Analysis

  • max time kernel
    150s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    22-12-2024 02:07

General

  • Target

    JaffaCakes118_af899e7205e3f3e028ece1c6ce02888edc3a2118f1590e3bdff27ebaa812a760.exe

  • Size

    1.3MB

  • MD5

    f6011a9af3bb76cebd2a579ef81b4dd2

  • SHA1

    887ba1dd251ff6270adfd66f305d9c6eb6e4bcda

  • SHA256

    af899e7205e3f3e028ece1c6ce02888edc3a2118f1590e3bdff27ebaa812a760

  • SHA512

    7931a81e030fb51170e895d3170b8f30de6b9cbfb83c5201266b613a6a5747f71d930c2097af6d7f4f79b42c444ab5def0256fd9060fb4a65d225081fd652aa5

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 45 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 8 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
  • Drops file in Program Files directory 10 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: CmdExeWriteProcessMemorySpam 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious use of AdjustPrivilegeToken 28 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_af899e7205e3f3e028ece1c6ce02888edc3a2118f1590e3bdff27ebaa812a760.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_af899e7205e3f3e028ece1c6ce02888edc3a2118f1590e3bdff27ebaa812a760.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2848
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2356
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2856
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:828
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2148
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2476
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:884
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office14\1033\sppsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1864
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft\Windows NT\smss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:680
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\sppsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1760
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\System.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2516
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1152
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\locale\ta\LC_MESSAGES\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1440
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\dllhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1588
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\services.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1600
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Office\CLIPART\cmd.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1700
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WmiPrvSE.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1596
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\TableTextService\winlogon.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1192
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\dwm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:540
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Vss\spoolsv.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:484
          • C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe
            "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2576
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rjTee716Rl.bat"
              6⤵
                PID:2320
                • C:\Windows\system32\w32tm.exe
                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                  7⤵
                    PID:1052
                  • C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe
                    "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe"
                    7⤵
                    • Executes dropped EXE
                    • Suspicious behavior: CmdExeWriteProcessMemorySpam
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2420
                    • C:\Windows\System32\cmd.exe
                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\msQYHxuKnC.bat"
                      8⤵
                        PID:2608
                        • C:\Windows\system32\w32tm.exe
                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                          9⤵
                            PID:2676
                          • C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe
                            "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe"
                            9⤵
                            • Executes dropped EXE
                            • Suspicious behavior: CmdExeWriteProcessMemorySpam
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1600
                            • C:\Windows\System32\cmd.exe
                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IVqzzTSBcr.bat"
                              10⤵
                                PID:1308
                                • C:\Windows\system32\w32tm.exe
                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                  11⤵
                                    PID:564
                                  • C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe
                                    "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe"
                                    11⤵
                                    • Executes dropped EXE
                                    • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:2096
                                    • C:\Windows\System32\cmd.exe
                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\L59TFxmxil.bat"
                                      12⤵
                                        PID:2492
                                        • C:\Windows\system32\w32tm.exe
                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                          13⤵
                                            PID:852
                                          • C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe
                                            "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe"
                                            13⤵
                                            • Executes dropped EXE
                                            • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:2212
                                            • C:\Windows\System32\cmd.exe
                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GX2kvMhQbI.bat"
                                              14⤵
                                                PID:924
                                                • C:\Windows\system32\w32tm.exe
                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                  15⤵
                                                    PID:844
                                                  • C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe
                                                    "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe"
                                                    15⤵
                                                    • Executes dropped EXE
                                                    • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:2960
                                                    • C:\Windows\System32\cmd.exe
                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F82V1kRox2.bat"
                                                      16⤵
                                                        PID:2020
                                                        • C:\Windows\system32\w32tm.exe
                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                          17⤵
                                                            PID:1600
                                                          • C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe
                                                            "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe"
                                                            17⤵
                                                            • Executes dropped EXE
                                                            • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:1932
                                                            • C:\Windows\System32\cmd.exe
                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pksuDlslcW.bat"
                                                              18⤵
                                                                PID:1660
                                                                • C:\Windows\system32\w32tm.exe
                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                  19⤵
                                                                    PID:2740
                                                                  • C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe
                                                                    "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe"
                                                                    19⤵
                                                                    • Executes dropped EXE
                                                                    • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    PID:3040
                                                                    • C:\Windows\System32\cmd.exe
                                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AQ0EpYUV7r.bat"
                                                                      20⤵
                                                                        PID:2804
                                                                        • C:\Windows\system32\w32tm.exe
                                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                          21⤵
                                                                            PID:2144
                                                                          • C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe
                                                                            "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe"
                                                                            21⤵
                                                                            • Executes dropped EXE
                                                                            • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:2216
                                                                            • C:\Windows\System32\cmd.exe
                                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OrAhl4fNEA.bat"
                                                                              22⤵
                                                                                PID:824
                                                                                • C:\Windows\system32\w32tm.exe
                                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                  23⤵
                                                                                    PID:1164
                                                                                  • C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe
                                                                                    "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe"
                                                                                    23⤵
                                                                                    • Executes dropped EXE
                                                                                    • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                    PID:1572
                                                                                    • C:\Windows\System32\cmd.exe
                                                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pCY6B1XXru.bat"
                                                                                      24⤵
                                                                                        PID:2228
                                                                                        • C:\Windows\system32\w32tm.exe
                                                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                          25⤵
                                                                                            PID:2484
                                                                                          • C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe
                                                                                            "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe"
                                                                                            25⤵
                                                                                            • Executes dropped EXE
                                                                                            • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                            PID:2828
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2668
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2864
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2688
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2664
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2564
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2600
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\Office14\1033\sppsvc.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2004
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\sppsvc.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2128
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office\Office14\1033\sppsvc.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1244
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Microsoft\Windows NT\smss.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2876
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\Windows NT\smss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2884
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Microsoft\Windows NT\smss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:856
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\sppsvc.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2536
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2796
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1808
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\providercommon\System.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2804
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1720
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1704
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1516
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1932
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2952
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\VideoLAN\VLC\locale\ta\LC_MESSAGES\csrss.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2908
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\locale\ta\LC_MESSAGES\csrss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2392
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\VideoLAN\VLC\locale\ta\LC_MESSAGES\csrss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2648
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\dllhost.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2268
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2120
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:940
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\providercommon\services.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1952
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:3052
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1088
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Office\CLIPART\cmd.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1344
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\CLIPART\cmd.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2412
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Office\CLIPART\cmd.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1972
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\providercommon\WmiPrvSE.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1764
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:908
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1940
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows NT\TableTextService\winlogon.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2012
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\winlogon.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1784
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\TableTextService\winlogon.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1320
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\dwm.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2432
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\dwm.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1256
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\dwm.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1224
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Windows\Vss\spoolsv.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2284
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Vss\spoolsv.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2216
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Windows\Vss\spoolsv.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2016

