Analysis

  • max time kernel
    145s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    22-12-2024 00:43

General

  • Target

    JaffaCakes118_5ff0fdf8aff7bcb0c15d0d9f28026aedc2cf3e4fbb9b37d1532bfde84eb0d0fc.exe

  • Size

    1.3MB

  • MD5

    4f01f846774d6aa86f007ff35694f359

  • SHA1

    6fa86a12ba02f5d89cbdeee0f3ec57ba4828c1a4

  • SHA256

    5ff0fdf8aff7bcb0c15d0d9f28026aedc2cf3e4fbb9b37d1532bfde84eb0d0fc

  • SHA512

    6d0ae358fda729f153be34d4c9580ad1115a05a1a16eca679f878b95351ad4b98c1bb7552f4a0006eb08b91b3d751a0b6f173827645369313e67199eb7ad1ba4

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 57 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 9 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs
  • Drops file in Program Files directory 9 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 36 IoCs
  • Suspicious use of AdjustPrivilegeToken 32 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5ff0fdf8aff7bcb0c15d0d9f28026aedc2cf3e4fbb9b37d1532bfde84eb0d0fc.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5ff0fdf8aff7bcb0c15d0d9f28026aedc2cf3e4fbb9b37d1532bfde84eb0d0fc.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2308
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2980
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2928
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3060
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2728
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\conhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1948
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dllhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2232
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\lsm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:940
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\services.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2024
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2340
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\dwm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2904
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\WmiPrvSE.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2700
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dwm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2408
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1624
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Media\Afternoon\taskhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:928
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\audiodg.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1824
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\audiodg.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2768
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\wininit.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2868
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Documents\dwm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2888
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\spoolsv.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2892
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2668
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\System.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2440
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\services.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:628
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\LocalLow\explorer.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2872
          • C:\providercommon\services.exe
            "C:\providercommon\services.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:892
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7kLsQlNPpi.bat"
              6⤵
                PID:1596
                • C:\Windows\system32\w32tm.exe
                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                  7⤵
                    PID:1720
                  • C:\providercommon\services.exe
                    "C:\providercommon\services.exe"
                    7⤵
                    • Executes dropped EXE
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2472
                    • C:\Windows\System32\cmd.exe
                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\V68XQM6FdC.bat"
                      8⤵
                        PID:2244
                        • C:\Windows\system32\w32tm.exe
                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                          9⤵
                            PID:1648
                          • C:\providercommon\services.exe
                            "C:\providercommon\services.exe"
                            9⤵
                            • Executes dropped EXE
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            PID:388
                            • C:\Windows\System32\cmd.exe
                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qX4ufk0Q6M.bat"
                              10⤵
                                PID:2368
                                • C:\Windows\system32\w32tm.exe
                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                  11⤵
                                    PID:2984
                                  • C:\providercommon\services.exe
                                    "C:\providercommon\services.exe"
                                    11⤵
                                    • Executes dropped EXE
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:1144
                                    • C:\Windows\System32\cmd.exe
                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GzuRWOxc20.bat"
                                      12⤵
                                        PID:2480
                                        • C:\Windows\system32\w32tm.exe
                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                          13⤵
                                            PID:892
                                          • C:\providercommon\services.exe
                                            "C:\providercommon\services.exe"
                                            13⤵
                                            • Executes dropped EXE
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:908
                                            • C:\Windows\System32\cmd.exe
                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oLfAgN0jmw.bat"
                                              14⤵
                                                PID:496
                                                • C:\Windows\system32\w32tm.exe
                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                  15⤵
                                                    PID:2404
                                                  • C:\providercommon\services.exe
                                                    "C:\providercommon\services.exe"
                                                    15⤵
                                                    • Executes dropped EXE
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:1592
                                                    • C:\Windows\System32\cmd.exe
                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hANH4lx1y1.bat"
                                                      16⤵
                                                        PID:2948
                                                        • C:\Windows\system32\w32tm.exe
                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                          17⤵
                                                            PID:1440
                                                          • C:\providercommon\services.exe
                                                            "C:\providercommon\services.exe"
                                                            17⤵
                                                            • Executes dropped EXE
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:1912
                                                            • C:\Windows\System32\cmd.exe
                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xm2kK1SIVO.bat"
                                                              18⤵
                                                                PID:2228
                                                                • C:\Windows\system32\w32tm.exe
                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                  19⤵
                                                                    PID:936
                                                                  • C:\providercommon\services.exe
                                                                    "C:\providercommon\services.exe"
                                                                    19⤵
                                                                    • Executes dropped EXE
                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    PID:1564
                                                                    • C:\Windows\System32\cmd.exe
                                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tiHtiEmsSK.bat"
                                                                      20⤵
                                                                        PID:2852
                                                                        • C:\Windows\system32\w32tm.exe
                                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                          21⤵
                                                                            PID:348
