Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    30/12/2024, 05:11

General

  • Target

    JaffaCakes118_58c7535a75c46d05bf0ebbd49ccc60db99801374948bb047b27de968fffa1635.exe

  • Size

    1.3MB

  • MD5

    80594aecb7761ad7012652e62d66fa2c

  • SHA1

    5d455530fcb1b5072dc1250bea98e6aa0bf2c38a

  • SHA256

    58c7535a75c46d05bf0ebbd49ccc60db99801374948bb047b27de968fffa1635

  • SHA512

    5c03bf70140ba89645346a5082c3f6a8378c794501ba21db4d850bd604123d28ca9079edc69d8e5dc71a43dd8186b701fc11149ea70e08190e7b80fd024f69df

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 63 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 9 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 23 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 11 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs
  • Drops file in Program Files directory 8 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 63 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 40 IoCs
  • Suspicious use of AdjustPrivilegeToken 34 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_58c7535a75c46d05bf0ebbd49ccc60db99801374948bb047b27de968fffa1635.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_58c7535a75c46d05bf0ebbd49ccc60db99801374948bb047b27de968fffa1635.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2524
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1288
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2288
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3020
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1656
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\dllhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1984
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\winlogon.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1944
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\sppsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3004
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\OSPPSVC.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2860
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rjLuxY44un.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2084
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:2148
              • C:\providercommon\DllCommonsvc.exe
                "C:\providercommon\DllCommonsvc.exe"
                6⤵
                • Executes dropped EXE
                • Drops file in Program Files directory
                • Drops file in Windows directory
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:720
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2108
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Temp\Crashpad\reports\dllhost.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2384
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Reader 9.0\WmiPrvSE.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1628
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dllhost.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2860
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\ja-JP\winlogon.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:588
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2128
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\WmiPrvSE.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2032
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\System.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2504
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\WmiPrvSE.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:840
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\schemas\WCN\wininit.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1876
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\Idle.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1352
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2016
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1624
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Web\Wallpaper\Scenes\csrss.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2404
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\SendTo\OSPPSVC.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:792
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2084
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\spoolsv.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1684
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1100
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fOX4HfKdkR.bat"
                  7⤵
                    PID:1004
                    • C:\Windows\system32\w32tm.exe
                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                      8⤵
                        PID:572
                      • C:\providercommon\System.exe
                        "C:\providercommon\System.exe"
                        8⤵
                        • Executes dropped EXE
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2792
                        • C:\Windows\System32\cmd.exe
                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0LMDaVm4bI.bat"
                          9⤵
                            PID:1352
                            • C:\Windows\system32\w32tm.exe
                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                              10⤵
                                PID:1832
                              • C:\providercommon\System.exe
                                "C:\providercommon\System.exe"
                                10⤵
                                • Executes dropped EXE
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of AdjustPrivilegeToken
                                PID:2016
                                • C:\Windows\System32\cmd.exe
                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Asmf6CRzTu.bat"
                                  11⤵
                                    PID:1032
                                    • C:\Windows\system32\w32tm.exe
                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                      12⤵
                                        PID:980
                                      • C:\providercommon\System.exe
                                        "C:\providercommon\System.exe"
                                        12⤵
                                        • Executes dropped EXE
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:2996
                                        • C:\Windows\System32\cmd.exe
                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\S2GQUB77UU.bat"
                                          13⤵
                                            PID:3000
                                            • C:\Windows\system32\w32tm.exe
                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                              14⤵
                                                PID:2364
                                              • C:\providercommon\System.exe
                                                "C:\providercommon\System.exe"
                                                14⤵
                                                • Executes dropped EXE
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:2964
                                                • C:\Windows\System32\cmd.exe
                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bo4ZIAkpMj.bat"
                                                  15⤵
                                                    PID:2268
                                                    • C:\Windows\system32\w32tm.exe
                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                      16⤵
                                                        PID:2792
                                                      • C:\providercommon\System.exe
                                                        "C:\providercommon\System.exe"
                                                        16⤵
                                                        • Executes dropped EXE
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:1832
                                                        • C:\Windows\System32\cmd.exe
                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AKY6NrPTox.bat"
                                                          17⤵
                                                            PID:1148
                                                            • C:\Windows\system32\w32tm.exe
                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                              18⤵
                                                                PID:2016
                                                              • C:\providercommon\System.exe
                                                                "C:\providercommon\System.exe"
                                                                18⤵
                                                                • Executes dropped EXE
                                                                • Suspicious behavior: EnumeratesProcesses
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:3048
                                                                • C:\Windows\System32\cmd.exe
                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\W0gPze1DKI.bat"
                                                                  19⤵
                                                                    PID:2612
                                                                    • C:\Windows\system32\w32tm.exe
                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                      20⤵
                                                                        PID:720
                                                                      • C:\providercommon\System.exe
                                                                        "C:\providercommon\System.exe"
                                                                        20⤵
                                                                        • Executes dropped EXE
