:1716
                                                                                      • C:\Windows\system32\w32tm.exe
                                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                        24⤵
                                                                                          PID:1984
                                                                                        • C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe
                                                                                          "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe"
                                                                                          24⤵
                                                                                          • Executes dropped EXE
                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:2616
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Sidebar\taskhost.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2852
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\taskhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2880
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\taskhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2684
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2720
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2576
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2620
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Photo Viewer\dwm.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2392
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\dwm.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1492
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Photo Viewer\dwm.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2284
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2616
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2884
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1064
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\providercommon\csrss.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2364
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2604
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2760
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Mail\en-US\dwm.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2648
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\en-US\dwm.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2108
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Mail\en-US\dwm.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2040
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office\Office14\1033\lsm.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1300
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\lsm.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2164
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office\Office14\1033\lsm.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2584
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2476
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2068
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2036
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\wininit.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1788
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\wininit.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:892
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\wininit.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:3052
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\providercommon\taskhost.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:444
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1092
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1832
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Windows\System32\WCN\fr-FR\winlogon.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:940
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\WCN\fr-FR\winlogon.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:912
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Windows\System32\WCN\fr-FR\winlogon.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1712
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 14 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\WMIADAP.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2292
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\WMIADAP.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1640
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 8 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\WMIADAP.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1784
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\conhost.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:3040
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\conhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1708
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\conhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2520
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Mail\fr-FR\lsm.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1928
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\fr-FR\lsm.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1512
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Mail\fr-FR\lsm.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2380
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Program Files\7-Zip\Lang\cmd.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1304
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\cmd.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1752
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Program Files\7-Zip\Lang\cmd.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1288
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\smss.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2340
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\smss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:276
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\smss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2268
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\cmd.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1700
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2320
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:536

                                          Network

                                                MITRE ATT&CK Enterprise v15

                                                Replay Monitor

                                                Loading Replay Monitor...

                                                Downloads

                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                  Filesize

                                                  342B

                                                  MD5

                                                  456b8ef188133520ae0848f9bb63d3c8

                                                  SHA1

                                                  236de0364d6e99e6f2c579754b9cc959f200928c

                                                  SHA256

                                                  4d6ecf640f6690e530ca28c937b9807a23e67b86b1d765b8de9a44112630eccf

                                                  SHA512

                                                  b2a97d567362ecc0b39a019750dab67e1bc53332de1866f9f73ece617c39af49f14735f709318c03e07321c482401518d644e922f74028a62a767e560771e3b9

                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                  Filesize

                                                  342B

                                                  MD5

                                                  16e6730f65ed8936039a65e6b42d1cdf

                                                  SHA1

                                                  4b2c4e7edafb8c62d6b1d696f45644d86ae7a48f

                                                  SHA256

                                                  7a75bde31eb0293e598817235210f1c1997161004839115ae8c2a48e99d6756f

                                                  SHA512

                                                  61153255c9b2435ecb355599a90e1b8959087eb60c3dff694b279c4121315d8a5a675888d0235cbac3feabfa7128ae8f300a299fdc2d18a5b7156b6ac76c9dc7

                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                  Filesize

                                                  342B

                                                  MD5

                                                  cb264d8bf97b2a415c3bda1145138b6b

                                                  SHA1

                                                  9557583208b2f6711f8e1fd074efae29763baeee

                                                  SHA256

                                                  31c4f9e327d964548c13580cb2bd7333ff559fb8e66616e750e8c6c7172541ad

                                                  SHA512

                                                  ff68b0036015af8bbce8dca8a54fed84162c2c3e48929aa52adaa5e0d441bb9b644c8a3d806d3c9c0581bfc704a8a50457f7ebc20e4a2e31bc2f82f3650f5544

                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                  Filesize

                                                  342B

                                                  MD5

                                                  0807d34a9eab702c04b8abd8f8063750

                                                  SHA1

                                                  c7ca1ae6604a4ffda07d966dbb9d3fecfc4b06a7

                                                  SHA256

                                                  98530b23e701e1983853c1cd5c0d81748808c5164ad90abe346e8f19180a3fa9

                                                  SHA512

                                                  aaaf77a693c109fe366453ab29eec255148759ea8eda85c5d4745e0acdefd61857789c1bee2270fb79062f2f271c757fa6ef42dc00857c96eac3e007ed3cdfc6