                                                                          • C:\providercommon\services.exe
                                                                            "C:\providercommon\services.exe"
                                                                            21⤵
                                                                            • Executes dropped EXE
                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:1528
                                                                            • C:\Windows\System32\cmd.exe
                                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D5faDLbbQ0.bat"
                                                                              22⤵
                                                                                PID:1980
                                                                                • C:\Windows\system32\w32tm.exe
                                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                  23⤵
                                                                                    PID:1772
                                                                                  • C:\providercommon\services.exe
                                                                                    "C:\providercommon\services.exe"
                                                                                    23⤵
                                                                                    • Executes dropped EXE
                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                    PID:2964
                                                                                    • C:\Windows\System32\cmd.exe
                                                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cOf3pucYXi.bat"
                                                                                      24⤵
                                                                                        PID:2132
                                                                                        • C:\Windows\system32\w32tm.exe
                                                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                          25⤵
                                                                                            PID:2264
                                                                                          • C:\providercommon\services.exe
                                                                                            "C:\providercommon\services.exe"
                                                                                            25⤵
                                                                                            • Executes dropped EXE
                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                            PID:1180
                                                                                            • C:\Windows\System32\cmd.exe
                                                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J2mXRZwkCj.bat"
                                                                                              26⤵
                                                                                                PID:568
                                                                                                • C:\Windows\system32\w32tm.exe
                                                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                  27⤵
                                                                                                    PID:2336
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\conhost.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2700
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\conhost.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2440
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\conhost.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2672
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dllhost.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:928
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dllhost.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1056
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dllhost.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1088
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\lsm.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1144
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\lsm.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2108
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\lsm.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2420
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\providercommon\services.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1452
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2056
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1588
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:280
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2720
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1252
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\dwm.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2896
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\dwm.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1840
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\dwm.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2828
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\WmiPrvSE.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2996
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\WmiPrvSE.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2444
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\WmiPrvSE.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1124
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dwm.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1648
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dwm.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2128
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dwm.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1912
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Portable Devices\DllCommonsvc.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2040
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\DllCommonsvc.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2184
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\DllCommonsvc.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2336
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Windows\Media\Afternoon\taskhost.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2116
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\Media\Afternoon\taskhost.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:292
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Windows\Media\Afternoon\taskhost.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2216
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1864
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2552
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2276
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\audiodg.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:612
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\audiodg.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1604
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\audiodg.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1544
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\providercommon\wininit.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2576
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2080
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2244
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Documents\dwm.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1708
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\All Users\Documents\dwm.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:988
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Documents\dwm.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1976
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\spoolsv.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1952
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1372
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1304
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:856
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2200
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2076
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\System.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:3036
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\System.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1696
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\System.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2436
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\providercommon\services.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2328
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2920
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1916
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\LocalLow\explorer.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2784
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Admin\AppData\LocalLow\explorer.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2972
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\AppData\LocalLow\explorer.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2764