                                          Network

                                          MITRE ATT&CK Enterprise v15

                                          Replay Monitor

                                          Loading Replay Monitor...

                                          Downloads

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                            Filesize

                                            342B

                                            MD5

                                            eab428c919e0308b3c6e46d21ec6f25d

                                            SHA1

                                            12a98d0938fd9ad20ae81ca8975822cb3d8c06a0

                                            SHA256

                                            e0610cf3999eece8ebebf442f9808da192db11a0d352022a854f9f5b59a0186a

                                            SHA512

                                            9906f6ceb0c13e5e95cbee31dcd257d26970e065dcad092660e35319cd9ef4bbaff47cf673875fbbdbb22c59a3a4f667c4744acd390f9f50e9b3f26bf5ddf2cf

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                            Filesize

                                            342B

                                            MD5

                                            33c1c5ef1106a03edbc351cb07938e32

                                            SHA1

                                            a912d0eee6cbc18649838408b3f959aeeea7a026

                                            SHA256

                                            bb55bb98e2ed659f72cb610f2580028124cd7167aba962bd934aafe6d553dbd5

                                            SHA512

                                            366bc9cc06a5edeae58c94a8e272d3830d2adcf4fe977d79148b3aaf52e485cf4dd1f38b8de99115860d750f3580b785126ea990337836b5cf030c0a51056256

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                            Filesize

                                            342B

                                            MD5

                                            28906e5a9c6dd97c39d2723500109cb7

                                            SHA1

                                            0eadb4efd8fb9b066bb4a84d2fddec69141530b1

                                            SHA256

                                            ec752c690cd3052c05d5dbd9a1ade43cab2f4222d65708b9b0da12ddf852079e

                                            SHA512

                                            f4148ce35dff4f98829c253321d4c54f7acc52042a8c0485b471fafe7314732ce7d7e006a5e31d69e23a8b047f99b0c293bfa31458520c59622b46efbb11f160

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                            Filesize

