Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    30/12/2024, 17:41

General

  • Target

    JaffaCakes118_b864648c3665b63ba4a6fdab253dd9b87f5e242314a6c5998d56af54b2b3b37a.exe

  • Size

    1.3MB

  • MD5

    f53dfacb6b320a39657fa0b75dfdcf0a

  • SHA1

    4e92bc0af0f3d647744fef41c7b2c73e404c384e

  • SHA256

    b864648c3665b63ba4a6fdab253dd9b87f5e242314a6c5998d56af54b2b3b37a

  • SHA512

    25a9aa92f83dec0f6ac71dba96027a20c82419a6d6da323582906b6803a5164b5529f3770936f91ff5b11d7b912c02d231d0e315af9d09fef12082907c7ab442

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal (DCRat) is a .NET RAT that has been active since June 2019 and can load additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 57 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 9 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, or processes. In this run every call is Add-MpPreference -ExclusionPath for a dropped executable, so Defender will not scan the persistence binaries that appear in the process tree.

  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs
  • Drops file in Program Files directory 8 IoCs
  • Drops file in Windows directory 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 32 IoCs
  • Suspicious use of AdjustPrivilegeToken 32 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
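
The Defender-exclusion and masquerading behaviour flagged in these signatures can be checked mechanically from process-creation telemetry. The Python below is an added example written for this page; it is not part of the sandbox report or of DCRat. It assumes Sysmon Event ID 1 / Security 4688-style events reduced to pid, image and cmdline, and SYSTEM_BINARY_NAMES and SYSTEM_DIRS are an assumed heuristic rather than a complete inventory of Windows. The sample events are constructed: four reuse command lines from the process tree, one is a benign admin exclusion, one is an unrelated process.

```python
import re
from pathlib import PureWindowsPath

# Assumed heuristic: Windows binaries that legitimately live only in the system
# directories below. A file with one of these names anywhere else is treated as
# masquerading (ATT&CK T1036). OSPPSVC.exe and Idle.exe are deliberately absent:
# the first has a legitimate home under Program Files, the second is not a
# Windows file name at all.
SYSTEM_BINARY_NAMES = {
    "lsass.exe", "csrss.exe", "winlogon.exe", "wininit.exe", "lsm.exe",
    "audiodg.exe", "conhost.exe", "wmiprvse.exe", "cmd.exe", "explorer.exe",
}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64",
               r"c:\windows\system32\wbem", r"c:\windows\syswow64\wbem"}
ALSO_LEGIT = {r"c:\windows\explorer.exe"}  # explorer.exe sits directly in C:\Windows

# One match per Add-MpPreference exclusion switch, so chained exclusions are all seen.
# The argument may be single-quoted, double-quoted or bare.
EXCLUSION_RE = re.compile(
    r"-exclusion(path|process|extension)\s+(?:'([^']*)'|\"([^\"]*)\"|(\S+))",
    re.IGNORECASE,
)


def extract_exclusions(cmdline):
    """Return (kind, value) pairs for every Defender exclusion a command line adds."""
    if "add-mppreference" not in cmdline.lower():
        return []
    return [(m.group(1).lower(), m.group(2) or m.group(3) or m.group(4))
            for m in EXCLUSION_RE.finditer(cmdline)]


def is_masquerading(path):
    """True when the file name is a core Windows binary but its directory is not a system one."""
    p = PureWindowsPath(path)
    if p.name.lower() not in SYSTEM_BINARY_NAMES or str(p).lower() in ALSO_LEGIT:
        return False
    return str(p.parent).lower() not in SYSTEM_DIRS


def scan(events):
    """Flag PowerShell process-creation events that add Defender exclusions.

    Each event is a dict with pid, image and cmdline. A path exclusion whose target
    masquerades as a system binary gets a second tag; that is the DCRat pattern here.
    """
    findings = []
    for ev in events:
        if PureWindowsPath(ev["image"]).name.lower() not in {"powershell.exe", "pwsh.exe"}:
            continue
        for kind, value in extract_exclusions(ev["cmdline"]):
            tags = ["defender-exclusion"]
            if kind == "path" and is_masquerading(value):
                tags.append("masquerade")
            findings.append({"pid": ev["pid"], "kind": kind, "value": value, "tags": tags})
    return findings


PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"


def _ps_exclusion(pid, path):
    # Constructed event mirroring the command lines in the report's process tree.
    return {"pid": pid, "image": PS_IMAGE,
            "cmdline": f"\"powershell\" -Command Add-MpPreference -ExclusionPath '{path}'"}


# Constructed sample input (see the lead-in): four lines from the tree, one benign
# admin exclusion that adds two kinds at once, and one process that is ignored.
SAMPLE_EVENTS = [
    _ps_exclusion(2660, r"C:\providercommon\DllCommonsvc.exe"),
    _ps_exclusion(1444, r"C:\providercommon\lsass.exe"),
    _ps_exclusion(2500, r"C:\Windows\IME\cmd.exe"),
    _ps_exclusion(2908, r"C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\explorer.exe"),
    {"pid": 4100, "image": PS_IMAGE,
     "cmdline": "powershell -Command Add-MpPreference -ExclusionPath 'D:\\Builds' -ExclusionExtension .obj"},
    {"pid": 4101, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd /c whoami"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f["pid"], f["kind"], ",".join(f["tags"]), f["value"])
```

Any Add-MpPreference from a non-admin workstation is worth an alert on its own; the masquerade tag is what separates this sample's twenty exclusions from a developer excluding a build directory. The scan only looks at powershell.exe and pwsh.exe images, so an exclusion added through the MSFT_MpPreference WMI class or a PowerShell host with another image name would need a separate rule.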

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b864648c3665b63ba4a6fdab253dd9b87f5e242314a6c5998d56af54b2b3b37a.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b864648c3665b63ba4a6fdab253dd9b87f5e242314a6c5998d56af54b2b3b37a.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2584
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2388
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2744
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2828
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2660
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\fr-FR\WmiPrvSE.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3012
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Idle.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3016
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\IME\cmd.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2500
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\OSPPSVC.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:812
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1444
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WmiPrvSE.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1764
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\explorer.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2908
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2040
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2832
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\lsm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1116
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\lua\http\dialogs\OSPPSVC.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2068
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Local Settings\WmiPrvSE.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2736
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\AppData\Roaming\wininit.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2092
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\My Documents\lsass.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2504
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\winlogon.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2364
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\winlogon.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2576
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Desktop\cmd.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1136
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\tracing\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2620
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\conhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1280
          • C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe
            "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:900
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GW80Ek08hx.bat"
              6⤵
                PID:3952
                • C:\Windows\system32\w32tm.exe
                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                  7⤵
                    PID:3992
                  • C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe
                    "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe"
                    7⤵
                    • Executes dropped EXE
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:4020
                    • C:\Windows\System32\cmd.exe
                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\R8cJcUuQgj.bat"
                      8⤵
                        PID:2616
                        • C:\Windows\system32\w32tm.exe
                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                          9⤵
                            PID:1816
                          • C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe
                            "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe"
                            9⤵
                            • Executes dropped EXE
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            PID:2340
                            • C:\Windows\System32\cmd.exe
                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8qIUyQJ4qD.bat"
                              10⤵
                                PID:3012
                                • C:\Windows\system32\w32tm.exe
                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                  11⤵
                                    PID:2988
                                  • C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe
                                    "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe"
                                    11⤵
                                    • Executes dropped EXE
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:2832
                                    • C:\Windows\System32\cmd.exe
                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Cu9aubHCzw.bat"
                                      12⤵
                                        PID:2588
                                        • C:\Windows\system32\w32tm.exe
                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                          13⤵
                                            PID:2928
                                          • C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe
                                            "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe"
                                            13⤵
                                            • Executes dropped EXE
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:1500
                                            • C:\Windows\System32\cmd.exe
                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3B2OAH3dio.bat"
                                              14⤵
                                                PID:1600
                                                • C:\Windows\system32\w32tm.exe
                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                  15⤵
                                                    PID:3524
                                                  • C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe
                                                    "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe"
                                                    15⤵
                                                    • Executes dropped EXE
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:3328
                                                    • C:\Windows\System32\cmd.exe
                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\X5jGqiFaSS.bat"
                                                      16⤵
                                                        PID:3940
                                                        • C:\Windows\system32\w32tm.exe
                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                          17⤵
                                                            PID:1120
                                                          • C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe
                                                            "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe"
                                                            17⤵
                                                            • Executes dropped EXE
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:3684
                                                            • C:\Windows\System32\cmd.exe
                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2qVagYZlTM.bat"
                                                              18⤵
                                                                PID:2772
                                                                • C:\Windows\system32\w32tm.exe
                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                  19⤵
                                                                    PID:2880
                                                                  • C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe
                                                                    "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe"
                                                                    19⤵
                                                                    • Executes dropped EXE
                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    PID:4080
                                                                    • C:\Windows\System32\cmd.exe
                                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9gNv7qRJ8U.bat"
                                                                      20⤵
                                                                        PID:2024
                                                                        • C:\Windows\system32\w32tm.exe
                                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                          21⤵
                                                                            PID:2628
                                                                          • C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe
                                                                            "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe"
                                                                            21⤵
                                                                            • Executes dropped EXE
                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:3292
                                                                            • C:\Windows\System32\cmd.exe
                                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\12JaEZR6zX.bat"
                                                                              22⤵
                                                                                PID:2472
                                                                                • C:\Windows\system32\w32tm.exe
                                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                  23⤵
                                                                                    PID:2620
                                                                                  • C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe
                                                                                    "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe"
                                                                                    23⤵
                                                                                    • Executes dropped EXE
                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                    PID:3504
                                                                                    • C:\Windows\System32\cmd.exe
                                                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\peQnm3nkJb.bat"
                                                                                      24⤵
                                                                                        PID:2116
                                                                                        • C:\Windows\system32\w32tm.exe
                                                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                          25⤵
                                                                                            PID:3168
                                                                                          • C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe
                                                                                            "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe"
                                                                                            25⤵
                                                                                            • Executes dropped EXE
                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                            PID:3508
                                                                                            • C:\Windows\System32\cmd.exe
                                                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8qIUyQJ4qD.bat"
                                                                                              26⤵
                                                                                                PID:3644
                                                                                                • C:\Windows\system32\w32tm.exe
                                                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                  27⤵
                                                                                                    PID:2468
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Windows\fr-FR\WmiPrvSE.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2780
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\fr-FR\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1900
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Windows\fr-FR\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2604
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\providercommon\Idle.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2692
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2656
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2496
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Windows\IME\cmd.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2576
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\IME\cmd.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1744
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Windows\IME\cmd.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1572
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\OSPPSVC.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2896
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\OSPPSVC.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1120
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\OSPPSVC.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2512
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\providercommon\lsass.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1876
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2516
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:376
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\providercommon\WmiPrvSE.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:280
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1396
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1236
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\explorer.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1860
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\explorer.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1708
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\explorer.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2188
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2072
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1784
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2956
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2200
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2532
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1864
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\lsm.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2228
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\lsm.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2340
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\lsm.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1728
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Program Files\VideoLAN\VLC\lua\http\dialogs\OSPPSVC.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1592
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\lua\http\dialogs\OSPPSVC.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1984
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Program Files\VideoLAN\VLC\lua\http\dialogs\OSPPSVC.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:608
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Local Settings\WmiPrvSE.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1484
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Default\Local Settings\WmiPrvSE.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2924
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Local Settings\WmiPrvSE.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1908
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Users\Default\AppData\Roaming\wininit.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1716
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default\AppData\Roaming\wininit.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:932
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Users\Default\AppData\Roaming\wininit.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2036
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Users\Default\My Documents\lsass.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1660
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default\My Documents\lsass.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:3040
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Users\Default\My Documents\lsass.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1452
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\winlogon.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1980
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\winlogon.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2236
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\winlogon.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:828
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\providercommon\winlogon.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:876
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1944
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2980
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Desktop\cmd.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2916
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Public\Desktop\cmd.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2120
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Desktop\cmd.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1260
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\tracing\csrss.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1992
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\tracing\csrss.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2580
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Windows\tracing\csrss.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2424
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\conhost.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2720
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\conhost.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2796
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\conhost.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2784

                                              Network

                                                    MITRE ATT&CK Enterprise v15


                                                    Downloads


                                                    • C:\Users\Admin\AppData\Local\Temp\12JaEZR6zX.bat

                                                      Filesize

                                                      225B

                                                      MD5

                                                      51db68638c7131082749fffe00b465f9

                                                      SHA1

                                                      c1d2912ef1f2cd3408ca595272e5aa74141cb501

                                                      SHA256

                                                      34b47a63619e230a9f1df85a4f67e2cfe4d41777421dac989c5e80a5fa3a02f3

                                                      SHA512

                                                      b9d615cd645e0d6f1844e0e95d973180f77e7af9f20c94b0273c4c4626391e21081bc31af549198a301cee03a2d4c72a5dc4e27875083e00bd2136e95386e9b4

                                                    • C:\Users\Admin\AppData\Local\Temp\2qVagYZlTM.bat

                                                      Filesize

                                                      225B

                                                      MD5

                                                      28c6c812540348cfaf3f73e9da542177

                                                      SHA1

                                                      19982d227536edffc335514b7fafb3f6ff448a95

                                                      SHA256

                                                      a90423e14bab9858087ed539cd3dd8b8cf74f2315422e07c69aecc2379d69fd1

                                                      SHA512

                                                      9d17cb215c6f246f553cdae850bf23d14a91b9df0f2bd72de06540388a5a2b48b6dab4d61db41b6d6294f8ebc1dc46b7f051f8e924c53154affb2532eb6a339e

                                                    • C:\Users\Admin\AppData\Local\Temp\3B2OAH3dio.bat

                                                      Filesize

                                                      225B

                                                      MD5

                                                      628c3daa6f331fb04c5cb80f35b782bd

                                                      SHA1

                                                      091f2cb5ad1e3fe38aa9e69916a58d780c022c26

                                                      SHA256

                                                      85a374d632a0376f0d9941edb037f29773544577c9d999ac174af18b9dc778ff

                                                      SHA512

                                                      b6c6105f0aba91be2458a5ee85b7021f36cd8862ce588d1153983a99975f5377777e69e8ef1614e7c409b09cd11438ad4f5d01c50a4ff6334582a64f781b42a2

                                                    • C:\Users\Admin\AppData\Local\Temp\8qIUyQJ4qD.bat

                                                      Filesize

                                                      225B

                                                      MD5

                                                      4936a1c179b4991ca9e9b504c14706bd

                                                      SHA1

                                                      996e731a850ae94596c5ce3f38935c1e3cc7bcc3

                                                      SHA256

                                                      0700437b722ae5ad13b81f9b2a5c278722e0bb39eee2f63f1415bd0c8ae1ec60

                                                      SHA512

                                                      1430a656d5759e3498e6cbad43e2ced45cbb4f7bb5ed0c5c9d2d4939357453a8ca5b9a881ff8c21b8ad5ba33054823510df7bafdeb024e6ec5963fbf86b2a61f

                                                    • C:\Users\Admin\AppData\Local\Temp\9gNv7qRJ8U.bat

                                                      Filesize

                                                      225B

                                                      MD5

                                                      9bfd04fa29c7db16d335500c01ccb378

                                                      SHA1

                                                      66e6e965f60e5a0eb65d012814e6374442aef847

                                                      SHA256

                                                      a99b3ce5c44eef269a6505fe3ce214f92429634d7edf86a46b4b1617cfb17bd1

                                                      SHA512

                                                      ed5df0bb527f57341a5fda4099bab8ddc8ab61be9f3d266caad054d94a15d7abe0cd1254c163bc257fb86db694805e1352363d396a279f87f793003f15ba4fc0

                                                    • C:\Users\Admin\AppData\Local\Temp\CabF0E6.tmp

                                                      Filesize

                                                      70KB

                                                      MD5

                                                      49aebf8cbd62d92ac215b2923fb1b9f5

                                                      SHA1

                                                      1723be06719828dda65ad804298d0431f6aff976

                                                      SHA256

                                                      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                                      SHA512

                                                      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                                    • C:\Users\Admin\AppData\Local\Temp\Cu9aubHCzw.bat

                                                      Filesize

                                                      225B

                                                      MD5

                                                      7d3ff9140de55201671c601e40a9b06a

                                                      SHA1

                                                      42d91862d294ecb934a99ffae34a7f8c94e36c6e

                                                      SHA256

                                                      3acb70cf58736f124f3985955dbb4c1611a02a4e90dbfd09d7afcd740ad818df

                                                      SHA512

                                                      44ee813d27533a67c4b22b11ca8cb1e636df697facf10b5cd47257226a5602a947cea92602ce956ae7e916e73b9fa955e171d5c836356959ade3339c63c5d917

                                                    • C:\Users\Admin\AppData\Local\Temp\GW80Ek08hx.bat

                                                      Filesize

                                                      225B

                                                      MD5

                                                      60278db84d20341aa7ec6c83e26f6087

                                                      SHA1

                                                      a32981b4d393811b443199ca79dffcb24e7ae6c6

                                                      SHA256

                                                      d12f2c6bb42ce5205476eb32e9d6dba88c901d1cf9e1c41b9799091650b63c7e

                                                      SHA512

                                                      cd5e8072d4a63e13188493528724c8d30ba557a300725dd9dd016a437fe1e62c6d21f7015335b68efd2c671a2e777543d587212636c5fb8f96bdd72950205e42

                                                    • C:\Users\Admin\AppData\Local\Temp\R8cJcUuQgj.bat

                                                      Filesize

                                                      225B

                                                      MD5

                                                      6b36c775a830576a47dcf8a3ee31d152

                                                      SHA1

                                                      2972d74fa287890613269b91fd667207f37d70cb

                                                      SHA256

                                                      6982ec7f7363f00c2e623bee811c7d60c69b6edd69c8141b0bfbc566654884b6

                                                      SHA512

                                                      0840b7bd460300b77ecd59a1705acb4003245e701682be34c92d25441ee8e5ef2784aed159fefa97635b703ddd54c8587a13f3ebe0c7455c9a01692f675ee415

                                                    • C:\Users\Admin\AppData\Local\Temp\TarF108.tmp

                                                      Filesize

                                                      181KB

                                                      MD5

                                                      4ea6026cf93ec6338144661bf1202cd1

                                                      SHA1

                                                      a1dec9044f750ad887935a01430bf49322fbdcb7

                                                      SHA256

                                                      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                                                      SHA512

                                                      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                                    • C:\Users\Admin\AppData\Local\Temp\X5jGqiFaSS.bat

                                                      Filesize

                                                      225B

                                                      MD5

                                                      6182aafc805d1aef4b48bca8e1e3b9f3

                                                      SHA1

                                                      85b4ae3cdab2db780df271518cb39f099351e9d3

                                                      SHA256

                                                      3b6c3f4be8dc0b8552820c2becc4416df66802a8a255e155e9071f48250920bf

                                                      SHA512

                                                      780262f3636fc81076b09bb82dc306bb4184d0b9b4d2b93c9e660dc481b4fb18ac1a5df5b68ec26b35a5d4c13796a4cea3522b0fb45fc0d1aadd80d893c5221b

                                                    • C:\Users\Admin\AppData\Local\Temp\peQnm3nkJb.bat

                                                      Filesize

                                                      225B

                                                      MD5

                                                      26a85b2834f42b439311bd18f57be2f9

                                                      SHA1

                                                      9537df7975955525defbcde4446a01c5d39f4750

                                                      SHA256

                                                      4698c715eeb2c889cfe9f77a37e35da623f36f42a9dee0979b6d30c29d6e567d

                                                      SHA512

                                                      d59af77d154eb2bc861f8b82475d5d7a08364166593c7d097b26e3279d6565c0b2fd4f4b5aab6d4a36d0fbf47db6a94f3dec1268cd4af4653b92cfed11d8d334

                                                    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                                      Filesize

                                                      7KB

                                                      MD5

                                                      c9a04ffb441e071dda802f695c009531

                                                      SHA1

                                                      e85af172d5dcf715704cb529a73b744280260fed

                                                      SHA256

                                                      19a602500f1b53d02e3ad7ca150935e745d6a10b79604e8ff7fc34e6db775173

                                                      SHA512

                                                      7263f93053692f32bb9944e618740024e4faee5a804bc29f005cf6b4c0f9c85c73420e1225bf9dc85094a98d6335fc668b3fad74479a8afd2f22b2c4657dcad2

                                                    • C:\providercommon\1zu9dW.bat

                                                      Filesize

                                                      36B

                                                      MD5

                                                      6783c3ee07c7d151ceac57f1f9c8bed7

                                                      SHA1

                                                      17468f98f95bf504cc1f83c49e49a78526b3ea03

                                                      SHA256

                                                      8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

                                                      SHA512

                                                      c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                                    • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                                      Filesize

                                                      197B

                                                      MD5

                                                      8088241160261560a02c84025d107592

                                                      SHA1

                                                      083121f7027557570994c9fc211df61730455bb5

                                                      SHA256

                                                      2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

                                                      SHA512

                                                      20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                                    • \providercommon\DllCommonsvc.exe

                                                      Filesize

                                                      1.0MB

                                                      MD5

                                                      bd31e94b4143c4ce49c17d3af46bcad0

                                                      SHA1

                                                      f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                                      SHA256

                                                      b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                                      SHA512

                                                      f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

• memory/900-86-0x0000000000A10000-0x0000000000B20000-memory.dmp (Filesize 1.1MB)
• memory/1500-402-0x00000000000D0000-0x00000000001E0000-memory.dmp (Filesize 1.1MB)
• memory/2092-80-0x000000001B550000-0x000000001B832000-memory.dmp (Filesize 2.9MB)
• memory/2092-101-0x0000000002900000-0x0000000002908000-memory.dmp (Filesize 32KB)
• memory/2340-282-0x0000000000240000-0x0000000000252000-memory.dmp (Filesize 72KB)
• memory/2828-16-0x0000000000160000-0x000000000016C000-memory.dmp (Filesize 48KB)
• memory/2828-17-0x00000000002F0000-0x00000000002FC000-memory.dmp (Filesize 48KB)
• memory/2828-15-0x00000000002E0000-0x00000000002EC000-memory.dmp (Filesize 48KB)
• memory/2828-14-0x0000000000150000-0x0000000000162000-memory.dmp (Filesize 72KB)
• memory/2828-13-0x0000000000D50000-0x0000000000E60000-memory.dmp (Filesize 1.1MB)
• memory/2832-342-0x0000000000390000-0x00000000004A0000-memory.dmp (Filesize 1.1MB)
• memory/3292-643-0x0000000001250000-0x0000000001360000-memory.dmp (Filesize 1.1MB)
• memory/3328-463-0x0000000000340000-0x0000000000352000-memory.dmp (Filesize 72KB)
• memory/3328-462-0x0000000000AC0000-0x0000000000BD0000-memory.dmp (Filesize 1.1MB)
• memory/4020-222-0x0000000000AE0000-0x0000000000BF0000-memory.dmp (Filesize 1.1MB)
• memory/4080-582-0x0000000000210000-0x0000000000320000-memory.dmp (Filesize 1.1MB)
• memory/4080-583-0x0000000000450000-0x0000000000462000-memory.dmp (Filesize 72KB)