Analysis

  • max time kernel
    146s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    30/12/2024, 19:36

General

  • Target

    JaffaCakes118_d5b9de29cfe9f7e39de10a08b31e41bcc5abb783a6d39ae7c45237a18bf011b3.exe

  • Size

    1.3MB

  • MD5

    7eca7694e78a6975896268ad0c5948f5

  • SHA1

    5e012926fde5f131c71c4e5f83f65298e75ec128

  • SHA256

    d5b9de29cfe9f7e39de10a08b31e41bcc5abb783a6d39ae7c45237a18bf011b3

  • SHA512

    2aa45b80fa311f52b8148fe1f222b2018f5975b5971c6ebb5b80493420bf8baaa3c50eefbb6a281e7e60c573f1323281112946a9d4894588e2fce5b60598d2dc

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 51 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 7 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
  • Drops file in Program Files directory 8 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 39 IoCs
  • Suspicious use of AdjustPrivilegeToken 31 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d5b9de29cfe9f7e39de10a08b31e41bcc5abb783a6d39ae7c45237a18bf011b3.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d5b9de29cfe9f7e39de10a08b31e41bcc5abb783a6d39ae7c45237a18bf011b3.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2340
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2520
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3052
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1056
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:704
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\taskhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:612
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\OSPPSVC.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1324
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\explorer.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1628
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\audiodg.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:940
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\spoolsv.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1700
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\ja-JP\wininit.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2460
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\conhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1748
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\sppsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1268
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dllhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1652
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Saved Games\lsm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:912
          • C:\providercommon\DllCommonsvc.exe
            "C:\providercommon\DllCommonsvc.exe"
            5⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1320
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2696
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\OSPPSVC.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2600
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.VisualBasic.Activities.Compiler\v4.0_10.0.0.0__b03f5f7f11d50a3a\csrss.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2740
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2572
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\System.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1716
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\dllhost.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3060
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\smss.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3036
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Cookies\OSPPSVC.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2692
            • C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.VisualBasic.Activities.Compiler\v4.0_10.0.0.0__b03f5f7f11d50a3a\csrss.exe
              "C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.VisualBasic.Activities.Compiler\v4.0_10.0.0.0__b03f5f7f11d50a3a\csrss.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2604
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\blOcFVMglb.bat"
                7⤵
                  PID:1552
                  • C:\Windows\system32\w32tm.exe
                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                    8⤵
                      PID:1760
                    • C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.VisualBasic.Activities.Compiler\v4.0_10.0.0.0__b03f5f7f11d50a3a\csrss.exe
                      "C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.VisualBasic.Activities.Compiler\v4.0_10.0.0.0__b03f5f7f11d50a3a\csrss.exe"
                      8⤵
                      • Executes dropped EXE
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2136
                      • C:\Windows\System32\cmd.exe
                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QqrgVo7Q94.bat"
                        9⤵
                          PID:792
                          • C:\Windows\system32\w32tm.exe
                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                            10⤵
                              PID:824
                            • C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.VisualBasic.Activities.Compiler\v4.0_10.0.0.0__b03f5f7f11d50a3a\csrss.exe
                              "C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.VisualBasic.Activities.Compiler\v4.0_10.0.0.0__b03f5f7f11d50a3a\csrss.exe"
                              10⤵
                              • Executes dropped EXE
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              PID:2624
                              • C:\Windows\System32\cmd.exe
                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wYroxckjTC.bat"
                                11⤵
                                  PID:2812
                                  • C:\Windows\system32\w32tm.exe
                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                    12⤵
                                      PID:1268
                                    • C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.VisualBasic.Activities.Compiler\v4.0_10.0.0.0__b03f5f7f11d50a3a\csrss.exe
                                      "C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.VisualBasic.Activities.Compiler\v4.0_10.0.0.0__b03f5f7f11d50a3a\csrss.exe"
                                      12⤵
                                      • Executes dropped EXE
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:2224
                                      • C:\Windows\System32\cmd.exe
                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7FnFm4j3ls.bat"
                                        13⤵
                                          PID:1056
                                          • C:\Windows\system32\w32tm.exe
                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                            14⤵
                                              PID:2592
                                            • C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.VisualBasic.Activities.Compiler\v4.0_10.0.0.0__b03f5f7f11d50a3a\csrss.exe
                                              "C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.VisualBasic.Activities.Compiler\v4.0_10.0.0.0__b03f5f7f11d50a3a\csrss.exe"
                                              14⤵
                                              • Executes dropped EXE
                                              • Suspicious behavior: EnumeratesProcesses
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:2272
                                              • C:\Windows\System32\cmd.exe
                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OyPKZ08zKl.bat"
                                                15⤵
                                                  PID:2712
                                                  • C:\Windows\system32\w32tm.exe
                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                    16⤵
                                                      PID:2864
                                                    • C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.VisualBasic.Activities.Compiler\v4.0_10.0.0.0__b03f5f7f11d50a3a\csrss.exe
                                                      "C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.VisualBasic.Activities.Compiler\v4.0_10.0.0.0__b03f5f7f11d50a3a\csrss.exe"
                                                      16⤵
                                                      • Executes dropped EXE
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:1548
                                                      • C:\Windows\System32\cmd.exe
                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MsMShxucCb.bat"
                                                        17⤵
                                                          PID:2308
                                                          • C:\Windows\system32\w32tm.exe
                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                            18⤵
                                                              PID:2232
                                                            • C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.VisualBasic.Activities.Compiler\v4.0_10.0.0.0__b03f5f7f11d50a3a\csrss.exe
                                                              "C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.VisualBasic.Activities.Compiler\v4.0_10.0.0.0__b03f5f7f11d50a3a\csrss.exe"
                                                              18⤵
                                                              • Executes dropped EXE
                                                              • Suspicious behavior: EnumeratesProcesses
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:2692
                                                              • C:\Windows\System32\cmd.exe
                                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kRqsvBC5Qb.bat"
                                                                19⤵
                                                                  PID:2260
                                                                  • C:\Windows\system32\w32tm.exe