                                              Network

                                              MITRE ATT&CK Enterprise v15

                                              Replay Monitor

                                              Loading Replay Monitor...

                                              Downloads

                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                Filesize

                                                342B

                                                MD5

                                                12aa2b4bba699528ebbba3916ce36910

                                                SHA1

                                                c3b05db7d9cdf39c51ab255f9449cada64eb9c58

                                                SHA256

                                                cb5b565ee0adaf5718a84beca0090ada4b24e282b207980ea583e2b128bbf85e

                                                SHA512

                                                603602a1b95c025a1f9f374e2e5608510a4f7658dafd45842e676786930724a21928f5fdaf66825d4b635feec3d51ee1f42123b1d11a640e958a567fb1a4a800

                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                Filesize

                                                342B

                                                MD5

                                                42b4d26ef6e4239ab0d459e92e949e7f

                                                SHA1

                                                24edb1e8c1359c8b3dbb609b168b4d8f301fb642

                                                SHA256

                                                cd7386a7d7a93b3a7f92a81dacc811ee349e2b53d4e95672557a80ce48aacf38

                                                SHA512

                                                4930592c8c11fd629464185a30cf6c34dedaad018b248cbd8b8bf9cfc5484785465db96eb9e146e8080732acd7b4461a95af8a5ad497719c7ff69c5eaa8019c7

                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                Filesize

                                                342B

                                                MD5

                                                ecc7eb15867a3be572fa42a60acf47b5

                                                SHA1

                                                6a41913dfcf35db71f1665baf6538aea7a9fa730

                                                SHA256

                                                0d6d1f9814548d4ad7ba472eddfc785939cde9624cc1b8f2560f2ed606e0c02d

                                                SHA512

                                                9c32973553e8e574506c25af12e50597dbc8e5d55532096644b73df72efb4afc0c0e1e66c27cfa1b8a9dfee876a859a174f28d94b0fc438b21de6b1c27f11dc3

                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                Filesize

                                                342B

                                                MD5

                                                96fa856948214f104aede73d20a90997

                                                SHA1

                                                0cd9bdcd3ffd1bdc0c135dceec8f6a919ccd8de3

                                                SHA256

                                                d75f8ca0ad66f891b2f9a476e9c1ca2985a69a58031dce03645d5f6226e311db

                                                SHA512

                                                1c45b9cd43b34a644460c81825b9e8ddbb8fb6433533179cc61ba2bb704f68b87cede1510d4165a8449e85faa3ad471ed0f6a96a85a1513ab4ab46f58620b24e

                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                Filesize

                                                342B

                                                MD5

                                                a4130a1457a4f3ffa0030386fc6cf749

                                                SHA1

                                                c7814dae35ff1218ef644eaa662f86616a1cbafc

                                                SHA256

                                                433b4d4cd634388e977a939f1733bf10c9830063d26e178048332caad268cb36

                                                SHA512

                                                c4702ce9f2a41f2671db0b85cc6afbe062aac30bad6b737bd13ec59fbc3f4eac3a3d937cf1eb286c42a726368b50fe47c75dae188ccba53dbbbae65c08067970

                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                Filesize

                                                342B

                                                MD5

                                                be16c823fffad9f12b0834e6d5dac598

                                                SHA1

                                                ff6cc374b793f19a44419773f2e375d4622ac29b

                                                SHA256

                                                7c2082ffae489a73fd1154eb499ac3e91e76f55be2c2af301dee4d4f80d946db

                                                SHA512

                                                09307e9a699c8eb6328476f28f3bc90e117c81b656915529073d5e2efeda83800e1f412b3663c597e7ded5e3cfa6e9a6aebd3610112d62f909579f2209379469

                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                Filesize

                                                342B

                                                MD5

                                                af1a85d09e41f6925d650afbdcfc49eb

                                                SHA1

                                                098d7d0880ae9759d0556ac4c7f1737651244aef

                                                SHA256

                                                0dc21d24e4af1d932a0d4d89637da89fc2149acac23743aaca10f5369133e01b

                                                SHA512

                                                eb4ef388d3cb3a1e5089cc1ce25fadaf8f9b30de1d1e5b87d4044e0de333ef7277f98f476a48469b6fa2efd2316a3c045b7941cc4da4a7d29e966876e8eb121f

                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                Filesize

                                                342B

                                                MD5

                                                f1cf57fad184cd718622f5405cf75d54

                                                SHA1

                                                457d4b6ec9421a78530147146122bf12c6234f90

                                                SHA256

                                                cb0f53155f75fad7365ff7b7cdaf7c2f1c39b901108661919b6e139dbe35db5f

                                                SHA512

                                                825874c7b0bb48bbe7bbac69c8a45cf12cb3fd3aa06d9bc2261b211004712b44e03261034e7ff0c4b1acb6b6190fa0df63a8a32604496361b4be82a837d56f7f

                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                Filesize

                                                342B

                                                MD5

                                                24da8cf31bfcf8953aa4f7e6a50a12fb

                                                SHA1

                                                b6bdfbd46e6e2f2d9c180ac96c0f0d81f5419cb3

                                                SHA256

                                                c84d71b68d2acc6ec84ddd2ed0b85b5aed6239a853475fef6f0bb7ee77add4ed

                                                SHA512

                                                3614f418684cc458b476de884a8e292ddbc3734f8f0fee7ab334d7b22393bde12927b6a5292334aee36490de9ca6daeadced5f81b3b29426530422f1aa86c3ae

