Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    22-12-2024 05:18

General

  • Target

    JaffaCakes118_40609b7de672d5caba4bc6662eb428dfb3b59acef74300590e854f19aad2e5fe.exe

  • Size

    1.3MB

  • MD5

    a1356bfafb7d4168bd2dbf99517c07e8

  • SHA1

    5ad7150d7c05364e7c4fbef2573f74d47e98cecb

  • SHA256

    40609b7de672d5caba4bc6662eb428dfb3b59acef74300590e854f19aad2e5fe

  • SHA512

    3a911949f87eeecc6e03ea9b075278047ce38f6a8c5ce0eedd3d262a41e285335d1ba38bb0e0f12b8bca224a9ff77bc7cd861801f70a16f7481df0916738b190

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 64 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 9 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 24 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs
  • Drops file in Program Files directory 13 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 46 IoCs
  • Suspicious use of AdjustPrivilegeToken 36 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40609b7de672d5caba4bc6662eb428dfb3b59acef74300590e854f19aad2e5fe.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40609b7de672d5caba4bc6662eb428dfb3b59acef74300590e854f19aad2e5fe.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1712
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1748
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2580
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2776
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2700
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3068
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\smss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2972
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\RemotePackages\WmiPrvSE.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2168
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9IAIdwWqxW.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:3048
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:2348
              • C:\providercommon\DllCommonsvc.exe
                "C:\providercommon\DllCommonsvc.exe"
                6⤵
                • Executes dropped EXE
                • Drops file in Program Files directory
                • Drops file in Windows directory
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2536
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2968
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\WmiPrvSE.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2420
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WmiPrvSE.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:280
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\Idle.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2044
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1216
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Links\WmiPrvSE.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1772
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\LiveKernelReports\lsm.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:848
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2604
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\en-US\csrss.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1032
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\smss.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2512
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\Idle.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1248
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\audiodg.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2228
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\spoolsv.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2212
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\winlogon.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1016
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\explorer.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1684
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\fr-FR\winlogon.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:976
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsm.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2200
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\fr-FR\WmiPrvSE.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:284
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2088
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:788
                • C:\providercommon\WmiPrvSE.exe
                  "C:\providercommon\WmiPrvSE.exe"
                  7⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2252
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BHs9KC1JDp.bat"
                    8⤵
                      PID:1716
                      • C:\Windows\system32\w32tm.exe
                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                        9⤵
                          PID:1748
                        • C:\providercommon\WmiPrvSE.exe
                          "C:\providercommon\WmiPrvSE.exe"
                          9⤵
                          • Executes dropped EXE
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1900
                          • C:\Windows\System32\cmd.exe
                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cSLzsZ1i8q.bat"
                            10⤵
                              PID:3000
                              • C:\Windows\system32\w32tm.exe
                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                11⤵
                                  PID:1428
                                • C:\providercommon\WmiPrvSE.exe
                                  "C:\providercommon\WmiPrvSE.exe"
                                  11⤵
                                  • Executes dropped EXE
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:2752
                                  • C:\Windows\System32\cmd.exe
                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YzNOjOTGFC.bat"
                                    12⤵
                                      PID:2544
                                      • C:\Windows\system32\w32tm.exe
                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                        13⤵
                                          PID:284
                                        • C:\providercommon\WmiPrvSE.exe
                                          "C:\providercommon\WmiPrvSE.exe"
                                          13⤵
                                          • Executes dropped EXE
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:2584
                                          • C:\Windows\System32\cmd.exe
                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yWf31kVUUl.bat"
                                            14⤵
                                              PID:2580
                                              • C:\Windows\system32\w32tm.exe
                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                15⤵
                                                  PID:2252
                                                • C:\providercommon\WmiPrvSE.exe
                                                  "C:\providercommon\WmiPrvSE.exe"
                                                  15⤵
                                                  • Executes dropped EXE
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:2336
                                                  • C:\Windows\System32\cmd.exe
                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\h6oaLUsZTY.bat"
                                                    16⤵
                                                      PID:692
                                                      • C:\Windows\system32\w32tm.exe
                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                        17⤵
                                                          PID:1872
                                                        • C:\providercommon\WmiPrvSE.exe
                                                          "C:\providercommon\WmiPrvSE.exe"
                                                          17⤵
                                                          • Executes dropped EXE
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:1036
                                                          • C:\Windows\System32\cmd.exe
                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fmZn61weJC.bat"
                                                            18⤵
                                                              PID:2272
                                                              • C:\Windows\system32\w32tm.exe
                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                19⤵
                                                                  PID:1296
                                                                • C:\providercommon\WmiPrvSE.exe
                                                                  "C:\providercommon\WmiPrvSE.exe"
                                                                  19⤵
                                                                  • Executes dropped EXE
                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:1772
                                                                  • C:\Windows\System32\cmd.exe
                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yvlYFj4oEg.bat"
                                                                    20⤵
                                                                      PID:1644
                                                                      • C:\Windows\system32\w32tm.exe
                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                        21⤵
                                                                          PID:2600
                                                                        • C:\providercommon\WmiPrvSE.exe