                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        PID:1808
                                                                        • C:\Windows\System32\cmd.exe
                                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cU7BGbiaqd.bat"
                                                                          21⤵
                                                                            PID:1536
                                                                            • C:\Windows\system32\w32tm.exe
                                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                              22⤵
                                                                                PID:1044
                                                                              • C:\providercommon\System.exe
                                                                                "C:\providercommon\System.exe"
                                                                                22⤵
                                                                                • Executes dropped EXE
                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                PID:2248
                                                                                • C:\Windows\System32\cmd.exe
                                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bkUsYtfOrG.bat"
                                                                                  23⤵
                                                                                    PID:2692
                                                                                    • C:\Windows\system32\w32tm.exe
                                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                      24⤵
                                                                                        PID:1564
                                                                                      • C:\providercommon\System.exe
                                                                                        "C:\providercommon\System.exe"
                                                                                        24⤵
                                                                                        • Executes dropped EXE
                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                        PID:592
                                                                                        • C:\Windows\System32\cmd.exe
                                                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YNa8GmLI5m.bat"
                                                                                          25⤵
                                                                                            PID:2564
                                                                                            • C:\Windows\system32\w32tm.exe
                                                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                              26⤵
                                                                                                PID:1836
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\dllhost.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2836
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2940
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2500
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\providercommon\winlogon.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:644
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2744
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1652
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\sppsvc.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1700
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1528
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2280
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\OSPPSVC.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2700
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Default User\OSPPSVC.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:320
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\OSPPSVC.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1832
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Windows\Temp\Crashpad\reports\dllhost.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:880
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Temp\Crashpad\reports\dllhost.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1280
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Windows\Temp\Crashpad\reports\dllhost.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2484
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\WmiPrvSE.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:456
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\WmiPrvSE.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1172
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\WmiPrvSE.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1436
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dllhost.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2296
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dllhost.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:816
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dllhost.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2764
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\ja-JP\winlogon.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:620
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\ja-JP\winlogon.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:704
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\ja-JP\winlogon.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1040
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\providercommon\lsass.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1248
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2388
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1612
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Users\Default\WmiPrvSE.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:804
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Default\WmiPrvSE.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2576
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Users\Default\WmiPrvSE.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2396
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\providercommon\System.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:3036
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:3012
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2996
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\WmiPrvSE.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2816
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\WmiPrvSE.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2892
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\WmiPrvSE.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2224
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Windows\schemas\WCN\wininit.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2472
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\schemas\WCN\wininit.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1920
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Windows\schemas\WCN\wininit.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2840
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\Idle.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1392
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\Idle.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:784
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\Idle.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2820
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2832
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1412
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:580
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\providercommon\explorer.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1992
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2432
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2248
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Windows\Web\Wallpaper\Scenes\csrss.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1828
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Web\Wallpaper\Scenes\csrss.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2220
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\Web\Wallpaper\Scenes\csrss.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2196
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\SendTo\OSPPSVC.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2280
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Admin\SendTo\OSPPSVC.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:3064
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\SendTo\OSPPSVC.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2796
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2288
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1712
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1880
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\spoolsv.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2132
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\spoolsv.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2768
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\spoolsv.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2372
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2212
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:3004
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1716

                                            Network

                                                  MITRE ATT&CK Enterprise v15

                                                  Replay Monitor

                                                  Loading Replay Monitor...