                                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                    20⤵
                                                                      PID:988
                                                                    • C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.VisualBasic.Activities.Compiler\v4.0_10.0.0.0__b03f5f7f11d50a3a\csrss.exe
                                                                      "C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.VisualBasic.Activities.Compiler\v4.0_10.0.0.0__b03f5f7f11d50a3a\csrss.exe"
                                                                      20⤵
                                                                      • Executes dropped EXE
                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      PID:2216
                                                                      • C:\Windows\System32\cmd.exe
                                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bo4ZIAkpMj.bat"
                                                                        21⤵
                                                                          PID:2368
                                                                          • C:\Windows\system32\w32tm.exe
                                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                            22⤵
                                                                              PID:2904
                                                                            • C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.VisualBasic.Activities.Compiler\v4.0_10.0.0.0__b03f5f7f11d50a3a\csrss.exe
                                                                              "C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.VisualBasic.Activities.Compiler\v4.0_10.0.0.0__b03f5f7f11d50a3a\csrss.exe"
                                                                              22⤵
                                                                              • Executes dropped EXE
                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              PID:2212
                                                                              • C:\Windows\System32\cmd.exe
                                                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5G5G1KH0qy.bat"
                                                                                23⤵
                                                                                  PID:1716
                                                                                  • C:\Windows\system32\w32tm.exe
                                                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                    24⤵
                                                                                      PID:2936
                                                                                    • C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.VisualBasic.Activities.Compiler\v4.0_10.0.0.0__b03f5f7f11d50a3a\csrss.exe
                                                                                      "C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.VisualBasic.Activities.Compiler\v4.0_10.0.0.0__b03f5f7f11d50a3a\csrss.exe"
                                                                                      24⤵
                                                                                      • Executes dropped EXE
                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      PID:1580
                                                                                      • C:\Windows\System32\cmd.exe
                                                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dhQfvaPZ4N.bat"
                                                                                        25⤵
                                                                                          PID:888
                                                                                          • C:\Windows\system32\w32tm.exe
                                                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                            26⤵
                                                                                              PID:2288
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\taskhost.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2132
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\taskhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2664
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\taskhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2708
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\OSPPSVC.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2828
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Admin\AppData\OSPPSVC.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2592
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\AppData\OSPPSVC.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2628
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\explorer.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1664
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\explorer.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2456
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\explorer.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2324
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Program Files\Uninstall Information\audiodg.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1816
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\audiodg.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1960
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\audiodg.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1564
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\spoolsv.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2872
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2384
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1992
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Internet Explorer\ja-JP\wininit.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1220
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\ja-JP\wininit.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1372
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Internet Explorer\ja-JP\wininit.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1688
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\conhost.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2528
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\conhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2672
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\conhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2804
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\sppsvc.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2216
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1808
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2264
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dllhost.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1760
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1860
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:408
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Saved Games\lsm.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2560
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Default\Saved Games\lsm.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:680
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Saved Games\lsm.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:988
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\OSPPSVC.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1108
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\All Users\OSPPSVC.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1504
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\OSPPSVC.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2616
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.VisualBasic.Activities.Compiler\v4.0_10.0.0.0__b03f5f7f11d50a3a\csrss.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1644
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.VisualBasic.Activities.Compiler\v4.0_10.0.0.0__b03f5f7f11d50a3a\csrss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2628
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.VisualBasic.Activities.Compiler\v4.0_10.0.0.0__b03f5f7f11d50a3a\csrss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2880
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\providercommon\lsass.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1552
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:692
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:780
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\System.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2720
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\System.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2832
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\System.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2968
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\dllhost.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2560
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2032
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2136
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\providercommon\smss.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:3048
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1696
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:448
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Cookies\OSPPSVC.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2372
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Default\Cookies\OSPPSVC.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2328
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Cookies\OSPPSVC.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2152
                                          • C:\Windows\system32\conhost.exe
                                            \??\C:\Windows\system32\conhost.exe "14469815232102867804-7791087271000934453-2103102970-55733652012843289202138473764"
                                            1⤵
                                              PID:704

