Analysis

  • max time kernel
    149s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    21-12-2024 19:51

General

  • Target

    JaffaCakes118_c7dd53cd25b84341bab18041779ebbeba904e6b57882a0363dfa753f379ddfdb.exe

  • Size

    1.3MB

  • MD5

    2dcf50553b85232a9b945cd6cba51948

  • SHA1

    d95edd641d22ba757a62e2e95944bb7ed9d5fd7f

  • SHA256

    c7dd53cd25b84341bab18041779ebbeba904e6b57882a0363dfa753f379ddfdb

  • SHA512

    ac47089aa076c56f770eea97071bd33fb07def65eced5e6f9aa98bd345aa947650dc1e00bf6b733d8337c0548b7d5dd7b0f63660cb01f4b8c55073a2828075cf

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a .NET RAT active since June 2019 that is capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 54 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 14 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 14 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs
  • Drops file in Program Files directory 12 IoCs
  • Drops file in Windows directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: CmdExeWriteProcessMemorySpam 11 IoCs
  • Suspicious behavior: EnumeratesProcesses 39 IoCs
  • Suspicious use of AdjustPrivilegeToken 33 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7dd53cd25b84341bab18041779ebbeba904e6b57882a0363dfa753f379ddfdb.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7dd53cd25b84341bab18041779ebbeba904e6b57882a0363dfa753f379ddfdb.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1840
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2804
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2336
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2604
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2460
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2804
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Migration\WTR\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2400
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Offline Web Pages\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2364
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3060
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\SetupMetrics\OSPPSVC.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2720
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\TableTextService\it-IT\explorer.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2772
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\debug\WIA\spoolsv.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2712
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Games\Minesweeper\ja-JP\sppsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2664
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsass.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2744
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\smss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2540
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Favorites\OSPPSVC.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:284
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\dllhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2776
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\en-US\dllhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2292
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\lsm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2988
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\Idle.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2728
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\assembly\GAC_MSIL\conhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1644
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\taskhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2632
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2840
          • C:\Program Files\Microsoft Games\Minesweeper\ja-JP\sppsvc.exe
            "C:\Program Files\Microsoft Games\Minesweeper\ja-JP\sppsvc.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1720
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VhvmsyECnd.bat"
              6⤵
                PID:2760
                • C:\Windows\system32\w32tm.exe
                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                  7⤵
                    PID:2012
                  • C:\Program Files\Microsoft Games\Minesweeper\ja-JP\sppsvc.exe
                    "C:\Program Files\Microsoft Games\Minesweeper\ja-JP\sppsvc.exe"
                    7⤵
                    • Executes dropped EXE
                    • Suspicious behavior: CmdExeWriteProcessMemorySpam
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1404
                    • C:\Windows\System32\cmd.exe
                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uVa8TbDE3p.bat"
                      8⤵
                        PID:1972
                        • C:\Windows\system32\w32tm.exe
                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                          9⤵
                            PID:2632
                          • C:\Program Files\Microsoft Games\Minesweeper\ja-JP\sppsvc.exe
                            "C:\Program Files\Microsoft Games\Minesweeper\ja-JP\sppsvc.exe"
                            9⤵
                            • Executes dropped EXE
                            • Suspicious behavior: CmdExeWriteProcessMemorySpam
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            PID:2636
                            • C:\Windows\System32\cmd.exe
                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vbXk1H8t4K.bat"
                              10⤵
                                PID:2552
                                • C:\Windows\system32\w32tm.exe
                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                  11⤵
                                    PID:2460
                                  • C:\Program Files\Microsoft Games\Minesweeper\ja-JP\sppsvc.exe
                                    "C:\Program Files\Microsoft Games\Minesweeper\ja-JP\sppsvc.exe"
                                    11⤵
                                    • Executes dropped EXE
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:1608
                                    • C:\Windows\System32\cmd.exe
                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RnBkS9jGYw.bat"
                                      12⤵
                                        PID:1988
                                        • C:\Windows\system32\w32tm.exe
                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                          13⤵
                                            PID:1724
                                          • C:\Program Files\Microsoft Games\Minesweeper\ja-JP\sppsvc.exe
                                            "C:\Program Files\Microsoft Games\Minesweeper\ja-JP\sppsvc.exe"
                                            13⤵
                                            • Executes dropped EXE
                                            • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:2364
                                            • C:\Windows\System32\cmd.exe
                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hJP5Gj8VmP.bat"
                                              14⤵
                                                PID:1968
                                                • C:\Windows\system32\w32tm.exe
                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                  15⤵
                                                    PID:2488
                                                  • C:\Program Files\Microsoft Games\Minesweeper\ja-JP\sppsvc.exe
                                                    "C:\Program Files\Microsoft Games\Minesweeper\ja-JP\sppsvc.exe"
                                                    15⤵
                                                    • Executes dropped EXE
                                                    • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:2864
                                                    • C:\Windows\System32\cmd.exe
                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\T7QXgceCiI.bat"
                                                      16⤵
                                                        PID:2312
                                                        • C:\Windows\system32\w32tm.exe
                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                          17⤵
                                                            PID:1652
                                                          • C:\Program Files\Microsoft Games\Minesweeper\ja-JP\sppsvc.exe
                                                            "C:\Program Files\Microsoft Games\Minesweeper\ja-JP\sppsvc.exe"
                                                            17⤵
                                                            • Executes dropped EXE
                                                            • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:2236
                                                            • C:\Windows\System32\cmd.exe
                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FnVhX1xwia.bat"
                                                              18⤵
                                                                PID:1516
                                                                • C:\Windows\system32\w32tm.exe
                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                  19⤵
                                                                    PID:1280
                                                                  • C:\Program Files\Microsoft Games\Minesweeper\ja-JP\sppsvc.exe
                                                                    "C:\Program Files\Microsoft Games\Minesweeper\ja-JP\sppsvc.exe"
                                                                    19⤵
                                                                    • Executes dropped EXE
                                                                    • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    PID:1496
                                                                    • C:\Windows\System32\cmd.exe
                                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GptcLQn9Ec.bat"
                                                                      20⤵
                                                                        PID:1644
                                                                        • C:\Windows\system32\w32tm.exe
                                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                          21⤵
                                                                            PID:884
                                                                          • C:\Program Files\Microsoft Games\Minesweeper\ja-JP\sppsvc.exe
                                                                            "C:\Program Files\Microsoft Games\Minesweeper\ja-JP\sppsvc.exe"
                                                                            21⤵
                                                                            • Executes dropped EXE
                                                                            • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:2980
                                                                            • C:\Windows\System32\cmd.exe
                                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\15yWIDpGaf.bat"
                                                                              22⤵
                                                                                PID:448