                                                  Downloads

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                    Filesize

                                                    342B

                                                    MD5

                                                    f2b48b05f7268248f71ae86cdd245858

                                                    SHA1

                                                    15d24e17822708d961f36132645100dbca3ecb81

                                                    SHA256

                                                    cf4c2d7ce9045869a609e3d36e12a88dc53cce290bbbe8dd37db9ea61ff9cedf

                                                    SHA512

                                                    6400ee9e7ebba67c7cf34ae3c632dc7907b7622bd83436c19c55e1f89b8bf9bfcd44362c4bd558aac413c70c68716488cd89c519ce6dd2be3371744a6bd7ebc6

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                    Filesize

                                                    342B

                                                    MD5

                                                    fa608d1d9a2ad5849a4159d57dfd0444

                                                    SHA1

                                                    4992350a2f370e8cece73bed1bb59bed34a506f8

                                                    SHA256

                                                    dae6015a91adbd6a09c169ab88a4a31285c467ef8ee8d3fb188b25271d6bfd83

                                                    SHA512

                                                    8188e0d379b242adbd75fc17167b8465f4f157f3f240c2d207a8935231574914ab1e4a3928d5bdc47786babf52482d4a0f5893c7120445382194749084999536

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                    Filesize

                                                    342B

                                                    MD5

                                                    cf4e352e562dde0f3b913c17f245d910

                                                    SHA1

                                                    ccb95c6ead47e780a50a3e332d5a82f288eb0c62

                                                    SHA256

                                                    6ba4b18222e4c12c8c79c9e126e86b61e1c9b0d07a5600bafed906ee3453ded4

                                                    SHA512

                                                    816c381a2fe974455b3c609bd97c0559e6783ba570d962425de4da66af4579c8d3d3e009907b38bae284473c27f8ae62689081cb8f42782a36572ad49cbbe71d

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                    Filesize

                                                    342B

                                                    MD5

                                                    04354c596fd7f8823c5f8a0e0fa3842d

                                                    SHA1

                                                    1ae6ee262425e1991ab3d70c4697d3369be55fd9

                                                    SHA256

                                                    57b92cbafbd19c21a1df76422cde576edfa5ea8cf54b19cccb1827e0b2fe64e1

                                                    SHA512

                                                    20ccc85b528aa54532fcef1d834ef84df007b3e6cf6f9472cb92311296cc79fbb5a03cdbea5e030ecffa7510c8ce6864f8e949f622c340c778645e62ac8766a0

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                    Filesize

                                                    342B

                                                    MD5

                                                    a9abf6f487844c165f7465deb398be6a

                                                    SHA1

                                                    b589b08b25f4a2a29bf8fc93166d1141103a895a

                                                    SHA256

                                                    e193d01fb31a1a0c437261b7bd57c70110dd5cb38b706ac54ecb027e6cbe3479

                                                    SHA512

                                                    808eb43e18f844160520867a097bf7364b26247f35b90ac07f5ff9f62f7b349baedc9867a0af020926bb3e42766d991aa31ee0e6a4bd114bc7fef003dfeff64b

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                    Filesize

                                                    342B

                                                    MD5

                                                    3663843388d313601a59b45c53be4e30

                                                    SHA1

                                                    a96b263317f3e92a742c82080396fbe81360b51e

                                                    SHA256

                                                    b0ee4867d41bf0cf7e5343adc732b7b9d58401fc55a684e7ea2e5f357c9a1f8d

                                                    SHA512

                                                    272a71e3bf35ad25b7b6f0f78324c36179d69063ae0dde9f62e720c6dc8ccd53c73e1bca4c42244e72e389dad57a02ae18a44c0c6b9507be97a601abff62fc60

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                    Filesize

                                                    342B

                                                    MD5

                                                    b64ecbc7cebd5346c3f7b1f157ecba5a

                                                    SHA1

                                                    fad4714547f723199eeac30cedb6921f30143158

                                                    SHA256

                                                    39720249df679258541f800f8ce40f0abe73b40557249d8e426c830a1876600b

                                                    SHA512

                                                    5e565eaff213c22f11827ca7ce41e2cd1bf32da82b2b8b8a60d78176d42522fb418a9b1933bdf6a3e184929b455c2546dda64b0599a7f1e4cf8e6c5aa4331982

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                    Filesize

                                                    342B

                                                    MD5

                                                    9bfd96bb2e4a95c10c9d6b167cf7e00e

                                                    SHA1

                                                    c881c3b11b1c61d9a81bf01a958ee2daf21b7ff9

                                                    SHA256

                                                    efa8646f38b6b3d6fa18d63d053bb2a6d5b3e66730c6c593ad157415af40c4bd

                                                    SHA512

                                                    6de8c1e14982d0605bc2850015c71a29d5fe5c94c265194cb798dbd71459067f5415cdeb86caa8190eaff8f329be706b748d3b260914331df46307e122638f3c