                                                                          "C:\providercommon\WmiPrvSE.exe"
                                                                          21⤵
                                                                          • Executes dropped EXE
                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          PID:2584
                                                                          • C:\Windows\System32\cmd.exe
                                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2mwtwHUJyt.bat"
                                                                            22⤵
                                                                              PID:2612
                                                                              • C:\Windows\system32\w32tm.exe
                                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                23⤵
                                                                                  PID:1168
                                                                                • C:\providercommon\WmiPrvSE.exe
                                                                                  "C:\providercommon\WmiPrvSE.exe"
                                                                                  23⤵
                                                                                  • Executes dropped EXE
                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                  PID:1660
                                                                                  • C:\Windows\System32\cmd.exe
                                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oS12nhm3yC.bat"
                                                                                    24⤵
                                                                                      PID:2304
                                                                                      • C:\Windows\system32\w32tm.exe
                                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                        25⤵
                                                                                          PID:2180
                                                                                        • C:\providercommon\WmiPrvSE.exe
                                                                                          "C:\providercommon\WmiPrvSE.exe"
                                                                                          25⤵
                                                                                          • Executes dropped EXE
                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:2768
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2952
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2900
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2684
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\smss.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2672
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2752
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2680
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Windows\RemotePackages\WmiPrvSE.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1036
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\RemotePackages\WmiPrvSE.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:3008
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Windows\RemotePackages\WmiPrvSE.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1952
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Defender\WmiPrvSE.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1248
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\WmiPrvSE.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:976
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\WmiPrvSE.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1536
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\providercommon\WmiPrvSE.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1448
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1444
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:924
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\Idle.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1012
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\Idle.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1368
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\Idle.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2424
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\providercommon\explorer.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          PID:1584
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2148
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2716
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Links\WmiPrvSE.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2528
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Admin\Links\WmiPrvSE.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1220
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Links\WmiPrvSE.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1792
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Windows\LiveKernelReports\lsm.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2712
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\lsm.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2432
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Windows\LiveKernelReports\lsm.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1964
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\providercommon\sppsvc.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:900
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2564
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1496
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Defender\en-US\csrss.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:692
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\en-US\csrss.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:936
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender\en-US\csrss.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1176
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\smss.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:832
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\smss.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2236
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\smss.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2104
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\Idle.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2300
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2936
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2924
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\audiodg.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2636
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\audiodg.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1796
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\audiodg.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2848
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\spoolsv.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:812
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\spoolsv.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2672
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\spoolsv.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:3024
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\winlogon.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2760
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\winlogon.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2940
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\winlogon.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2304
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\explorer.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1036
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\explorer.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2024
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\explorer.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2492
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Media Player\fr-FR\winlogon.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2740
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\fr-FR\winlogon.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2268
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Media Player\fr-FR\winlogon.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2240
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\providercommon\lsm.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:904
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2856
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:3016
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\WmiPrvSE.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1376
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\WmiPrvSE.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2616
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\WmiPrvSE.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1700
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\providercommon\sppsvc.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2572
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2700
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          PID:860
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1944
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:3068
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:296

                                        Network

                                        MITRE ATT&CK Enterprise v15

                                        Replay Monitor

                                        Loading Replay Monitor...