                                                                                • C:\Windows\system32\w32tm.exe
                                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                  23⤵
                                                                                    PID:2876
                                                                                  • C:\Program Files\Microsoft Games\Minesweeper\ja-JP\sppsvc.exe
                                                                                    "C:\Program Files\Microsoft Games\Minesweeper\ja-JP\sppsvc.exe"
                                                                                    23⤵
                                                                                    • Executes dropped EXE
                                                                                    • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                    PID:1120
                                                                                    • C:\Windows\System32\cmd.exe
                                                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yoQf8QHV2Q.bat"
                                                                                      24⤵
                                                                                        PID:2532
                                                                                        • C:\Windows\system32\w32tm.exe
                                                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                          25⤵
                                                                                            PID:2700
                                                                                          • C:\Program Files\Microsoft Games\Minesweeper\ja-JP\sppsvc.exe
                                                                                            "C:\Program Files\Microsoft Games\Minesweeper\ja-JP\sppsvc.exe"
                                                                                            25⤵
                                                                                            • Executes dropped EXE
                                                                                            • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                            PID:980
                                                                                            • C:\Windows\System32\cmd.exe
                                                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rm9ahlPG2t.bat"
                                                                                              26⤵
                                                                                                PID:2112
                                                                                                • C:\Windows\system32\w32tm.exe
                                                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                  27⤵
                                                                                                    PID:316
                                                                                                  • C:\Program Files\Microsoft Games\Minesweeper\ja-JP\sppsvc.exe
                                                                                                    "C:\Program Files\Microsoft Games\Minesweeper\ja-JP\sppsvc.exe"
                                                                                                    27⤵
                                                                                                    • Executes dropped EXE
                                                                                                    • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                    PID:904
                                                                                                    • C:\Windows\System32\cmd.exe
                                                                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vhtd8auDHa.bat"
                                                                                                      28⤵
                                                                                                        PID:1884
                                                                                                        • C:\Windows\system32\w32tm.exe
                                                                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                          29⤵
                                                                                                            PID:2932
                                                                                                          • C:\Program Files\Microsoft Games\Minesweeper\ja-JP\sppsvc.exe
                                                                                                            "C:\Program Files\Microsoft Games\Minesweeper\ja-JP\sppsvc.exe"
                                                                                                            29⤵
                                                                                                            • Executes dropped EXE
                                                                                                            • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                            PID:2540
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2372
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2636
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2864
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\Migration\WTR\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2676
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2512
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Windows\Migration\WTR\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2532
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\Offline Web Pages\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3020
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:828
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\Offline Web Pages\csrss.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:2680
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe'" /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:1096
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:1976
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:1548
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\OSPPSVC.exe'" /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:300
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\OSPPSVC.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:1652
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\OSPPSVC.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:1972
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\it-IT\explorer.exe'" /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:2444
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\it-IT\explorer.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:1364
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\it-IT\explorer.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:2304
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Windows\debug\WIA\spoolsv.exe'" /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:1712
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\debug\WIA\spoolsv.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:1728
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Windows\debug\WIA\spoolsv.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:1892
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Games\Minesweeper\ja-JP\sppsvc.exe'" /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:2820
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Minesweeper\ja-JP\sppsvc.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:2012
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Games\Minesweeper\ja-JP\sppsvc.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:2940
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsass.exe'" /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:2992
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:2952
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:2600
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\smss.exe'" /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:2500
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\smss.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:1400
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\smss.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:348
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Favorites\OSPPSVC.exe'" /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:2176
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\All Users\Favorites\OSPPSVC.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:2340
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Favorites\OSPPSVC.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:836
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\dllhost.exe'" /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:964
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\dllhost.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:960
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\dllhost.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:1932
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\dllhost.exe'" /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:2344
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\en-US\dllhost.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:1916
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\dllhost.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:884
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Program Files\Google\Chrome\Application\lsm.exe'" /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:1140
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\lsm.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:788
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Program Files\Google\Chrome\Application\lsm.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:1600
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\Idle.exe'" /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:1560
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\Idle.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:2920
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\Idle.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:572
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Windows\assembly\GAC_MSIL\conhost.exe'" /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:1604
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\assembly\GAC_MSIL\conhost.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:2280
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Windows\assembly\GAC_MSIL\conhost.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:876
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:2224
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:1500
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:1632
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\DllCommonsvc.exe'" /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:2088
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\DllCommonsvc.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:1840
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\DllCommonsvc.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:2456