                                                  • C:\Users\Admin\AppData\Local\Temp\0LMDaVm4bI.bat

                                                    Filesize

                                                    193B

                                                    MD5

                                                    cbfabde0023ae738e058c4367532f0ba

                                                    SHA1

                                                    34c8ac9a94fe4197d9a393cbdaf067e398d6deef

                                                    SHA256

                                                    f8a10802a1df47a87aa163f05978124fa663c21b1c7919a25dd4191545b2d39e

                                                    SHA512

                                                    1c365f74fac2f1f2ce01b3c51b52fc67f4a6c9331ebd092918278551941ef5095d9c3b18ec67b9eaac001b85fd69cec7bd568cf484f1e436293e502d80155295

                                                  • C:\Users\Admin\AppData\Local\Temp\AKY6NrPTox.bat

                                                    Filesize

                                                    193B

                                                    MD5

                                                    f98bfd0f3702eb5b3093bf9ee7340b67

                                                    SHA1

                                                    82d1795bd5daada392fabfc25162172d7dd0bd4e

                                                    SHA256

                                                    3ab2dc55ed1c97e2bec9f8439e8664bfdd4ab17f59f8df19278681beaa3656cb

                                                    SHA512

                                                    503ab0ec36ce9fc9b41d23105823c17d750acf4c90925f7e3c640f770299c9a1f2d9dc22769e33494b72b5ee1917aed5ec73c7ac5ed2f82f375d271606c8b79a

                                                  • C:\Users\Admin\AppData\Local\Temp\Asmf6CRzTu.bat

                                                    Filesize

                                                    193B

                                                    MD5

                                                    d25ba9197d61ad82a194aba4740e0a18

                                                    SHA1

                                                    9a968c427defc03d64d140a2a76539767f9ef41b

                                                    SHA256

                                                    4ce5696eac1ad0289f8cbf75d1b523d93bd6330eb0f8df4c89b5f4b65600d983

                                                    SHA512

                                                    240ad775b5469db97efe607278fadc8e86a8f8fcc4db50802f96625814f6cfd51126cd6d6f1988c967090cb1f00c9c6907c42397406d828677cf6045dbee7b9e

                                                  • C:\Users\Admin\AppData\Local\Temp\Cab15C4.tmp

                                                    Filesize

                                                    70KB

                                                    MD5

                                                    49aebf8cbd62d92ac215b2923fb1b9f5

                                                    SHA1

                                                    1723be06719828dda65ad804298d0431f6aff976

                                                    SHA256

                                                    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                                    SHA512

                                                    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                                  • C:\Users\Admin\AppData\Local\Temp\S2GQUB77UU.bat

                                                    Filesize

                                                    193B

                                                    MD5

                                                    3142b26fa48e4467bb5d5f0f888c0d1a

                                                    SHA1

                                                    b756652c1c3f16ded4b5111b5c94128dcb1f0468

                                                    SHA256

                                                    4ce6cff175633d136b0523fae5c4510a4bb4774342c4e902841458ed558ff022

                                                    SHA512

                                                    cf4a519703c552d207b173f66ed533a2c31e822a47b6130647ec24827084615e1b555e902d981a9f98ba24bd8923e5eb19fe751743020e76cebc872b629897d8

                                                  • C:\Users\Admin\AppData\Local\Temp\Tar1653.tmp

                                                    Filesize

                                                    181KB

                                                    MD5

                                                    4ea6026cf93ec6338144661bf1202cd1

                                                    SHA1

                                                    a1dec9044f750ad887935a01430bf49322fbdcb7

                                                    SHA256

                                                    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                                                    SHA512

                                                    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                                  • C:\Users\Admin\AppData\Local\Temp\W0gPze1DKI.bat

                                                    Filesize

                                                    193B

                                                    MD5

                                                    18bf7e61f5cab1ee806cb1035bdc9241

                                                    SHA1

                                                    05fcd35214fe2095b6529d9e29b9ad0328b6d248

                                                    SHA256

                                                    2f35d2824ee32e45b2dffd5cf482b5aafb21eb13423e752482d9b55dc0e6a3c7

                                                    SHA512

                                                    c4a387747e0b44252ccfd1fb97c481288b370f9b521f0ce037433010a0002b1c523b548fbde711435a0d730c130f875ec6893b937424ffe9b497301151f3b476

