Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    30/12/2024, 17:45

General

  • Target

    JaffaCakes118_9a1271b3592e05b264b394a87091f79bb7597d0a18f011be21833c662044ecbb.exe

  • Size

    1.3MB

  • MD5

    c9c1a928abbc7ce1398f28a970c84933

  • SHA1

    5f92b79f4d085a5840b8612f7886c86dc7dff018

  • SHA256

    9a1271b3592e05b264b394a87091f79bb7597d0a18f011be21833c662044ecbb

  • SHA512

    c37881d9428b64f97e24e808c394f05f29e19334b1ad25c2ea0eb32a507a9a08791d6d8192bc951865d9247c8ae975418165932e9ceb4a0ab7638a8792f4b8e7

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 54 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 8 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs
  • Drops file in Program Files directory 18 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 35 IoCs
  • Suspicious use of AdjustPrivilegeToken 31 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9a1271b3592e05b264b394a87091f79bb7597d0a18f011be21833c662044ecbb.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9a1271b3592e05b264b394a87091f79bb7597d0a18f011be21833c662044ecbb.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2072
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2368
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2492
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3004
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2268
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\OSPPSVC.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2264
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\taskhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2488
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\Sample Pictures\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2392
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\System.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2464
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\microsoft shared\winlogon.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2368
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\browser\VisualElements\winlogon.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2924
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\plugins\winlogon.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2140
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\fr-FR\lsass.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2856
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\System.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2756
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\cmd.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2184
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\smss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2904
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\System.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2928
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\winlogon.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1908
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft Help\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2892
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2716
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\de-DE\lsass.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2604
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\OSPPSVC.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2736
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\security\ApplicationId\PolicyManagement\smss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2664
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YAkRWmVbYY.bat"
            5⤵
              PID:2788
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                6⤵
                  PID:1988
                • C:\Windows\security\ApplicationId\PolicyManagement\smss.exe
                  "C:\Windows\security\ApplicationId\PolicyManagement\smss.exe"
                  6⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1248
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\X5pWA5YIY7.bat"
                    7⤵
                      PID:1984
                      • C:\Windows\system32\w32tm.exe
                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                        8⤵
                          PID:1244
                        • C:\Windows\security\ApplicationId\PolicyManagement\smss.exe
                          "C:\Windows\security\ApplicationId\PolicyManagement\smss.exe"
                          8⤵
                          • Executes dropped EXE
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1636
                          • C:\Windows\System32\cmd.exe
                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xEoBbgPmrR.bat"
                            9⤵
                              PID:2604
                              • C:\Windows\system32\w32tm.exe
                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                10⤵
                                  PID:692
                                • C:\Windows\security\ApplicationId\PolicyManagement\smss.exe
                                  "C:\Windows\security\ApplicationId\PolicyManagement\smss.exe"
                                  10⤵
                                  • Executes dropped EXE
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:1908
                                  • C:\Windows\System32\cmd.exe
                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lEFN0vw97k.bat"
                                    11⤵
                                      PID:2956
                                      • C:\Windows\system32\w32tm.exe
                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                        12⤵
                                          PID:1456
                                        • C:\Windows\security\ApplicationId\PolicyManagement\smss.exe
                                          "C:\Windows\security\ApplicationId\PolicyManagement\smss.exe"
                                          12⤵
                                          • Executes dropped EXE
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:1888
                                          • C:\Windows\System32\cmd.exe
                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Yvohz7Nokj.bat"
                                            13⤵
                                              PID:2584
                                              • C:\Windows\system32\w32tm.exe
                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                14⤵
                                                  PID:1056
                                                • C:\Windows\security\ApplicationId\PolicyManagement\smss.exe
                                                  "C:\Windows\security\ApplicationId\PolicyManagement\smss.exe"
                                                  14⤵
                                                  • Executes dropped EXE
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:1796
                                                  • C:\Windows\System32\cmd.exe
                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7Xe7C8pmPD.bat"
                                                    15⤵
                                                      PID:3008
                                                      • C:\Windows\system32\w32tm.exe
                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                        16⤵
                                                          PID:2188
                                                        • C:\Windows\security\ApplicationId\PolicyManagement\smss.exe
                                                          "C:\Windows\security\ApplicationId\PolicyManagement\smss.exe"
                                                          16⤵
                                                          • Executes dropped EXE
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:1592
                                                          • C:\Windows\System32\cmd.exe
                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LnIbptgF5R.bat"
                                                            17⤵
                                                              PID:2384
                                                              • C:\Windows\system32\w32tm.exe
                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                18⤵
                                                                  PID:2916
                                                                • C:\Windows\security\ApplicationId\PolicyManagement\smss.exe
                                                                  "C:\Windows\security\ApplicationId\PolicyManagement\smss.exe"
                                                                  18⤵
                                                                  • Executes dropped EXE
                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:2956
                                                                  • C:\Windows\System32\cmd.exe
                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tlxpltA24S.bat"
                                                                    19⤵
                                                                      PID:1784
                                                                      • C:\Windows\system32\w32tm.exe
                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                        20⤵
                                                                          PID:2156
                                                                        • C:\Windows\security\ApplicationId\PolicyManagement\smss.exe
                                                                          "C:\Windows\security\ApplicationId\PolicyManagement\smss.exe"
                                                                          20⤵
                                                                          • Executes dropped EXE
                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          PID:2288
                                                                          • C:\Windows\System32\cmd.exe
                                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EH4KCibIlQ.bat"
                                                                            21⤵
                                                                              PID:1536
                                                                              • C:\Windows\system32\w32tm.exe
                                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                22⤵