                                                  Network

                                                  MITRE ATT&CK Enterprise v15

                                                  Downloads

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: e14ff7b9fb61c32eef40e44c612e4b9e
  SHA1: 2d33b109618c15dc36be7e9253a68f5499d1e561
  SHA256: 28612bfd18aaf226032b4087697f65786b330024bc3b34527569cd2bca818e36
  SHA512: 3df145dd8c9bb51d7a97cbed48ff7f66f5aba362007bb831e27072d7c45780b6ae445dddf84c58adaec87303c9d310fa9793dda2149bf040f5cd23a1dfff39de

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: e957c8153f6cf01fddfb1b055d8e13a1
  SHA1: 3ba8cf2240841b63ba27bc41c5723fc04a1cc251
  SHA256: 355a96f2f13cffad542c95c5f3c04bbe1fd08df8a53efc597ac47e779ecde7a6
  SHA512: c7441420026196496244cfb526d3f308e4262d8f1e8674ca0eadea347699220beab7b646fd152fada8aec3dbbd1bbd80098e329a557c16a552a4f98f48e95685

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 16f69d3838dcc18fd901f2128082373d
  SHA1: aded4e5fbdfb3d11db2f8365d1b86b4123256179
  SHA256: d1541cf03ce09427092b077e0f3bb8c0d44b04a8427dcb00380be12bb65aafcc
  SHA512: a5a163e9c0e9baf8e93a9aa503ead23af0949be7f0fae45c083e92501c8f1e5cf289d3aa9e53c9c51b1a6659a277b59a18b3e8e5eae4b38b1dbe7a042b1f9a82