                                                  • C:\Users\Admin\AppData\Local\Temp\YNa8GmLI5m.bat

                                                    Filesize

                                                    193B

                                                    MD5

                                                    28b6fb3d920cef1b259c829b394c3e2c

                                                    SHA1

                                                    20587d91ff60036cf8d724f05ec81f9c6e101f52

                                                    SHA256

                                                    5b0f35d498e948b1ff9b1918f3709503430951cb1502b097a5127dddfc31b6fc

                                                    SHA512

                                                    7788406ae09cff5c6ad37743e03013d35dd2157ec7760266ff1567bb3ebd7947277e544ca2e6a9bca162a873e93334d24af40ab2e15fee69072e96a1daa63078

                                                  • C:\Users\Admin\AppData\Local\Temp\bkUsYtfOrG.bat

                                                    Filesize

                                                    193B

                                                    MD5

                                                    9da5374f00633f122594f9c0f7684f43

                                                    SHA1

                                                    f2b480d919af537cc4848ed1fea6177f900df6ce

                                                    SHA256

                                                    a45a94165f44b579bbb45a0f6225e654b0e2b7f93418bf34ac89a2b034700401

                                                    SHA512

                                                    108c794905a17ad7aff7ec628f2ce10336fdaf00b04d9caaa5203a5bc7c0c238dcc164ebcef687dc491f95280fe978f8fe92c66584c09432183e6c11b4fccb24

                                                  • C:\Users\Admin\AppData\Local\Temp\bo4ZIAkpMj.bat

                                                    Filesize

                                                    193B

                                                    MD5

                                                    d9299cfdf0002ce805ee8d08b56f93ae

                                                    SHA1

                                                    fdcc28e6e73b7bc7c790acfced5f05e9b49142d5

                                                    SHA256

                                                    84127fc36b7434fd76695b9ed0ee335e47e299f35c90925a02fdd1d1d06dcd84

                                                    SHA512

                                                    a9877a3dbae5f24e65a99a69eb20614acd7470aa5dd7a3ae4aa87467237cedc7407424e323721fe0bb3c2d50e61e1b4b1b7df3396088da257b25586b9ebd5f1e

                                                  • C:\Users\Admin\AppData\Local\Temp\cU7BGbiaqd.bat

                                                    Filesize

                                                    193B

                                                    MD5

                                                    79529c4373c9e08da2cd747f3d407392

                                                    SHA1

                                                    9153724e7abf289b17891e4160247f01138af8e6

                                                    SHA256

                                                    48b59b5352254ffe64af47f41712e50341008957b2ddd0c2ccef7bc3981860a4

                                                    SHA512

                                                    432105efe8606189d324b5e16f6302e10329621ad1e001ea3ece46a87105e42e90e9ac0e9b34fe1fbfd18166691d36c76d6b240fe8c5fd2ff21379c3d02e2e07

                                                  • C:\Users\Admin\AppData\Local\Temp\fOX4HfKdkR.bat

                                                    Filesize

                                                    193B

                                                    MD5

                                                    b9f307b784f762e37c9bc138144050f2

                                                    SHA1

                                                    00ea9be45f4d071a3129960cb781c1bbb0cdfecf

                                                    SHA256

                                                    ba53e6c0f2c4498b13a3d5e47ab25d1aecd687d8e714fb14fb366267c80e4863

                                                    SHA512

                                                    ead8790bb81c7e394ed35a53a6fd254b7620356d047ee36f6c8379aa9679e18e7678db3c15c1721dd4e9c0eebf664289129123219043d7af56ed9dfd98b76e56

                                                  • C:\Users\Admin\AppData\Local\Temp\rjLuxY44un.bat

                                                    Filesize

                                                    199B

                                                    MD5

                                                    0fa0479de9acc566d5a600113bf59aa2

                                                    SHA1

                                                    5f3811f8f8e8b324eb6fa9856efe736a3e96c8b1

                                                    SHA256

                                                    f311bb2043e00e4dc8591536fa8dc598c9fe52536d3f8a252974a11a2388a6ca

                                                    SHA512

                                                    a2cfeaac5f29b35b472f2ed7d96af99191fc419780c8fcab0cf26f53f19125cc3dee71f63e7cfdcaeabc4740619f387c9c52d980a2709931ef8c14500f47413e