                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                  Filesize

                                                  342B

                                                  MD5

                                                  959010cd9a3e4e89316cf8e40beaea85

                                                  SHA1

                                                  f080deb643e62243ac02ece09639acb60b5875a2

                                                  SHA256

                                                  8645870aaeac5fb43e41033572bbbb6ef0e866a4c64cb6337256e8c6a573e8e1

                                                  SHA512

                                                  4b5e8118c72d4cf6c46c6b03c52c8d102bf9084a3748199665ce31cbe3f20088af34e2a2cc10982fb690091d29b4a16a4c89aa4f9ec240b4cd1c0314e94a794e

                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                  Filesize

                                                  342B

                                                  MD5

                                                  0ccf05fc4fca8a5494f77a78bbba08e7

                                                  SHA1

                                                  dc9441bdd0bc1f4360d23c6ac4fba574e32f3569

                                                  SHA256

                                                  53ea12ef6e846bd0c5100d063c566ff71730c0afaa40ca2194762e1b427ed9cc

                                                  SHA512

                                                  385dc2ae7ef414390e47ac02ad4fce3827387b215f4a09ee7d9a7f8d180003b9f36290b6e89f3ce452ce1a083a3c7437481679ead88f64b18ee3ad41af3daf6e

                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                  Filesize

                                                  342B

                                                  MD5

                                                  6ccc6ad1e01fafa58ebf017d666444bb

                                                  SHA1

                                                  4a68bdb06b4906ea322d0070ee67fcf4472318fc

                                                  SHA256

                                                  52d4a162f038ec16e9d2c59426d6e1d072f4f6efe11da4fe8e58d9528968b915

                                                  SHA512

                                                  57c44d699bb53d00c7a0c286925ba6f28176ce73297db141eb9654173c3dd08b27528026d5e63c4e6910df62f9052c83ff8b0bc9879ed949d820c514f9b5b69c

                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                  Filesize

                                                  342B

                                                  MD5

                                                  24ac099f14a4f104859a918bdf304173

                                                  SHA1

                                                  ad547c527338f3779de690ee32366cf256467b94

                                                  SHA256

                                                  ec01912941c4da47868a0d5e4e79eeb1034500b627163a057446930182bbe6a0

                                                  SHA512

                                                  bedccdef01fe5771863e0bf9fbef3c2e2ffe2a787b92fd6865e93a887e79d394e76924eb8a27b7c6058bf3ecab98f037a3cdacbbc0cf26dccf4f11bee2e7f4a7

                                                • C:\Users\Admin\AppData\Local\Temp\12JaEZR6zX.bat

                                                  Filesize

                                                  226B

                                                  MD5

                                                  e243a90c72f4a3373441d214b1c5fbe1

                                                  SHA1

                                                  2fdf55a1effc09ad2600b07c50391b638162bf08

                                                  SHA256

                                                  6605ad6935c3e3cc5900b7e56a14da4bebdb352d93648ed290ebd6ec3285d9df

                                                  SHA512

                                                  c4186a0b2663290e0d1d44cd8cad5c98740c7cd83aac75ac012980cc9d1d256ec0c9ce0dbf795da5c90d3303e59fab383df426db9ae740668850efbc53a75824

                                                • C:\Users\Admin\AppData\Local\Temp\2U51WDObLZ.bat

                                                  Filesize

                                                  226B

                                                  MD5

                                                  31625a0e5bb16e5f06e58f03c9c385c2

                                                  SHA1

                                                  8768cfb863f0f800db69f394e666b4b93e8633b2

                                                  SHA256

                                                  65051db0c8e095ba16bbd2ad6ca08401ee36a5d1ea87f438ca6da9dc9cec8eca

                                                  SHA512

                                                  c49dc4a4fedf19de787242beec9a11ffd89843840faa43617f8206b03c336650b4ec3425729045bc9b502ab09743d15ad4526337b05c68fe2454a27c4154f344

                                                • C:\Users\Admin\AppData\Local\Temp\4stVUxPy0P.bat

                                                  Filesize

                                                  226B

                                                  MD5

                                                  97f7e4965159349e690ba9846730dc5e

                                                  SHA1

                                                  4bac3ae9fe00409dbf7de35348c9adfe6a0a520b

                                                  SHA256

                                                  aa6f5f1ffc6b7d80183937c244d83d46d29c2a4b4e61896c6dc4f9e3692522f1

                                                  SHA512

                                                  95059a8e36be8d2c6dc0e5a8962a89029ac2db6e78958e7fc850e081d3182e79d6f1e07536ddc6de99aa43a3fc6702de47c96f7a37a05e4575121e6499cf983d