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: f85d84bfa91079da013963aef307b93c
  SHA1: 900e9c347abb25a9f344de43f235fc372fb1939c
  SHA256: d2481682d75d392e0fc55e0e87c18eea21bb9bcca88408aa7774a692f526d2f6
  SHA512: 7a445be5e3b4e921300a98a6c5d7d7b0e050b654665883baccb91dbab78d5d2db7416b947a419068454262ba158f4e65b6424f49a789cf85e945d808fbfc6edf

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: b30e76830fa0afe9e1ac57e62c80684c
  SHA1: 97a8f3c9cb557fa5f4c07749a587b90a2f5fd1b5
  SHA256: 7d676848f699f92957d62d6b4d5f1c7d379e1cb9304e8ba852c86c47861fd2e3
  SHA512: fcf6cc410916c1452cb224746b49b38efb3fb50864c524566aaf876f3581d2c1382159d374530db6d14bc000312f658e00dc9a5362ecb827ac3f45d478cf7e1c

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                    Filesize

                                                    342B

                                                    MD5

                                                    060a7a3bd685c81f1b16caab7fab098d

                                                    SHA1

                                                    1e7a2bbd8763be1376dc260ad6d6d1253d1acb1b

                                                    SHA256

                                                    cfa67642ca6cce41f6c4d7714d8675ce0e774cae1354e1148c14d6ba4bbca1b4

                                                    SHA512

                                                    de1e8df69ca99be1ff91b2a07ed23d01c8b28d4f022fb3ee6adfaedd2dafa8cef2cde4d066117db1ea7f5b1d4c21bf706b1673a9046397dd23fe74ae7bfc4a5d

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                    Filesize

                                                    342B

                                                    MD5

                                                    cc53e2d75dbae3b2a9b1351113c7e89b

                                                    SHA1

                                                    1f9f5933d1ac1e792d99ce6764153b92cebe4cda

                                                    SHA256

                                                    03b7e88fab486d408ce94b708dc93c5554b1513fbf9a7cac046c3048b7a61aa3

                                                    SHA512

                                                    da72aaa6fb4e0c7ec357de5d1f0ec5c7859abc309dfa5b2407b889a191675f982d01065a9a6f30c0db170dfeb00ab1eda269c1bf8b4b6305fce2957432b61b46

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                    Filesize

                                                    342B

                                                    MD5

                                                    9bfead367d1e73a32fbd0e4e270d2a66

                                                    SHA1

                                                    a8ad7c096bbf97410ced0abf5c8a1f327076e171

                                                    SHA256

                                                    01bba4b5670a171d6d1a29d30d5b49dcb52e214ddcadcf6b7342aca1d03266da

                                                    SHA512

                                                    5c423e1287d3784c3c1a2115e49ac97e0ca563d28730c02c9d461390e45ecb0c818325d4bc26fa71ebad69408bc35b2613fa007ceedba237383fe569ad4f3c61

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                    Filesize

                                                    342B

                                                    MD5

                                                    b5001310b29122cf222b7dd7cd13e9e1

                                                    SHA1

                                                    87a33a213e98fadf783556aeec89783ca74f0d34

                                                    SHA256

                                                    fcfbf1ecfb204753be625c9c038feef0fd92a0f38b7d386678f28bccd69aa6eb

                                                    SHA512

                                                    c551d0751437b496d826f3c42d0da9961018bd3a992d0dc589d20b9079a0ade7cfddab8129ac36f847696be212d33cc1c4b0bcc8cf9b1911c99f4b1c0ac01f3b

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                    Filesize

                                                    342B

                                                    MD5

                                                    2a5b05611adce55823d4bd4afe810a0b

                                                    SHA1

                                                    3dae7a4de156605a005583b6e0befdadcfdb3ce3

                                                    SHA256

                                                    df040f99bb0cba732b847a318ac4a1daaa34e721c802ab5bd1e25d620855b45c

                                                    SHA512

                                                    89e267edb4cb5d62a730087f7b477644d53533a73a334d2fd1e5ae351f1bc6c7edbb49bd2a557fd336c4cbe8d54232c0b3e9cec152fd4188c701b0cb28adf3e1

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                    Filesize