                                                  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                                    Filesize

                                                    7KB

                                                    MD5

                                                    915fe7de99138a03903a22690c39fb44

                                                    SHA1

                                                    38f6bb4b97255eedfaa58caebbf205b07aa911aa

                                                    SHA256

                                                    e551535a33a537e2ac486424d4f5e9f7a5880ea99e280dbca92fb8fd01e7dfa7

                                                    SHA512

                                                    0b8ca5d1a49220ebf9173ffb814a707a9689b36cbf743fe513f048d3767db86d5e4f9858b5cbb6d9cf3e4f8dd4dabb03aa1c57d407d2cd29204b8eb607ffe0d7

                                                  • C:\providercommon\1zu9dW.bat

                                                    Filesize

                                                    36B

                                                    MD5

                                                    6783c3ee07c7d151ceac57f1f9c8bed7

                                                    SHA1

                                                    17468f98f95bf504cc1f83c49e49a78526b3ea03

                                                    SHA256

                                                    8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

                                                    SHA512

                                                    c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                                  • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                                    Filesize

                                                    197B

                                                    MD5

                                                    8088241160261560a02c84025d107592

                                                    SHA1

                                                    083121f7027557570994c9fc211df61730455bb5

                                                    SHA256

                                                    2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

                                                    SHA512

                                                    20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                                  • \providercommon\DllCommonsvc.exe

                                                    Filesize

                                                    1.0MB

                                                    MD5

                                                    bd31e94b4143c4ce49c17d3af46bcad0

                                                    SHA1

                                                    f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                                    SHA256

                                                    b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                                    SHA512

                                                    f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                                  • memory/592-669-0x00000000002E0000-0x00000000003F0000-memory.dmp

                                                    Filesize

                                                    1.1MB

                                                  • memory/592-670-0x00000000002D0000-0x00000000002E2000-memory.dmp

                                                    Filesize

                                                    72KB

                                                  • memory/1352-117-0x00000000022A0000-0x00000000022A8000-memory.dmp

                                                    Filesize

                                                    32KB

                                                  • memory/1352-115-0x000000001B180000-0x000000001B462000-memory.dmp

                                                    Filesize

                                                    2.9MB

                                                  • memory/1808-550-0x00000000001C0000-0x00000000001D2000-memory.dmp

                                                    Filesize

                                                    72KB

                                                  • memory/1808-549-0x0000000001220000-0x0000000001330000-memory.dmp

                                                    Filesize

                                                    1.1MB

                                                  • memory/1832-429-0x0000000001260000-0x0000000001370000-memory.dmp

                                                    Filesize

                                                    1.1MB

                                                  • memory/1984-49-0x000000001B410000-0x000000001B6F2000-memory.dmp

                                                    Filesize

                                                    2.9MB

                                                  • memory/1984-50-0x0000000001F90000-0x0000000001F98000-memory.dmp

                                                    Filesize

                                                    32KB

                                                  • memory/2792-191-0x0000000000B60000-0x0000000000C70000-memory.dmp

                                                    Filesize

                                                    1.1MB

                                                  • memory/2964-369-0x0000000001030000-0x0000000001140000-memory.dmp

                                                    Filesize

                                                    1.1MB

                                                  • memory/2996-309-0x0000000000370000-0x0000000000480000-memory.dmp

                                                    Filesize

                                                    1.1MB

                                                  • memory/3020-17-0x0000000000BA0000-0x0000000000BAC000-memory.dmp

                                                    Filesize

                                                    48KB

                                                  • memory/3020-16-0x00000000009A0000-0x00000000009AC000-memory.dmp

                                                    Filesize

                                                    48KB

                                                  • memory/3020-15-0x0000000000990000-0x000000000099C000-memory.dmp

                                                    Filesize

                                                    48KB

                                                  • memory/3020-14-0x0000000000980000-0x0000000000992000-memory.dmp

                                                    Filesize

                                                    72KB

                                                  • memory/3020-13-0x00000000013D0000-0x00000000014E0000-memory.dmp

                                                    Filesize

                                                    1.1MB

                                                  • memory/3048-489-0x00000000000E0000-0x00000000001F0000-memory.dmp

                                                    Filesize

                                                    1.1MB