                                        Downloads

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                          Filesize

                                          342B

                                          MD5

                                          d2af5c8d645ec1ec530aa32c3bdd99e4

                                          SHA1

                                          f87030147fd61dacbc1232d4fea44e43e9404b2e

                                          SHA256

                                          92d06c25280e242853238b85e74b21e256238a5ec7af19ebbdee02e436d12264

                                          SHA512

                                          ade2177964fa0ed46297c2329fb39e235f2c43531742e4656274f23415fe29ee305a28535b61a444888f3fdd84afe41e11c2b730c718cadb75d3ecdf3e3343be

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                          Filesize

                                          342B

                                          MD5

                                          955ba6179ef3bcb4c556590f206e30cb

                                          SHA1

                                          afb0e82f66c11efe9d94345b00bf8e099986360a

                                          SHA256

                                          c6e1af626870a99341e358e76cfdcc33d1889385aedf7347d50e9e5612e9960a

                                          SHA512

                                          af8f4427c7fbdf33f3e3835129e37bb0e680767a9ecc885c86fa4c5f7fbcc0e598c75ea9c6dfe936a21c648d207b565e5283478cb65a77fa84a11127bd2bfe05

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                          Filesize

                                          342B

                                          MD5

                                          10f7efed605a4cb7b86a8254de37c7d3

                                          SHA1

                                          d63a06f623e36d3eaf20c19018ca835eac70b4ea

                                          SHA256

                                          ae66234d01411cab348213c1e69c3dfb44f2f5dee458b03e48a8a6303feb62a9

                                          SHA512

                                          16b53066e7c7a21be2db9eb4fa84b321044348493614dc1e20cea68a2f2ee224643544595fa3afe6720562a7180f80168af8d4c899d6bc08ec64007d599da4a4

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                          Filesize

                                          342B

                                          MD5

                                          391dadfc79c7241cda2774d354f56738

                                          SHA1

                                          7df3ada5be6584aed88f141022101db0b41c8180

                                          SHA256

                                          8ef215b1f801e6e1e089496f77bf31224134cdca8d40ebd72f4e7f42d5ac9410

                                          SHA512

                                          37728baefe4bf76a4c94d173e4c70f1224e536c424ac201a0b14ced79ce44e7f08d45593eaf768b07932f7f51b1fd1bce156a2cdc45eb4b07788d6c4bada8470

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                          Filesize

                                          342B

                                          MD5

                                          e8fa4f84b80650f35263c594676a0cec

                                          SHA1

                                          f708619166c73051485a641fcde7fc8de64a4496

                                          SHA256

                                          47ea3213d71f3f79115cb3e7b091d7ae379c60c0f1d5f28a0ff9eb52ee8ef285

                                          SHA512

                                          41099071a17d3c83e48d8fac816097a34808c0a891b8273bdcfe2348274fbd5292d92dc1294e9bd1bab4ec9d82686225c36e5aa95e8f72e6b06f08f9be2aa147

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                          Filesize

                                          342B

                                          MD5

                                          2e8d8be83163eab426da77e344f97f97

                                          SHA1

                                          ecd240f0c8d7499f0e2ec194f8004c133978aeb7

                                          SHA256

                                          8abe38d656b34d0316fe9a479f1ffc99d37966786e9fb0a985c75c1957827b47

                                          SHA512

                                          b4f28edcd63500b1bff653f7fb24bd92a9b53a421402d167e58f9e231f8fcdfd407cd5427dad693a165adc57b89689fcced8358cc9496cc07f8b5281c1aaab93

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                          Filesize

                                          342B

                                          MD5

                                          6adfaa0bef269fc5d6900fd25458e7e0

                                          SHA1

                                          892e19af2fcc61d722422a0049e3e1939351bbe7

                                          SHA256

                                          2bb174cf137745488959225ec64134abee6d6bb039650cb25fdaea3c37a83223

                                          SHA512

                                          20692359457d15b6fbba0534792277ce54b4a530c25adc486a20c1af31d1d5d0b6e468d46414fe9d99297935f84cc781ffbe9b24a3fac7cb1b20ffa1385132d3