                                            Network

                                                  MITRE ATT&CK Enterprise v15

                                                  Replay Monitor

                                                  Loading Replay Monitor...

                                                  Downloads

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                    Filesize

                                                    342B

                                                    MD5

                                                    8dbf5cba7c6d0adf71ec6feba7b19c66

                                                    SHA1

                                                    aab3e4d9261e57a8cb90cd44dfb33f1ac8fa779b

                                                    SHA256

                                                    bbf0ae31173600b54a1ab7eef875bf77c52580a7a0242dfa53b2aa53e7b17b8c

                                                    SHA512

                                                    73e8cbb1b0496d9337f239ffdcc1961c9d2dbd6b4331ae70202c7b49dd07ab6f4eb2b278d55a66154cda3ff77411fec83a920528cf2d3894f272c0fa0bf86788

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                    Filesize

                                                    342B

                                                    MD5

                                                    1873e32318c073297b60d9f65f2e1ba0

                                                    SHA1

                                                    1dfe27b41db4116807d905975c3946ce8796727c

                                                    SHA256

                                                    11984763156cb879055b2e9cf1a0bbdd3263b7dc02f620efc5ccd77c2946dbe8

                                                    SHA512

                                                    bd8be42a538a702d817c1367b5c549daac9b1a163478d1f32cdc061ecfb28188b49eacdc31408e5cd7793e3121477ffddecb68c7c6f79544155a83ea32c7eff6

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                    Filesize

                                                    342B

                                                    MD5

                                                    5ab791af9b2dc8e1e5f2d36b3c78c496

                                                    SHA1

                                                    e810757ad2da1a790d4e78294df4191debdec81f

                                                    SHA256

                                                    aeabffe7be2b408d34fab8bad13894be76603a44fb38f7ffc3eea3b0acc93c7c

                                                    SHA512

                                                    0d8bca013c0255907f909eba0dc836d4365d81c3fec590f737bc5c0001656d5802e684d573d09b11f1fb595e88276f3c78a57e3cf03085c8be44208ed904d79c

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                    Filesize