                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                Filesize

                                                342B

                                                MD5

                                                7b3abaf2397277ba275462512db616d9

                                                SHA1

                                                cdac5777b9f92a568b21f727988aeacc0523ecfc

                                                SHA256

                                                d2231e85e068fe0e7400830fa0bd701ef6a9b8c91cc2fe8aea373f6822a7da7d

                                                SHA512

                                                bad86a486c3e92ee6b0c19e4a0044728188be0b02cca49cb904b1b9cd531e27c10c8c830e9b01dc38bbec75608b6a7bcd455212971d0ff2b96a3dab0e76701d6

                                              • C:\Users\Admin\AppData\Local\Temp\7kLsQlNPpi.bat

                                                Filesize

                                                195B

                                                MD5

                                                e21795607c71ee3e6fab67c749b5caac

                                                SHA1

                                                73050344eb1ff312c10fed8d19067d60e5c933dd

                                                SHA256

                                                bd84143a74db844027206e196d9471e07de34cfb23c34a175c8eacd28d294d44

                                                SHA512

                                                7922dc0720d6ce8c9b8d92987c7ef4616705f0e4ba94aab40f08f1f4692b0b5f97e9747e855dc1d33e837e3db8310fb1088d4c452baf82b64a2d0475ca95ae62

                                              • C:\Users\Admin\AppData\Local\Temp\Cab31E.tmp

                                                Filesize

                                                70KB

                                                MD5

                                                49aebf8cbd62d92ac215b2923fb1b9f5

                                                SHA1

                                                1723be06719828dda65ad804298d0431f6aff976

                                                SHA256

                                                b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                                SHA512

                                                bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                              • C:\Users\Admin\AppData\Local\Temp\D5faDLbbQ0.bat

                                                Filesize

                                                195B

                                                MD5

                                                e63a8eebe3f178d24741315786921c06

                                                SHA1

                                                a204ad10dd849a3554145ef8d6420b8d3c4f9e3f

                                                SHA256

                                                5b6f494bd15290ace9db045823c0cc6a0a69a51e521c21992646ba42fcf397b5

                                                SHA512

                                                6f8b552cbce81718a52fd95f8b23f8ea8da5f13d6fdf4e5e7ce82243cb3f85b3c3d60f9244d4b0f5fe55fa6bde0fd02216b17f05520222f7b1d7e73b98c40b8b

                                              • C:\Users\Admin\AppData\Local\Temp\GzuRWOxc20.bat

                                                Filesize

                                                195B

                                                MD5

                                                0a86ce1fa8e746ebc0442f78d881a19d

                                                SHA1

                                                9d86866c62c1d45f5addb9e66f70b5af452b9805

                                                SHA256

                                                55e35a699f02bb90f37ca8f14aa301cbd61b7e2d551eb016a957991e980d9a34

                                                SHA512

                                                3a4ee4c3f83e852268fb0c256fd5bbed51cb8a7be59b3187f0bcc1748f4535b7791d1b0dc38213f3c4d892391f24271b8345c14cffa9682cbfdee72abcd8635c

                                              • C:\Users\Admin\AppData\Local\Temp\J2mXRZwkCj.bat

                                                Filesize

                                                195B

                                                MD5

                                                355ef4445044557241ea5be6ed26600c

                                                SHA1

                                                1e5e249d262d43494ceeeb48ed83e9d9cb41cf50

                                                SHA256

                                                82f893782d9c8ccea9a882bdbe6d0548d25da333a52659c444d4de25a4429fd7

                                                SHA512

                                                ef9c01766f4c9859404d1cd27eac2020b3043b8be279a907d7ebd44084354e168cb7044fed414b4f6de0f12db41505ef0ce283762da16d72855b56d7ba805b61

                                              • C:\Users\Admin\AppData\Local\Temp\Tar331.tmp

                                                Filesize

                                                181KB

                                                MD5

                                                4ea6026cf93ec6338144661bf1202cd1

                                                SHA1

                                                a1dec9044f750ad887935a01430bf49322fbdcb7

                                                SHA256

                                                8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                                                SHA512