                                                    342B

                                                    MD5

                                                    f1fb4947442907cb26436094f68e2127

                                                    SHA1

                                                    8a1e8f7461a834f7045a37cde51fdd326d688473

                                                    SHA256

                                                    d1f021916222f27dac72c4ec841ab2fcd41c49f3403e6b60def098d1b561e232

                                                    SHA512

                                                    fc99beb0996112894881cd375eb41eccaa6e6bf9e3831aaea312ace116dd404e7f5221afd80b6e8fd4b420e1afe6e00b724501b5f38cfb589b31f7645f76e848

                                                  • C:\Users\Admin\AppData\Local\Temp\15yWIDpGaf.bat

                                                    Filesize

                                                    226B

                                                    MD5

                                                    3cadd4db62d53c7ea3e5086fecc4dec8

                                                    SHA1

                                                    56a64d3c2f8ed9c3a2b9692e7059512fc4c9cc5c

                                                    SHA256

                                                    38939b1d47bf9cb728f3cc5bc73bfe597e02f39aed8fe76eda81d7a59082f46a

                                                    SHA512

                                                    066b19c93596a735493912d0cbe576ed44b4bf4e1e883044700c47c798bba89ee18d4e0b4a5bf6e9310aa48834081552ae3d7601429fd0c8ff86303791d03b63

                                                  • C:\Users\Admin\AppData\Local\Temp\CabE62C.tmp

                                                    Filesize

                                                    70KB

                                                    MD5

                                                    49aebf8cbd62d92ac215b2923fb1b9f5

                                                    SHA1

                                                    1723be06719828dda65ad804298d0431f6aff976

                                                    SHA256

                                                    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                                    SHA512

                                                    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                                  • C:\Users\Admin\AppData\Local\Temp\FnVhX1xwia.bat

                                                    Filesize

                                                    226B

                                                    MD5

                                                    e02a08a00f23d82550b767ba3bc92ab7

                                                    SHA1

                                                    5a974f2943e5845cbf9123a60c51bdddeeda0957

                                                    SHA256

                                                    2b0c8b7795e6d5af44ace7db80f98a042d8c041baaec00df8dd31f152666138c

                                                    SHA512

                                                    d2cf294000bf06b6b499a55c9047e3c45287ec8b69a968222eef6bb8920bafc9185b05a794e491138304294fa714beb82692d3a9c515ba516284f6e0a2dc5794

                                                  • C:\Users\Admin\AppData\Local\Temp\GptcLQn9Ec.bat

                                                    Filesize

                                                    226B

                                                    MD5

                                                    07d4280e5365a9d64a9dbc0b4092b71d

                                                    SHA1

                                                    c7b1048a521e12abd6321081b90fdea2c3993bf7

                                                    SHA256

                                                    3f8b346b4acb6343cbe4ed222515bfd5a352d7afec254d2ab8d9bf62b1dbd706

                                                    SHA512

                                                    c317fcf10df54ebd49e5ad4d1c07c5b9bc1e5ed95fae6b2be89f4ca97a602cd318ea2fee4dd6dce0933f5aebf80802945c344a47c78db3d1ba57dcc2495c1a88

                                                  • C:\Users\Admin\AppData\Local\Temp\RnBkS9jGYw.bat

                                                    Filesize

                                                    226B

                                                    MD5

                                                    e49e5397b3d1281280f4d8ef9424223a

                                                    SHA1

                                                    49294525f280708ce45819250cc6380c97ef3e95

                                                    SHA256

                                                    e199f307cd040291a527f4484928f9166c0e612a9da7c626605debeb8346e26b

                                                    SHA512

                                                    9127d7009ce5ba6c68f2927c840bb81713b6731ea683bcc659c473cb556133141fdfd151561d3aaa9bbf597015eba75f6a65f494facb48364d8d95883fea6e26

                                                  • C:\Users\Admin\AppData\Local\Temp\T7QXgceCiI.bat

                                                    Filesize

                                                    226B

                                                    MD5

                                                    a82357874020e6e7a9ed6dc8f5d9f4cb

                                                    SHA1

                                                    b771c5d00db07e1530d18bd614e63379dfe2631e

                                                    SHA256

                                                    f164d70a7c25e0167c220609d3f4cd78973999abee764238ac8dede5d1f935af

                                                    SHA512

                                                    3d02531b75e8fa56d4d4b24b718dfd2419cf7c291b72e293c896f80ab568b78f7c7ce90f8ebf7c247daa02cae094fc668488665fa3c7678e411550d749579aaf