                                                    342B

                                                    MD5

                                                    6b3841d3f842bcb6c6d57ccab653f37b

                                                    SHA1

                                                    a13b594ca449ecb35b54d24c030b170889e16c10

                                                    SHA256

                                                    1a55ad46d8faf5a97f8db7424092127032e1fae47f6c76ad81f9056dea661a3a

                                                    SHA512

                                                    7c2cdeb94a0679439981d1992b8667235b7016cef4f301fbe21cc0163bc607cc8cb968143e45373e657e8cd5fa4674a40da8f83fae931500cd225ef6c3c54716

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                    Filesize

                                                    342B

                                                    MD5

                                                    ba66240be672b2680b5b6eb4f91e80bd

                                                    SHA1

                                                    c73c8bb866693d53d9d62c93fe5691230121c0fe

                                                    SHA256

                                                    6243171136e12901d063c250686ade73aed871b98f68662fe6e591abc592b792

                                                    SHA512

                                                    95af1d346914d140d65dbca25a67b9fa5187feb7046e278cdfdf9bbbfc7b835aa726df9f2fc4f9bd76fea70c5c239d223fdf413e06f8bf846984b4ef6dae799b

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                    Filesize

                                                    342B

                                                    MD5

                                                    c366c60bbd333138afb0a53eca4e162e

                                                    SHA1

                                                    29ac9f44b6eecf192787ec75b91222f3acfb08ec

                                                    SHA256

                                                    4c6e26eced2f3943df0e5e814053f283b68eed582afbbe7deccc049e63b0ef36

                                                    SHA512

                                                    c5eb03e8de99b8ad4ba5a5192664ff5f198e38c5811c9263149f7cf93737adff8fbff4509ff7a19aa5a58e908ba037a1506a3041dc92ef68fb8a4c0b14a6dd2d

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                    Filesize

                                                    342B

                                                    MD5

                                                    9e44adf972adde7690c4e13ad6756f02

                                                    SHA1

                                                    64ac812e2c15d1aeb5d6d69ab4b7360058a06175

                                                    SHA256

                                                    a8651874de4158c9138d1921a9c06e28da18430ccacac71f1bc587918d14006f

                                                    SHA512

                                                    37d02e89d217b4de0ab7fe7d587c9fd68fd7e4f2da483683ca93df89b57b74d170db1a29aefa7b277ef9ad54eb06fc7bcb68034205ee97c2a3751eba5fcfda37

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                    Filesize

                                                    342B

                                                    MD5

                                                    f097efc2970212840c88e156fcc2f123

                                                    SHA1

                                                    fcfe28d81e53fe1138068fda4d6096bf87297c55

                                                    SHA256

                                                    707bfd2e585dc861d3569a0fa9af5e565b5c4d929d882a7571209c60032b5ebe

                                                    SHA512

                                                    c955feb787443d49684f2e0eac41b8ac94875f9baf75ef8082c1fb38ee59da544599ff3193b4327ef8888023731a5db88df1b1b85048bace3ef10972d4c0d0ac

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                    Filesize

                                                    342B

                                                    MD5

                                                    c348fd34181e842db922a91987c792a9

                                                    SHA1

                                                    9d973658823c3d9f27e6ff9bdbae6898e3be67f8

                                                    SHA256

                                                    d742485a3be749624bfd7faa878edd9261fda8e62af8adbb3121bf6835d17af6

                                                    SHA512

                                                    0a21e9402edb88afdad85e6763a3344e164ddfc1d083e189fe114aca65d61d255d88ab08fa5ee95c54ab24fce5b445997142446fa1711bb99b40eab0d52de9f8

                                                  • C:\Users\Admin\AppData\Local\Temp\5G5G1KH0qy.bat

                                                    Filesize

                                                    289B

                                                    MD5

                                                    91e2bf5e5a4673c98c816df61342d57c

                                                    SHA1

                                                    4aeaea4ed1370d47b0819a518d3c8ad09d0e4202

                                                    SHA256

                                                    5c34d720ba6c311c7890e1d5d13f0e9e9805677b0b72d58a874ff8ae666f69b2

                                                    SHA512

                                                    14e0ac0f066faeedb49da0a52439b1ef9576f10683b6f2a5b1aa0b6bea7f9b2e74f4781e7a3856b68c94317124ab3a4def5cedacc6075a41aaacedcd68ed51c0