                                                6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                              • C:\Users\Admin\AppData\Local\Temp\V68XQM6FdC.bat

                                                Filesize

                                                195B

                                                MD5

                                                d6ff321239518688a948a75d4cb731a1

                                                SHA1

                                                87a9fb93398669c82e20af16689a4d95d69d5dd5

                                                SHA256

                                                7fbe67782bdc55c660685696b159f627447089fdf224a4b10b5e9b02e5867b41

                                                SHA512

                                                a38bfe9e2b2d4c29ab93ad52e50f71c514d9b42cf63223a0a2755521d21f390a7b97da70d583f993966c7c901f3c26d12da8e87b1b194486293c56bb3835e871

                                              • C:\Users\Admin\AppData\Local\Temp\cOf3pucYXi.bat

                                                Filesize

                                                195B

                                                MD5

                                                71ac6e9f0c0b49b58506570adce631b4

                                                SHA1

                                                0267d302aa7d18b8664ac8d5e7b8ed17ebf57fe2

                                                SHA256

                                                051051b902a1be0aa3c9c13b2a2e517c03ad7e6e396ea4d1a1b0cee22edba369

                                                SHA512

                                                236ec3bc14e984334cf7f393b4722b610db87a2f20865bef1981d61c7fc23c9a319c8ec2a95c61e64733c00f251369f863f260b8b29fec190ef34b90c969864c

                                              • C:\Users\Admin\AppData\Local\Temp\hANH4lx1y1.bat

                                                Filesize

                                                195B

                                                MD5

                                                7072b719f56d223b58d3b6acb824f9e1

                                                SHA1

                                                7215f58036cb5e6841719132f13522617a1a5aeb

                                                SHA256

                                                f46a65229f5952c1eb2ee92f24f6c807776dc1e1c43190887682fcd85d829c5d

                                                SHA512

                                                a61ad8a4d7e9fa9d8c694d98d30b016969f90d6c5b9c4baa7c4498ac83ee575a5696f3418008b831ce9a24301be8c72098a9c86fc9b1e6f5b7adc2bbb93a98c3

                                              • C:\Users\Admin\AppData\Local\Temp\oLfAgN0jmw.bat

                                                Filesize

                                                195B

                                                MD5

                                                e8a79ac06daa66921fd93f823507163e

                                                SHA1

                                                35cf0d2f785d414677d986e6121c0c3f753013e9

                                                SHA256

                                                355bb01b2144422084671255a295f87421ea196da992758d3df50d533346cff7

                                                SHA512

                                                b2ffa77014dc8a9f284fbd93c199d9ddcc7bb179827fb284e18d565dba35e250688b6d2dd559b6179e74a229d877968880f50cf31ee4b4f648caa9b22ddaab80

                                              • C:\Users\Admin\AppData\Local\Temp\qX4ufk0Q6M.bat

                                                Filesize

                                                195B

                                                MD5

                                                3d6bcbbc8f23afc7358c57c5ccd5e2a6

                                                SHA1

                                                c7445c2058be82daede403d2aa617ff18bf7b656

                                                SHA256

                                                22e6e457767a92aca1b128ee3846a69c7f8faae2f5bd18a9f325149bcfb18d16

                                                SHA512

                                                0b2795720061bdca2fb5988276e883bab69420b7dee4b1c4e8b40e4ec9441158d4c6d07a6978f44fe2273791de7db9e8f4b5bb062e46ded6d77a5bb89e80bf8b

                                              • C:\Users\Admin\AppData\Local\Temp\tiHtiEmsSK.bat

                                                Filesize

                                                195B

                                                MD5

                                                20a82613cc4183e1c5d6e05ae9d4061f

                                                SHA1

                                                abbfec9548602d113a2f805b68f55f43dec738eb

                                                SHA256

                                                e00dcf16168af8a8575d1857b0296d2d970e5021356e167395d36a82d4219c2f

                                                SHA512

                                                c937a8cb00099d33a97e50370ebb8a5a97a521494aafd9b6b3cb29cb0036361c8c44bcd137ca0853492a1f6eaf832ee47014df07fa534945c4b3fb638de3a8a2