                                                                                  PID:2044
                                                                                • C:\Windows\security\ApplicationId\PolicyManagement\smss.exe
                                                                                  "C:\Windows\security\ApplicationId\PolicyManagement\smss.exe"
                                                                                  22⤵
                                                                                  • Executes dropped EXE
                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                  PID:2852
                                                                                  • C:\Windows\System32\cmd.exe
                                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BYj1kG62r9.bat"
                                                                                    23⤵
                                                                                      PID:2568
                                                                                      • C:\Windows\system32\w32tm.exe
                                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                        24⤵
                                                                                          PID:2760
                                                                                        • C:\Windows\security\ApplicationId\PolicyManagement\smss.exe
                                                                                          "C:\Windows\security\ApplicationId\PolicyManagement\smss.exe"
                                                                                          24⤵
                                                                                          • Executes dropped EXE
                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:3048
                                                                                          • C:\Windows\System32\cmd.exe
                                                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EOPCJ2Obyf.bat"
                                                                                            25⤵
                                                                                              PID:2100
                                                                                              • C:\Windows\system32\w32tm.exe
                                                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                26⤵
                                                                                                  PID:2868
                                                                                                • C:\Windows\security\ApplicationId\PolicyManagement\smss.exe
                                                                                                  "C:\Windows\security\ApplicationId\PolicyManagement\smss.exe"
                                                                                                  26⤵
                                                                                                  • Executes dropped EXE
                                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                  PID:876
                                                                                                  • C:\Windows\System32\cmd.exe
                                                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TA6UjH3MJQ.bat"
                                                                                                    27⤵
                                                                                                      PID:1528
                                                                                                      • C:\Windows\system32\w32tm.exe
                                                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                        28⤵
                                                                                                          PID:2076
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\OSPPSVC.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2716
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Default User\OSPPSVC.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2352
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\OSPPSVC.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2788
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\taskhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2044
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2872
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2596
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Pictures\Sample Pictures\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2672
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2768
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Pictures\Sample Pictures\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2224
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\System.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1156
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2776
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2816
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Common Files\microsoft shared\winlogon.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:824
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\microsoft shared\winlogon.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:468
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\microsoft shared\winlogon.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:2424
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Mozilla Firefox\browser\VisualElements\winlogon.exe'" /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:1112
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\browser\VisualElements\winlogon.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:668
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Mozilla Firefox\browser\VisualElements\winlogon.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:660
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files\VideoLAN\VLC\plugins\winlogon.exe'" /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:2104
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\plugins\winlogon.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:692
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\VideoLAN\VLC\plugins\winlogon.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:1120
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Defender\fr-FR\lsass.exe'" /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:1772
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\fr-FR\lsass.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:2936
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\fr-FR\lsass.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:2992
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Uninstall Information\System.exe'" /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:2092
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\System.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:2216
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Uninstall Information\System.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:2144
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\cmd.exe'" /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:1280
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\cmd.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:628
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\cmd.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:1608
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\providercommon\smss.exe'" /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:2996
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:292
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:1204
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\System.exe'" /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:2320
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\System.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:1768
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\System.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:2524
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\winlogon.exe'" /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:1672
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\winlogon.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:1784
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\winlogon.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:1492
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Microsoft Help\DllCommonsvc.exe'" /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:592
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft Help\DllCommonsvc.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:2088
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Microsoft Help\DllCommonsvc.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:2016
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:2532
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:304
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:1900
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Media Player\de-DE\lsass.exe'" /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:2156
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\de-DE\lsass.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:2416
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Media Player\de-DE\lsass.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:1084
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\OSPPSVC.exe'" /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:2408
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\OSPPSVC.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:2032
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\OSPPSVC.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:2336
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Windows\security\ApplicationId\PolicyManagement\smss.exe'" /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:2504
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\security\ApplicationId\PolicyManagement\smss.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:2372
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Windows\security\ApplicationId\PolicyManagement\smss.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:880