                                                  • C:\Users\Admin\AppData\Local\Temp\7FnFm4j3ls.bat

                                                    Filesize

                                                    289B

                                                    MD5

                                                    1cde496886753088cac6666da89ac982

                                                    SHA1

                                                    438bfd28bed2a1dd4ce890f1cea7cb1125aea579

                                                    SHA256

                                                    a6fe64794a7b447053016b38ac866f4bfe33e110da23b2f8d084c4642a99c051

                                                    SHA512

                                                    e58feb1c5559f5f06c5ee4d51a2935611d1b86c7a2b62e9ba24b731a08d0c95187ebdc99e09e3c41a57674319c57dd5efb179adb3d20abfc5a3780bed540c961

                                                  • C:\Users\Admin\AppData\Local\Temp\CabEF1.tmp

                                                    Filesize

                                                    70KB

                                                    MD5

                                                    49aebf8cbd62d92ac215b2923fb1b9f5

                                                    SHA1

                                                    1723be06719828dda65ad804298d0431f6aff976

                                                    SHA256

                                                    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                                    SHA512

                                                    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                                  • C:\Users\Admin\AppData\Local\Temp\MsMShxucCb.bat

                                                    Filesize

                                                    289B

                                                    MD5

                                                    cb220dcec9a8d877bfa68b0572f8116d

                                                    SHA1

                                                    c05e1ad0aa9ff0aee6e5a59e9053890d5ec12a0a

                                                    SHA256

                                                    466defde2e41d88ebd91ceea316a4ae6384d63cb3cdafb51f56c92d77b9f7234

                                                    SHA512

                                                    ccb6bfc7e954ec5937cffffcd7927f3dcb7d646bc7c5f1b9a6286479459659b9bc6502b1e3e2154b85feaa5a7cff9628c59c24d9a7b59e646cf93c6e71c2cf3b

                                                  • C:\Users\Admin\AppData\Local\Temp\OyPKZ08zKl.bat

                                                    Filesize

                                                    289B

                                                    MD5

                                                    93306f7bb330186f31999d74c83c445f

                                                    SHA1

                                                    bc34e8bc19b9c3715424cb663ad606511bc39bc6

                                                    SHA256

                                                    fe48006d5ea472f4cdd054e707640f1237e411bed818380bca1f2c0504402a96

                                                    SHA512

                                                    e161af4db75f2a3da34154092ac844a1dd2635a8ea6fe24e4832845738504452af04696004439962422ddf6f60463ced2e4d555494b89a47d83081dbe6960077

                                                  • C:\Users\Admin\AppData\Local\Temp\QqrgVo7Q94.bat

                                                    Filesize

                                                    289B

                                                    MD5

                                                    d9fc37a6336c2c64c659a00326e1e22c

                                                    SHA1

                                                    4c8ad7f49dae30c2d11ba71bee07f49396a47fb9

                                                    SHA256

                                                    e3e1f76b225f7bbde0d96bb76460e4749295dc31fa8f45b58ba1205c163edc4b

                                                    SHA512

                                                    3f751b01f4754dba2d1964d40c3d749d04eca0c62ae7ce53f405e93822bce893120d8b6fb4b6b1687ee18725f9a4f9f57e86277a0cdd56adb590e28538a5c7a1

                                                  • C:\Users\Admin\AppData\Local\Temp\TarF13.tmp

                                                    Filesize

                                                    181KB

                                                    MD5

                                                    4ea6026cf93ec6338144661bf1202cd1

                                                    SHA1

                                                    a1dec9044f750ad887935a01430bf49322fbdcb7

                                                    SHA256

                                                    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                                                    SHA512

                                                    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                                  • C:\Users\Admin\AppData\Local\Temp\blOcFVMglb.bat