                                              • C:\Users\Admin\AppData\Local\Temp\xm2kK1SIVO.bat

                                                Filesize

                                                195B

                                                MD5

                                                37a92251c9c8874bdbab641a3683d367

                                                SHA1

                                                98212d87fe75f41ac16951ce5d259275b6d7a0bf

                                                SHA256

                                                9183176c40e1561c404fd121333f186e95df761f8c2da3454603bbb556fd5ff7

                                                SHA512

                                                eb7692efa22b81036a31ba86b42188bb3852e63204cafa27d12fd121dbff711606631f85dd26f058b70c9a6c026af2e605ec83b2b3fe4ba8fdd5ec764286e509

                                              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                                Filesize

                                                7KB

                                                MD5

                                                ce5894560dbf027ad75601a7551f9025

                                                SHA1

                                                ec1cd8b6757256eee0dc30eeacd759ce6168547b

                                                SHA256

                                                6ec555c5ee9896e7e5ab1f587ae6ca904a163c6aaf425ebc0fba76063ac9500a

                                                SHA512

                                                793a1ac5b766e321bf41ccfded8f25281070b2c3f5bc20d8b5314f24b1a3f27df89a5597fc88ef2d93760095160b455182a641e04540d264f7b43b0abfcae268

                                              • C:\providercommon\1zu9dW.bat

                                                Filesize

                                                36B

                                                MD5

                                                6783c3ee07c7d151ceac57f1f9c8bed7

                                                SHA1

                                                17468f98f95bf504cc1f83c49e49a78526b3ea03

                                                SHA256

                                                8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

                                                SHA512

                                                c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                              • C:\providercommon\DllCommonsvc.exe

                                                Filesize

                                                1.0MB

                                                MD5

                                                bd31e94b4143c4ce49c17d3af46bcad0

                                                SHA1

                                                f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                                SHA256

                                                b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                                SHA512

                                                f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                              • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                                Filesize

                                                197B

                                                MD5

                                                8088241160261560a02c84025d107592

                                                SHA1

                                                083121f7027557570994c9fc211df61730455bb5

                                                SHA256

                                                2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

                                                SHA512

                                                20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                              • memory/388-272-0x0000000000B80000-0x0000000000C90000-memory.dmp

                                                Filesize

                                                1.1MB

                                              • memory/892-68-0x0000000000910000-0x0000000000A20000-memory.dmp

                                                Filesize

                                                1.1MB

                                              • memory/892-79-0x00000000003D0000-0x00000000003E2000-memory.dmp

                                                Filesize

                                                72KB

                                              • memory/908-393-0x0000000000250000-0x0000000000262000-memory.dmp

                                                Filesize

                                                72KB

                                              • memory/908-392-0x0000000000260000-0x0000000000370000-memory.dmp

                                                Filesize

                                                1.1MB

                                              • memory/1144-332-0x00000000011A0000-0x00000000012B0000-memory.dmp

                                                Filesize

                                                1.1MB

                                              • memory/1180-750-0x0000000000440000-0x0000000000452000-memory.dmp

                                                Filesize

                                                72KB

                                              • memory/1592-453-0x0000000001270000-0x0000000001380000-memory.dmp

                                                Filesize

                                                1.1MB

                                              • memory/2340-64-0x000000001B5D0000-0x000000001B8B2000-memory.dmp

                                                Filesize

                                                2.9MB

                                              • memory/2340-66-0x00000000027E0000-0x00000000027E8000-memory.dmp

                                                Filesize

                                                32KB

                                              • memory/2472-211-0x0000000000180000-0x0000000000290000-memory.dmp

                                                Filesize

                                                1.1MB

                                              • memory/2472-212-0x00000000003D0000-0x00000000003E2000-memory.dmp

                                                Filesize

                                                72KB

                                              • memory/2964-690-0x00000000012C0000-0x00000000013D0000-memory.dmp

                                                Filesize

                                                1.1MB

                                              • memory/3060-17-0x00000000004A0000-0x00000000004AC000-memory.dmp

                                                Filesize

                                                48KB

                                              • memory/3060-16-0x0000000000480000-0x000000000048C000-memory.dmp

                                                Filesize

                                                48KB

                                              • memory/3060-15-0x0000000000490000-0x000000000049C000-memory.dmp

                                                Filesize

                                                48KB

                                              • memory/3060-14-0x0000000000360000-0x0000000000372000-memory.dmp

                                                Filesize

                                                72KB

                                              • memory/3060-13-0x0000000000370000-0x0000000000480000-memory.dmp

                                                Filesize

                                                1.1MB