                                                  Network

                                                        MITRE ATT&CK Enterprise v15

                                                        Downloads

                                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                          Filesize

                                                          342B

                                                          MD5

                                                          843730a6cc770eba67aae8587c87b5b2

                                                          SHA1

                                                          12a9db311979e2107f76830fc7eb104aa665c948

                                                          SHA256

                                                          aabc2fc80953306c0bcbfed78589e16238ca6c72c6c8372b478bfb04f390b2b0

                                                          SHA512

                                                          e110db50a92bc52d44ee1063f3fa6d2d083345654508eeb3a4c9f6ec4a875d9545730d277c00a2745d469bbabca1fb5c4ed1c13bbdf5c41ef06563e6f558cfe9

                                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                          Filesize

                                                          342B

                                                          MD5

                                                          a574f001c748a9b8346a955ec362768c

                                                          SHA1

                                                          555c0d5959c4be94070e26372bd782654003e2fd

                                                          SHA256

                                                          f43d91e0fc148c7f7cbfa9a034a4177cc5a12cbe96bcefb2667f8d3d59d84b9c

                                                          SHA512

                                                          59c75458344dc37a746413c3e2824e8f389f10712d2e48be3841bce6133b0b24eb64a3fd12175f59021c91e99f94ae3cd0801785a21d69c3b60dc42288c8bb49

                                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                          Filesize

                                                          342B

                                                          MD5

                                                          d526e68802e00638024167b50fb4269b

                                                          SHA1

                                                          8108dba5221f99ab7630950e7e07a4d2fb94d0a3

                                                          SHA256

                                                          753c0ab455dd4e0d3d16b3085b90da8363e1b2e152ee71a5da24794d094abe7a

                                                          SHA512

                                                          c5e4ee7545458d6fdf0f600c0fadfa4dcb5fd77eeed297d314aa133dd211cb286f0a2f75dd0b72ad09035b0cd48bb9d9127d67534bf0aaaa730d9c5e172f7719

                                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                          Filesize

                                                          342B

                                                          MD5

                                                          b7a5671b885fbb212b36885f15c2f164

                                                          SHA1

                                                          5b477009255b063f9e8122e07d5c87c85da2b431

                                                          SHA256

                                                          38794bf22ed9e261e0dd800f20e824189713cce25f672e5d5d7414b66e6256fb

                                                          SHA512

                                                          3f00376f7b14f9203305b9f38f33f837eb43726701672e6b0ebe13612e8a8a2b1110cebffa3f199b2c08e444703951133628c0c5d2c153906b5831f7d18e98bd

                                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                          Filesize

                                                          342B

                                                          MD5

                                                          0478932949fad9bd72ccda6a42e99078

                                                          SHA1

                                                          f97a33effe66ec3d23d5a28034f9c00677d58f53

                                                          SHA256

                                                          826f2f4066a3338b15c9adc9e019a518c4ea9b0c008f051c7d6a3437810b491f

                                                          SHA512

                                                          1a2e34a921d8865206baec6c7f150812d1a182d4884d56344854093a4347497d1f7e1819c07b7bd481d7eafbc27b2b42f9985a03eeeb62814f72dda3f6c5852f

                                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                          Filesize

                                                          342B

                                                          MD5

                                                          1199253a33969a0fdeaf6bdec929e7ae

                                                          SHA1

                                                          92b3cc7aaea828cd261ff01baff46892fc9545a9

                                                          SHA256

                                                          2ac3bb74a1287f30e08680391564eb088649a2cc058cb6b842fa2b712b1b3d0f

                                                          SHA512

                                                          d0d6226e02620ab2c4efaccf6929538950c8e62473ee7af83c86313f98b6524eae340b457fbf255155937e33fb62a45477d83ac5069f6e293a0c099911e61667

                                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                          Filesize

                                                          342B

                                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                          Filesize

                                                          342B

                                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                          Filesize

                                                          342B

                                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                          Filesize