                                                  • C:\Users\Admin\AppData\Local\Temp\TarE63F.tmp

                                                    Filesize

                                                    181KB

                                                    MD5

                                                    4ea6026cf93ec6338144661bf1202cd1

                                                    SHA1

                                                    a1dec9044f750ad887935a01430bf49322fbdcb7

                                                    SHA256

                                                    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                                                    SHA512

                                                    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                                  • C:\Users\Admin\AppData\Local\Temp\VhvmsyECnd.bat

                                                    Filesize

                                                    226B

                                                    MD5

                                                    8295789218d303f74420bd305b9e9a1f

                                                    SHA1

                                                    c97988b8ba03797f8880254fb663fcafdf6c0098

                                                    SHA256

                                                    4ac0a751166dd3f9b247d1f6be558aec91bed38f79fae3f453e1e284ed603aea

                                                    SHA512

                                                    06e7a6594115a6ac7d3e5df37962f7571c2cddbb9ef52cf1489de1b9f7d2cd167ad4920faaff7aa834399dcaf648613b3efc2163218f4448d579ff27ff3df212

                                                  • C:\Users\Admin\AppData\Local\Temp\hJP5Gj8VmP.bat

                                                    Filesize

                                                    226B

                                                    MD5

                                                    414ef019b71fb19c914e43ead6e1bc87

                                                    SHA1

                                                    dfb43cf78e93c180882ce711db0fe84f90f56984

                                                    SHA256

                                                    fc29d2f8963161022163646360453440cfe136665b0cd322d521cdc92df74e71

                                                    SHA512

                                                    b7c8b76e2e720f2e0ef2448092ff306d56fe11c0dd5e0480a63b4013e985918093c843bd5b366b63a60bf99b86cea874a7ba7269d8b943fa0a1a9a877463096e

                                                  • C:\Users\Admin\AppData\Local\Temp\rm9ahlPG2t.bat

                                                    Filesize

                                                    226B

                                                    MD5

                                                    d209b92dd7ea2778f9250095c179d478

                                                    SHA1

                                                    15701f3d89c11961871a58220611e9f1e6947da9

                                                    SHA256

                                                    0e135719f50ac487ef0cfba8c2f06b90cde7bd9c36a0cbf20eba3515ccacb769

                                                    SHA512

                                                    1f737397125356040790766234bf40f2a35985a4a8652b36c5c641fcb31e93e41493da1535695751b76620c6692f3d029b8e3aca7ede47bddcf1e43151f7796c

                                                  • C:\Users\Admin\AppData\Local\Temp\uVa8TbDE3p.bat

                                                    Filesize

                                                    226B

                                                    MD5

                                                    700e38675e203db05afee2308a22aa26

                                                    SHA1

                                                    6d5b898b7fbb79abcecfff3d7812cf9507984868

                                                    SHA256

                                                    38d2110e22924189530949593de7ab0cc9f6b1d612857f207587710943f66557

                                                    SHA512

                                                    3242ff487128c4205f8a6e3ba7c64af9fac03edb16e9188c589ba3e560555540889c5310cc84cc64e0232691bbb139b37f1495747489f3b5227541ff7a22c15c

                                                  • C:\Users\Admin\AppData\Local\Temp\vhtd8auDHa.bat

                                                    Filesize

                                                    226B

                                                    MD5

                                                    f3ad3d556d1615e22b170e584300ff35

                                                    SHA1

                                                    5be5f76a0efb2e99905589ad7400d1a9413b95aa

                                                    SHA256

                                                    7c542bb6b7570f47a1c51b54605b7f681bd10b3e69cff220a45f01d59d316de1

                                                    SHA512

                                                    941d93439546929c77dcc914ffa32d208a56cfcb091ba5cb334725c1bd89282af5858e98459a2f8507755791be963ee02ec8ec3e74f6a39e702da5b0a939c709