                                                • C:\Users\Admin\AppData\Local\Temp\5G5G1KH0qy.bat

                                                  Filesize

                                                  226B

                                                  MD5

                                                  0b4688e256931570dd6d14f4815d7b2d

                                                  SHA1

                                                  f59f36919882f85a1ddaa61bafc9e585bf9af58b

                                                  SHA256

                                                  8a4b11e78e175330f6412cbd72e76b92f732da360687cb483f3871ad449d2a66

                                                  SHA512

                                                  b7516f0587ca1527f6fb6ca3f7dda7a24e57c04f592604477d9d0042f1cd2a103cd1632069b074ae7847ab140f4f9f1ca9597cdaf76cae462a04f536b3b85947

                                                • C:\Users\Admin\AppData\Local\Temp\Cab41D3.tmp

                                                  Filesize

                                                  70KB

                                                  MD5

                                                  49aebf8cbd62d92ac215b2923fb1b9f5

                                                  SHA1

                                                  1723be06719828dda65ad804298d0431f6aff976

                                                  SHA256

                                                  b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                                  SHA512

                                                  bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                                • C:\Users\Admin\AppData\Local\Temp\Nmp3kJtbKc.bat

                                                  Filesize

                                                  226B

                                                  MD5

                                                  11c4e07a5a64d17f181dff9476d2dc96

                                                  SHA1

                                                  9ff997e24c622601f7ea36a146f3eb5a8212895c

                                                  SHA256

                                                  03313685cb2065d77852dadb6c6b8250faf9d6ce32735d90660d448d4ffbb5b2

                                                  SHA512

                                                  44fc1c800832cabdd57d1694b18835de1418ec9bdbbc49765800e94af01cd466f30cebccc7e6e66e29644d9a186a26fad1bbea432056f46bf3c817a785b2be0e

                                                • C:\Users\Admin\AppData\Local\Temp\SRNviAgREO.bat

                                                  Filesize

                                                  226B

                                                  MD5

                                                  f82ba89edc6ad2d56640e576f2fa4694

                                                  SHA1

                                                  9deac0efb2db60fd80adc8d0ef6bb3f368384489

                                                  SHA256

                                                  d0ec0cfa1ed30f85559545f3c6e83cd4403a87472d2f0f81939d816cd88d5d25

                                                  SHA512

                                                  b6e3bab711c3b8422e05c729afd4ff0f5f4798f98b320ee9ddccce335b1ac39f1f0562c1cf8ed93a465e21bd52cd7e5b6372c1976bb127e2e8091ffb1bff9ef5

                                                • C:\Users\Admin\AppData\Local\Temp\Tar41E5.tmp

                                                  Filesize

                                                  181KB

                                                  MD5

                                                  4ea6026cf93ec6338144661bf1202cd1

                                                  SHA1

                                                  a1dec9044f750ad887935a01430bf49322fbdcb7

                                                  SHA256

                                                  8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                                                  SHA512

                                                  6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                                • C:\Users\Admin\AppData\Local\Temp\WPmuDeaX4D.bat

                                                  Filesize

                                                  226B

                                                  MD5

                                                  7dc01dae3501e2f80aa973219777c893

                                                  SHA1

                                                  e6c419ba8b92bc942fcf153c50e4e97764585b78

                                                  SHA256

                                                  dae77823b8211b61a1b369bfd00eaaf092a0a0cc60fce7432c45a635c3727c52

                                                  SHA512

                                                  aa5d5eb98aa2cf4529bd8cdef69a61586a4640802c5068fa91c2f720e745cb16a82231a6f387c1b28ade25832ba0d14b917d402aad1fb47036b8c4307a2f5344

                                                • C:\Users\Admin\AppData\Local\Temp\Yvohz7Nokj.bat

                                                  Filesize

                                                  226B

                                                  MD5

                                                  682c3154232774ebabfc6d48035ae321

                                                  SHA1

                                                  fd7b1f362822b17a30b92b176967f4989a5b4c23

                                                  SHA256

                                                  4c972acfce6c271e68ae8ed67d6cc09f87e63f102ab6b3c0047aad2083273c00

                                                  SHA512

                                                  0703cf9c5ef2dcf512ff0751b00c6fa1b98c99dfa387478387b8544c3e3c520dfc6bf9195e7024740d35c5a866fa478f65b6c0e7abd265c01e31802b6a6dba57

                                                • C:\Users\Admin\AppData\Local\Temp\tfVhKC50lX.bat

                                                  Filesize

                                                  226B

                                                  MD5

                                                  c641a2686fecd0d81a6b43fca3653825

                                                  SHA1

                                                  cc1f4c7b3aa0efa1f7a51d917fddd371b3aa5c38

                                                  SHA256

                                                  653dec7999ab0e83a1bb07d5bfe00085ee8d8f1b8ec0ce8db7182615a54106e1

                                                  SHA512

                                                  5902e00e3e22a8b158465160eaee57b318ddfccb27ed652b78cb9cbc74a7796ee708c7a28eccec96564f7751c37ed11472b3672c676948e4fba648a65203eae6