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                          Filesize

                                          342B

                                          MD5

                                          c898bab6fc92403c3270532f3be9a41b

                                          SHA1

                                          b696e8169ffe7bdf5df0be2d056e6fefe2336bab

                                          SHA256

                                          8bb53be4a4de13f1c94515ebf9d47ae692ffaa3400ae4ce29038c62e710bcb50

                                          SHA512

                                          ce925a499a13eba1fea064508a61eabcc8cea2d2490b95366e4c5e87f067a28e0c192e72c37e9e7b5333e984dc4026c5ad37fd689df835496288feb51030f118

                                        • C:\Users\Admin\AppData\Local\Temp\2mwtwHUJyt.bat

                                          Filesize

                                          195B

                                          MD5

                                          f6e4798961c4c4cfac798519a74ff4e9

                                          SHA1

                                          1aa87903f9f2c8100da2597a39e2d2796ae513d1

                                          SHA256

                                          b1940486722a2b260686f2d56f69b04aadc72fb757136e5f681b83d821d3ac1f

                                          SHA512

                                          913699a6945bd098c0446bd896493b6ad7695813a20453e1e92d6c6f1ea87e95690cddbc4e24601e5f4b5bf82fff22fe6dc59c501730ccabf77ca6fab3ce1c6f

                                        • C:\Users\Admin\AppData\Local\Temp\9IAIdwWqxW.bat

                                          Filesize

                                          199B

                                          MD5

                                          4bd52ee1a9b6e179f3721224dd318ae6

                                          SHA1

                                          2678b898a668eb608f712aecfd719a89c001aa27

                                          SHA256

                                          e92e1944fcdc4e15eec4b0742096268ff0da5dfd31f6ef1110e5dfb5478b78db

                                          SHA512

                                          bb146a63ff240421ebe87d269b08a4b4ea36414d1740103c46a7865c0fd763f6411f6a8c50251bccdb35f4678fa20c845e5d3aef1da164bb8ae76de349dcb249

                                        • C:\Users\Admin\AppData\Local\Temp\BHs9KC1JDp.bat

                                          Filesize

                                          195B

                                          MD5

                                          7035ad587bf56a7b5a585824035d4d62

                                          SHA1

                                          364c7224c8644532f7ccad39f9f6fd03aec566d9

                                          SHA256

                                          990e66e7fad7c9b6dddbb5542d788e4fe86216d8cd67ace8966c868e63e59726

                                          SHA512

                                          6c3e8a7df325d692f8b4fe31da3fd91f4b9a99d66a68c1026df47cb50ac73b799c0c13cbff19c860ec44201c2744f6d6f4db9267daf0671676802fcc5b5bb2d4

                                        • C:\Users\Admin\AppData\Local\Temp\Cab4C10.tmp

                                          Filesize

                                          70KB

                                          MD5

                                          49aebf8cbd62d92ac215b2923fb1b9f5

                                          SHA1

                                          1723be06719828dda65ad804298d0431f6aff976

                                          SHA256

                                          b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                          SHA512

                                          bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                        • C:\Users\Admin\AppData\Local\Temp\Tar4C32.tmp

                                          Filesize

                                          181KB

                                          MD5

                                          4ea6026cf93ec6338144661bf1202cd1

                                          SHA1

                                          a1dec9044f750ad887935a01430bf49322fbdcb7

                                          SHA256

                                          8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                                          SHA512

                                          6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                        • C:\Users\Admin\AppData\Local\Temp\YzNOjOTGFC.bat

                                          Filesize

                                          195B

                                          MD5

                                          4c6a3f5ca52ca78fa211d31cd3507bbd

                                          SHA1

                                          6ad4add55c671621bd1fcabf0584122fc75baf12

                                          SHA256

                                          993182075f48d6e490cdf20fd8e1a578c466dd933d404a811d53d9ab88cd5c13

                                          SHA512

                                          164576e7aeacc9e7ae60849742b2571ec9b52f94028933f91212f2a934b2aa848c6423185b4d723095e9387b4e1cc333864962598fe87fc67fcbcbe094088586