                                                          342B

                                                        • C:\Users\Admin\AppData\Local\Temp\7Xe7C8pmPD.bat

                                                          Filesize

                                                          224B

                                                        • C:\Users\Admin\AppData\Local\Temp\BYj1kG62r9.bat

                                                          Filesize

                                                          224B

                                                        • C:\Users\Admin\AppData\Local\Temp\CabEA51.tmp

                                                          Filesize

                                                          70KB

                                                        • C:\Users\Admin\AppData\Local\Temp\EH4KCibIlQ.bat

                                                          Filesize

                                                          224B

                                                        • C:\Users\Admin\AppData\Local\Temp\EOPCJ2Obyf.bat

                                                          Filesize

                                                          224B

                                                        • C:\Users\Admin\AppData\Local\Temp\LnIbptgF5R.bat

                                                          Filesize

                                                          224B

                                                        • C:\Users\Admin\AppData\Local\Temp\TA6UjH3MJQ.bat

                                                          Filesize

                                                          224B

                                                        • C:\Users\Admin\AppData\Local\Temp\TarEA73.tmp

                                                          Filesize

                                                          181KB

                                                        • C:\Users\Admin\AppData\Local\Temp\X5pWA5YIY7.bat

                                                          Filesize

                                                          224B

                                                        • C:\Users\Admin\AppData\Local\Temp\YAkRWmVbYY.bat

                                                          Filesize

                                                          224B

                                                        • C:\Users\Admin\AppData\Local\Temp\Yvohz7Nokj.bat

                                                          Filesize

                                                          224B

                                                        • C:\Users\Admin\AppData\Local\Temp\lEFN0vw97k.bat

                                                          Filesize

                                                          224B

                                                        • C:\Users\Admin\AppData\Local\Temp\tlxpltA24S.bat

                                                          Filesize

                                                          224B

                                                        • C:\Users\Admin\AppData\Local\Temp\xEoBbgPmrR.bat

                                                          Filesize

                                                          224B

                                                        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                                          Filesize

                                                          7KB

                                                        • C:\providercommon\1zu9dW.bat

                                                          Filesize

                                                          36B

                                                        • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                                          Filesize

                                                          197B

                                                        • \providercommon\DllCommonsvc.exe

                                                          Filesize

                                                          1.0MB

                                                        • memory/1248-154-0x0000000000F60000-0x0000000001070000-memory.dmp

                                                          Filesize

                                                          1.1MB

                                                        • memory/1592-454-0x0000000000FC0000-0x00000000010D0000-memory.dmp

                                                          Filesize

                                                          1.1MB

                                                        • memory/1592-455-0x0000000000250000-0x0000000000262000-memory.dmp

                                                          Filesize

                                                          72KB

                                                        • memory/1636-213-0x0000000000300000-0x0000000000410000-memory.dmp

                                                          Filesize

                                                          1.1MB

                                                        • memory/1796-394-0x0000000000110000-0x0000000000220000-memory.dmp

                                                          Filesize

                                                          1.1MB

                                                        • memory/1888-334-0x00000000003A0000-0x00000000004B0000-memory.dmp

                                                          Filesize

                                                          1.1MB

                                                        • memory/1908-274-0x00000000001D0000-0x00000000001E2000-memory.dmp

                                                          Filesize

                                                          72KB

                                                        • memory/1908-273-0x0000000000DA0000-0x0000000000EB0000-memory.dmp

                                                          Filesize

                                                          1.1MB

                                                        • memory/2264-63-0x000000001B630000-0x000000001B912000-memory.dmp

                                                          Filesize

                                                          2.9MB

                                                        • memory/2264-64-0x0000000001FF0000-0x0000000001FF8000-memory.dmp

                                                          Filesize

                                                          32KB

                                                        • memory/2288-575-0x00000000001C0000-0x00000000001D2000-memory.dmp

                                                          Filesize

                                                          72KB

                                                        • memory/2852-635-0x0000000000240000-0x0000000000252000-memory.dmp

                                                          Filesize

                                                          72KB

                                                        • memory/2956-515-0x00000000003C0000-0x00000000003D2000-memory.dmp

                                                          Filesize

                                                          72KB

                                                        • memory/3004-17-0x0000000000410000-0x000000000041C000-memory.dmp

                                                          Filesize

                                                          48KB

                                                        • memory/3004-14-0x0000000000270000-0x0000000000282000-memory.dmp

                                                          Filesize

                                                          72KB

                                                        • memory/3004-13-0x0000000000130000-0x0000000000240000-memory.dmp

                                                          Filesize

                                                          1.1MB

                                                        • memory/3004-15-0x0000000000400000-0x000000000040C000-memory.dmp

                                                          Filesize

                                                          48KB

                                                        • memory/3004-16-0x0000000000280000-0x000000000028C000-memory.dmp

                                                          Filesize

                                                          48KB

                                                        • memory/3048-695-0x0000000000240000-0x0000000000252000-memory.dmp

                                                          Filesize

                                                          72KB