                                                    Filesize

                                                    289B

                                                    MD5

                                                    4a3c427dbb5f73a1f21e8eaaefd6926e

                                                    SHA1

                                                    9e806d4755c2b799b3fe6f44922128c0a87de0ab

                                                    SHA256

                                                    3527626078226da79360ac20a174ef40eca4f543a275a57f0d4d0c879ee36478

                                                    SHA512

                                                    e7169d0ca7a60b51baa7004450b661307132d293e836ad1389e2485e16ef1328682351e9fdf07646bbc09a0e579af8e122b643e1ded69cec4b9e4f44b180d447

                                                  • C:\Users\Admin\AppData\Local\Temp\bo4ZIAkpMj.bat

                                                    Filesize

                                                    289B

                                                    MD5

                                                    05f23aea730b92fcc1b0bb14b9bf8703

                                                    SHA1

                                                    e70ae8f5e3da36e803d040229c8c8b26e5de0232

                                                    SHA256

                                                    85d8e9b8bd3f503cea0910d894d878031c9677d0f307fc7729d640e0fa00bb96

                                                    SHA512

                                                    5a73540b194e9f912329b4a71b4b6da446cf103e845ef9b3a46cd12b6181cbf78a6437c095cf3dd7f1b6c81f4ae4ab160c54e7cab6706df63febadcf498fd9e2

                                                  • C:\Users\Admin\AppData\Local\Temp\dhQfvaPZ4N.bat

                                                    Filesize

                                                    289B

                                                    MD5

                                                    0c0ca458fc259bf4e16c5358071655d1

                                                    SHA1

                                                    8a72e8a9044ab3d5ce09bd3ef12fe64a612da1a2

                                                    SHA256

                                                    d9220b4b4ffaa9f55f1aa4f64367e8060ce9c478acc7a9db2963e699521c62f7

                                                    SHA512

                                                    6483364a28aa68820dbca5ad3f02cc31c7355eba554c6b35001e19be034936d5f0688cc1e09a2ffd73eb230c2b7f0db12f3b16371f486a0e335fec37c1ca5e6c

                                                  • C:\Users\Admin\AppData\Local\Temp\kRqsvBC5Qb.bat

                                                    Filesize

                                                    289B

                                                    MD5

                                                    79a3dbad91e4db27545da6ce4fa44a81

                                                    SHA1

                                                    a8d21222e13f804aed52bb11040785500ffbe8f8

                                                    SHA256

                                                    ae534d58bc0f43e57d558c12ef23490741d00b1dfff54650f93d4763e5b1c5b7

                                                    SHA512

                                                    7a767fdc306ad161ed917341b7fdd34b6c063b3980f272498ffb46a580d4094c30f24d56379abb67237cf14f510f4b263bd6eeb195114a5434275a846725c7b5

                                                  • C:\Users\Admin\AppData\Local\Temp\wYroxckjTC.bat

                                                    Filesize

                                                    289B

                                                    MD5

                                                    0d99a4880be5987dd833398cb2a828ab

                                                    SHA1

                                                    2c4b474fbde66e90fb1c12e5184924294169a4b2

                                                    SHA256

                                                    4b421b6318cc9bb94e925a35dbd4bcfe4bf140d99d0a32209f43b6a4d9509331

                                                    SHA512

                                                    f47e1ccb09a6cf95cf5bc1c70d26d3e99cc78b503a29629d11130593feaeb36d41eb83617d69d6f5a30f75c6eed2b14690150775d0fff3bf217069fe40c8b349

                                                  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                                    Filesize

                                                    7KB

                                                    MD5

                                                    c47a079b18035700214bc9b026c41531

                                                    SHA1

                                                    d4876847a953cf8708ce0fc67c80f41f3de3f208

                                                    SHA256

                                                    98c8c830c226abde147bcffc7bd9329a1273e321c4903706b8f66cc13a041640

                                                    SHA512

                                                    c57e20871351f3bbecc8879794c049f1ff24b07ab4c1e15bbba617a1ad5287d41a11311c89ceb494e0735397801496bdc09de6bae05fb15742d97a5132c363d5