                                                • C:\Users\Admin\AppData\Local\Temp\yQDva2PSBr.bat

                                                  Filesize

                                                  226B

                                                  MD5

                                                  ec125ef596af446fbd5883ccb82c3ae0

                                                  SHA1

                                                  7384be108caab0888657141fd0c15af7d68023b8

                                                  SHA256

                                                  9a39f2779a97bfa8ffe25245e156497fc9b838333f46504d1b69828e17e053c4

                                                  SHA512

                                                  f894a117a5897fc39f2e2c7028500fdd3002eaa659bfaaf7f863adcca1f4abb6080eee3ff09fa7f383f2e34fa6cb0113a4bbc577d0db479099345c25b6453d4e

                                                • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                                  Filesize

                                                  7KB

                                                  MD5

                                                  87b41dcc0767ad387ddd3492be40d4c9

                                                  SHA1

                                                  ddba120cea1f52d1435d2d18ee9b867adf62b4f6

                                                  SHA256

                                                  05299005df00b1f87f5938c5231fe3045034ef476f1e98091abf8f83e1053e4b

                                                  SHA512

                                                  808f3beea439971853ac3ab0aab04db14e22889cf64f3b4ccfc9f18f775017a0a8aae26a42f56e539590ce5832674ae22967260ba00ad8784c8c79ba6bff11e7

                                                • C:\providercommon\1zu9dW.bat

                                                  Filesize

                                                  36B

                                                  MD5

                                                  6783c3ee07c7d151ceac57f1f9c8bed7

                                                  SHA1

                                                  17468f98f95bf504cc1f83c49e49a78526b3ea03

                                                  SHA256

                                                  8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

                                                  SHA512

                                                  c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                                • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                                  Filesize

                                                  197B

                                                  MD5

                                                  8088241160261560a02c84025d107592

                                                  SHA1

                                                  083121f7027557570994c9fc211df61730455bb5

                                                  SHA256

                                                  2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

                                                  SHA512

                                                  20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                                • \providercommon\DllCommonsvc.exe

                                                  Filesize

                                                  1.0MB

                                                  MD5

                                                  bd31e94b4143c4ce49c17d3af46bcad0

                                                  SHA1

                                                  f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                                  SHA256

                                                  b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                                  SHA512

                                                  f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                                • memory/860-15-0x0000000000990000-0x000000000099C000-memory.dmp

                                                  Filesize

                                                  48KB

                                                • memory/860-17-0x00000000009B0000-0x00000000009BC000-memory.dmp

                                                  Filesize

                                                  48KB

                                                • memory/860-14-0x0000000000980000-0x0000000000992000-memory.dmp

                                                  Filesize

                                                  72KB

                                                • memory/860-16-0x00000000009A0000-0x00000000009AC000-memory.dmp

                                                  Filesize

                                                  48KB

                                                • memory/860-13-0x00000000009D0000-0x0000000000AE0000-memory.dmp

                                                  Filesize

                                                  1.1MB

                                                • memory/1264-563-0x0000000000AD0000-0x0000000000BE0000-memory.dmp

                                                  Filesize

                                                  1.1MB

                                                • memory/1320-99-0x00000000020C0000-0x00000000020C8000-memory.dmp

                                                  Filesize

                                                  32KB

                                                • memory/1532-443-0x00000000003C0000-0x00000000003D2000-memory.dmp

                                                  Filesize

                                                  72KB

                                                • memory/1644-623-0x0000000000240000-0x0000000000350000-memory.dmp

                                                  Filesize

                                                  1.1MB

                                                • memory/2144-324-0x0000000001320000-0x0000000001430000-memory.dmp

                                                  Filesize

                                                  1.1MB

                                                • memory/2152-81-0x000000001B7D0000-0x000000001BAB2000-memory.dmp

                                                  Filesize

                                                  2.9MB

                                                • memory/2304-503-0x00000000001D0000-0x00000000002E0000-memory.dmp

                                                  Filesize

                                                  1.1MB

                                                • memory/2616-683-0x0000000000B10000-0x0000000000C20000-memory.dmp

                                                  Filesize

                                                  1.1MB

                                                • memory/2928-147-0x0000000001220000-0x0000000001330000-memory.dmp

                                                  Filesize

                                                  1.1MB