                                        • C:\Users\Admin\AppData\Local\Temp\cSLzsZ1i8q.bat

                                          Filesize

                                          195B

                                          MD5

                                          1634ae37a5e337cc2272078abcb93c3e

                                          SHA1

                                          ac6fce66b34166c84d4cbf854998852a6b7dd2d0

                                          SHA256

                                          89c899f5e6e67b4f5aa05bba86161dcbe28b79f6924cac2d71db312c6576a8a2

                                          SHA512

                                          d6726626d54063eb193222086e60d7bc8a4e8ea516456d763d8ad4a98c9e7a27461b93542c7a8cbb4cfd051d3b01650a4e7659c2b8adac897d0900776ed6e067

                                        • C:\Users\Admin\AppData\Local\Temp\fmZn61weJC.bat

                                          Filesize

                                          195B

                                          MD5

                                          5cecc6b31ebc4e11f0f0c6c702a3c55b

                                          SHA1

                                          601a4f8a471f344bc367b6acddd03d6bc2a56381

                                          SHA256

                                          f5aa8878a53de656d090bc8515a902f6b7d9cb019b88b297dba92ccd7bd30295

                                          SHA512

                                          9e9f756eada5d55e8defa2eb72938ac2cb3f8634150db87e877ac323a93a69117c8cfbb383a553e22c96925e77ba460dc754ff38ed1485a860a41bebd3ad6eab

                                        • C:\Users\Admin\AppData\Local\Temp\h6oaLUsZTY.bat

                                          Filesize

                                          195B

                                          MD5

                                          cf9bbcdfc8f8e2daf7d50803929d1fe2

                                          SHA1

                                          ef659edcdfa98eece64c47166452c75d9ae037aa

                                          SHA256

                                          e25da996a525a2d0233aca896f726d1ce66cb991e8e473151e395e98ade86b8c

                                          SHA512

                                          ef415e8e6fa6bfbae9a31354fa0a296768f71c43ccf1773778409d96998b49240af4f050e3ca14c34d8cc15df18dcd47dfb1a9e791ea066f2ed3fd06bc477886

                                        • C:\Users\Admin\AppData\Local\Temp\oS12nhm3yC.bat

                                          Filesize

                                          195B

                                          MD5

                                          d7637213303e620529a519a85405ae5f

                                          SHA1

                                          7a22ae4f866a13a471e60cc1d59fe7fe0024fd89

                                          SHA256

                                          31e4b578e72c0a001b17c615bbf5e2d6f2f756980cb2ad33aac6ea0e6503c088

                                          SHA512

                                          dbab67c63bf43a3896c4d30c690395a5683cf436785593ab0c07dfbd675182edd597ade5cfa768f7bbd2fd471b5e3fdd129625d2e01f02040cca0b820c54e9bd

                                        • C:\Users\Admin\AppData\Local\Temp\yWf31kVUUl.bat

                                          Filesize

                                          195B

                                          MD5

                                          9fd65186a5e48973adc9bf97fc7db84f

                                          SHA1

                                          8f66bf902671070ad2959f80d917d38d2b9a7562

                                          SHA256

                                          610901addfa7e58ccb2a32dfc51689f071a9925539283b70e4070947eda4fc30

                                          SHA512

                                          bbbb7b2d60a9f4d25a63e921f5769a2a2f6a48a06683837db3c46cc003967a7351afd8ac1bf5158b8952bfb5d3c9151a202b90276316bae378bbe96659adcefd

                                        • C:\Users\Admin\AppData\Local\Temp\yvlYFj4oEg.bat

                                          Filesize

                                          195B

                                          MD5

                                          3adca9f52a67cc79907c5d8c3173a4b6

                                          SHA1

                                          a1e42b90ed1f1d7042048f122748ae8a7b36770f

                                          SHA256

                                          15f90d94ed5500c1c768db38487b23b81bcd3ceddd030ca2138b72ab1bf7c403

                                          SHA512

                                          b0966edd57a38b84f5e7f7bb6083428e598600b1dc370f710d753cf12f9f3f75cd15e24ed94ea6e7bf3f9cced61a6c89226adcc7ea737cd149dcce963b630583