                                                  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                                    Filesize

                                                    7KB

                                                    MD5

                                                    243172db0df8548ed8d5b56083bfd908

                                                    SHA1

                                                    99726070e89ae0df6d6b88841a0f9f83e2582fde

                                                    SHA256

                                                    e51f0ce8aa5d034ee8978f8aacd4ccbef15f384aa2919cac217f06c4e8711c40

                                                    SHA512

                                                    54c7d9bcb2c295c5c31db4c366c7b944e1c1b9e3eae93b2a027d4710083e4d226878481f93a2caffbb56b5de2e4fa72ad47e7034b8782208d1de6fcbe36db8b7

                                                  • C:\providercommon\1zu9dW.bat

                                                    Filesize

                                                    36B

                                                    MD5

                                                    6783c3ee07c7d151ceac57f1f9c8bed7

                                                    SHA1

                                                    17468f98f95bf504cc1f83c49e49a78526b3ea03

                                                    SHA256

                                                    8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

                                                    SHA512

                                                    c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                                  • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                                    Filesize

                                                    197B

                                                    MD5

                                                    8088241160261560a02c84025d107592

                                                    SHA1

                                                    083121f7027557570994c9fc211df61730455bb5

                                                    SHA256

                                                    2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

                                                    SHA512

                                                    20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                                  • \providercommon\DllCommonsvc.exe

                                                    Filesize

                                                    1.0MB

                                                    MD5

                                                    bd31e94b4143c4ce49c17d3af46bcad0

                                                    SHA1

                                                    f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                                    SHA256

                                                    b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                                    SHA512

                                                    f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                                  • memory/704-48-0x000000001B7E0000-0x000000001BAC2000-memory.dmp

                                                    Filesize

                                                    2.9MB

                                                  • memory/704-50-0x00000000027E0000-0x00000000027E8000-memory.dmp

                                                    Filesize

                                                    32KB

                                                  • memory/1056-17-0x0000000000580000-0x000000000058C000-memory.dmp

                                                    Filesize

                                                    48KB

                                                  • memory/1056-13-0x00000000008F0000-0x0000000000A00000-memory.dmp

                                                    Filesize

                                                    1.1MB

                                                  • memory/1056-16-0x00000000004F0000-0x00000000004FC000-memory.dmp

                                                    Filesize

                                                    48KB

                                                  • memory/1056-15-0x00000000003D0000-0x00000000003DC000-memory.dmp

                                                    Filesize

                                                    48KB

                                                  • memory/1056-14-0x0000000000140000-0x0000000000152000-memory.dmp

                                                    Filesize

                                                    72KB

                                                  • memory/1320-95-0x00000000001D0000-0x00000000001E2000-memory.dmp

                                                    Filesize

                                                    72KB

                                                  • memory/1580-694-0x00000000000E0000-0x00000000001F0000-memory.dmp

                                                    Filesize

                                                    1.1MB

                                                  • memory/2136-217-0x00000000001D0000-0x00000000001E2000-memory.dmp

                                                    Filesize

                                                    72KB

                                                  • memory/2212-634-0x00000000003B0000-0x00000000004C0000-memory.dmp

                                                    Filesize

                                                    1.1MB

                                                  • memory/2216-573-0x0000000000290000-0x00000000003A0000-memory.dmp

                                                    Filesize

                                                    1.1MB

                                                  • memory/2216-574-0x00000000004D0000-0x00000000004E2000-memory.dmp

                                                    Filesize

                                                    72KB

                                                  • memory/2224-336-0x00000000012E0000-0x00000000013F0000-memory.dmp

                                                    Filesize

                                                    1.1MB

                                                  • memory/2600-123-0x0000000001D20000-0x0000000001D28000-memory.dmp

                                                    Filesize

                                                    32KB

                                                  • memory/2600-122-0x000000001B6A0000-0x000000001B982000-memory.dmp

                                                    Filesize

                                                    2.9MB

                                                  • memory/2604-116-0x0000000001140000-0x0000000001250000-memory.dmp

                                                    Filesize

                                                    1.1MB