                                                  • C:\Users\Admin\AppData\Local\Temp\yoQf8QHV2Q.bat

                                                    Filesize

                                                    226B

                                                    MD5

                                                    c98cf4f59e25be56a41e85e6250fbc5d

                                                    SHA1

                                                    8177830e69913fc0e85207b4752415da474ab5b4

                                                    SHA256

                                                    d60fb138ffde3a32d3bb189bfae6d14b93065610acc56891ae1dafab6eb6de6b

                                                    SHA512

                                                    998b0432a4e9bb7ad35c222f166c17da35dedd4a85c5bcefc47511abf8aa25ea5d67fafb0dae038eb0a1bc83101ea71aca94d4df4893662cec60af81f0d8b2b4

                                                  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BV2YX4JQ2CUDTMU86ZRY.temp

                                                    Filesize

                                                    7KB

                                                    MD5

                                                    4de1668af5721dc142c2b717170ff25c

                                                    SHA1

                                                    45c6b4f908187e1041f7a171811605a3902c8855

                                                    SHA256

                                                    35906ce2b24c39cf7246defef87851abc39f9761c763fe3934c4e4fb17b8013e

                                                    SHA512

                                                    e979759e7cd524a5d1620dbecfb887393c2f4ca488521b1f86b4209661f2b75c127c8f7aca974554f6fd9154bcb9e259b17faeee0ed290f72573cfc6b71fa22f

                                                  • C:\providercommon\1zu9dW.bat

                                                    Filesize

                                                    36B

                                                    MD5

                                                    6783c3ee07c7d151ceac57f1f9c8bed7

                                                    SHA1

                                                    17468f98f95bf504cc1f83c49e49a78526b3ea03

                                                    SHA256

                                                    8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

                                                    SHA512

                                                    c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                                  • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                                    Filesize

                                                    197B

                                                    MD5

                                                    8088241160261560a02c84025d107592

                                                    SHA1

                                                    083121f7027557570994c9fc211df61730455bb5

                                                    SHA256

                                                    2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

                                                    SHA512

                                                    20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                                  • \providercommon\DllCommonsvc.exe

                                                    Filesize

                                                    1.0MB

                                                    MD5

                                                    bd31e94b4143c4ce49c17d3af46bcad0

                                                    SHA1

                                                    f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                                    SHA256

                                                    b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                                    SHA512

                                                    f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

• memory/980-752-0x0000000000D40000-0x0000000000E50000-memory.dmp (1.1MB)
• memory/1120-692-0x0000000000020000-0x0000000000130000-memory.dmp (1.1MB)
• memory/1404-212-0x0000000000260000-0x0000000000370000-memory.dmp (1.1MB)
• memory/1496-572-0x0000000000380000-0x0000000000490000-memory.dmp (1.1MB)
• memory/1608-331-0x0000000001290000-0x00000000013A0000-memory.dmp (1.1MB)
• memory/1720-84-0x0000000000C90000-0x0000000000DA0000-memory.dmp (1.1MB)
• memory/2236-512-0x0000000001320000-0x0000000001430000-memory.dmp (1.1MB)
• memory/2364-391-0x0000000000330000-0x0000000000440000-memory.dmp (1.1MB)
• memory/2540-871-0x0000000000FF0000-0x0000000001100000-memory.dmp (1.1MB)
• memory/2604-15-0x00000000001E0000-0x00000000001EC000-memory.dmp (48KB)
• memory/2604-14-0x00000000001D0000-0x00000000001E2000-memory.dmp (72KB)
• memory/2604-13-0x0000000000200000-0x0000000000310000-memory.dmp (1.1MB)
• memory/2604-16-0x00000000001F0000-0x00000000001FC000-memory.dmp (48KB)
• memory/2604-17-0x0000000000310000-0x000000000031C000-memory.dmp (48KB)
• memory/2636-272-0x0000000001240000-0x0000000001350000-memory.dmp (1.1MB)
• memory/2804-85-0x000000001B740000-0x000000001BA22000-memory.dmp (2.9MB)
• memory/2864-452-0x00000000003D0000-0x00000000003E2000-memory.dmp (72KB)
• memory/2864-451-0x0000000000A70000-0x0000000000B80000-memory.dmp (1.1MB)
• memory/2980-632-0x0000000001040000-0x0000000001150000-memory.dmp (1.1MB)
• memory/3060-87-0x0000000002350000-0x0000000002358000-memory.dmp (32KB)