                                        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                          Filesize

                                          7KB

                                          MD5

                                          3368afb4d8f2624f66004e74a59d5eb8

                                          SHA1

                                          06a539bedfeb2764eaabb468601637fdabccf5d2

                                          SHA256

                                          cee2418dd32e3088ce1422b3c19607242f35f69112eeb9f1da7ebb7bdd6ad21a

                                          SHA512

                                          20ff1e54afc16808397f14c6d5bf4d0133c68e7c534bf84f50d170239e3929d05d0200e90ce65e480e47f38e7ba713d0d7ae35f44673c1ef79ffab2416e125a6

                                        • C:\providercommon\1zu9dW.bat

                                          Filesize

                                          36B

                                          MD5

                                          6783c3ee07c7d151ceac57f1f9c8bed7

                                          SHA1

                                          17468f98f95bf504cc1f83c49e49a78526b3ea03

                                          SHA256

                                          8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

                                          SHA512

                                          c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                        • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                          Filesize

                                          197B

                                          MD5

                                          8088241160261560a02c84025d107592

                                          SHA1

                                          083121f7027557570994c9fc211df61730455bb5

                                          SHA256

                                          2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

                                          SHA512

                                          20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                        • \providercommon\DllCommonsvc.exe

                                          Filesize

                                          1.0MB

                                          MD5

                                          bd31e94b4143c4ce49c17d3af46bcad0

                                          SHA1

                                          f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                          SHA256

                                          b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                          SHA512

                                          f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                        • memory/1032-103-0x000000001B7D0000-0x000000001BAB2000-memory.dmp

                                          Filesize

                                          2.9MB

                                        • memory/1036-496-0x0000000001230000-0x0000000001340000-memory.dmp

                                          Filesize

                                          1.1MB

                                        • memory/1660-675-0x0000000000080000-0x0000000000190000-memory.dmp

                                          Filesize

                                          1.1MB

                                        • memory/1772-556-0x00000000002C0000-0x00000000002D2000-memory.dmp

                                          Filesize

                                          72KB

                                        • memory/1900-258-0x00000000010B0000-0x00000000011C0000-memory.dmp

                                          Filesize

                                          1.1MB

                                        • memory/2088-114-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

                                          Filesize

                                          32KB

                                        • memory/2252-104-0x0000000000920000-0x0000000000A30000-memory.dmp

                                          Filesize

                                          1.1MB

                                        • memory/2536-52-0x0000000000540000-0x0000000000552000-memory.dmp

                                          Filesize

                                          72KB

                                        • memory/2536-51-0x0000000000180000-0x0000000000290000-memory.dmp

                                          Filesize

                                          1.1MB

                                        • memory/2584-377-0x0000000001100000-0x0000000001210000-memory.dmp

                                          Filesize

                                          1.1MB

                                        • memory/2768-735-0x0000000000A00000-0x0000000000B10000-memory.dmp

                                          Filesize

                                          1.1MB

                                        • memory/2776-15-0x00000000003F0000-0x00000000003FC000-memory.dmp

                                          Filesize

                                          48KB

                                        • memory/2776-17-0x0000000000400000-0x000000000040C000-memory.dmp

                                          Filesize

                                          48KB

                                        • memory/2776-16-0x00000000003E0000-0x00000000003EC000-memory.dmp

                                          Filesize

                                          48KB

                                        • memory/2776-14-0x00000000003D0000-0x00000000003E2000-memory.dmp

                                          Filesize

                                          72KB

                                        • memory/2776-13-0x00000000010C0000-0x00000000011D0000-memory.dmp

                                          Filesize

                                          1.1MB

                                        • memory/2972-42-0x000000001B820000-0x000000001BB02000-memory.dmp

                                          Filesize

                                          2.9MB

                                        • memory/2972-48-0x0000000002770000-0x0000000002778000-memory.dmp

                                          Filesize

                                          32KB