                                            342B

                                            MD5

                                            0e3a7d0b5725bdfab5de64b8b7024bcb

                                            SHA1

                                            696d614bab9120748096b3c26ec6795a8bb51647

                                            SHA256

                                            37176dc13b3c4adb989238df6fa5a2fec29ffd605c0cfaca08e54ea5c28c6eb5

                                            SHA512

                                            a91da15b3c73327310979263dd0d92284f484784ab29bb6d882206c9bbab3a8190ca5516f53fe50dc38beb6dc7b7b664cddf6c9c35f3a52116799cc2b6bbff78

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                            Filesize

                                            342B

                                            MD5

                                            56642974dc25e861891e788f45b6a583

                                            SHA1

                                            4b86ae19d6324f8d141a6641999b713def5fd0ce

                                            SHA256

                                            2f482af1c0fc954ea84f4fa6e34cf51b65fd90d8e7f44e798cadebf6966c29f6

                                            SHA512

                                            1eadf5a69be1ed72ddc0e120c39010af0105fba70e5b2f976f8976d6c0bff1cc9a48e7f804e31020d065d0485a4b15019d79ade84c8272cca30cfd9249e6bfeb

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                            Filesize

                                            342B

                                            MD5

                                            12584a88f5e5e8afc7f1f92b17b63fb8

                                            SHA1

                                            f45e6f26345ce02fa02ac8d966ff9bfd54fc37a4

                                            SHA256

                                            bbc20dc14c217fd100b5685f537e0e47d31209d927e8792641858bfee3ad9031

                                            SHA512

                                            3bd90ef7760c823b8e7139e06cc0ca53da87d6ccfae4ca3d31eebc0b4bd23bd74ffd55eea6b6da51a682461b26b13c5db59476cfb015cd16df858e17b6a3ca95

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                            Filesize

                                            342B

                                            MD5

                                            fe6a0e1416cd1b183486c61df78d1857

                                            SHA1

                                            4a360e8a75e921ac844d14bb90331e97308e5052

                                            SHA256

                                            bdd788f8afaaaa5252ec8a45cbab9de07997fb30ae65e2dfaf35dbcad2ecfac1

                                            SHA512

                                            6e6293813a4dc0fabe16755d1e9ec30cb37e90b349de17647aac62fd995225b7520168f197812b16c43152df79078846b2fe77b1abd40914dd162cb06be59cf2

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                            Filesize

                                            342B

                                            MD5

                                            b3300ac68f272654cde18522d9d53b3b

                                            SHA1

                                            6ded9c01c18a4babb2ff776e74c3df0e60325baf

                                            SHA256

                                            e80c29351b6c9c7b9368d7358b20a68868f6017d72c96fd8ee91fdd362dfb718

                                            SHA512

                                            47003fd277e5e3bd697fdef44827692e0c05b2a104e71f5f207be522b5720e56b8f56227b78c8c66e883acaa3dd155d26f66f337e0328746512976b17c369581

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                            Filesize

                                            342B

                                            MD5

                                            4f9a18b8954c0bf1e576b4c1f9d25f3e

                                            SHA1

                                            cc2a4ed1dd0d88bf3faf5e1f534209b86e863491

                                            SHA256

                                            4bed1985fa4f8054da240aa598146df0831e9543dfbaddfd02a75e5809bfabb9

                                            SHA512

                                            f4bf435134b96dea096389aafb0cfb844e5c876edd157ad0bbc31bce1cccb64f00a771fe7784263fce62be36af08a550e9eac677f8891a109797902ab939ed54

                                          • C:\Users\Admin\AppData\Local\Temp\AQ0EpYUV7r.bat

                                            Filesize

                                            238B

                                            MD5

                                            7b6363c6a658f9cb9c8bd982ea281ac1

                                            SHA1

                                            4751628536502920b4bc9b450fdcf92e0ad78c52

                                            SHA256

                                            07e1464186416ccd9d3de5af2d4b13c2da6644dd46a4c541b4cc7d0ecd349702

                                            SHA512

                                            ce9fd421d0eb6d4dafac70fda8be79bf9f199c2584728bfadeefe649745586368b17dee6e8f02af3442f128356630ac17f8e7bb8d0f2d91bc3a1df9b45cad4e2

                                          • C:\Users\Admin\AppData\Local\Temp\CabDC8.tmp

                                            Filesize

                                            70KB

                                            MD5

                                            49aebf8cbd62d92ac215b2923fb1b9f5

                                            SHA1

                                            1723be06719828dda65ad804298d0431f6aff976

                                            SHA256

                                            b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                            SHA512

                                            bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                          • C:\Users\Admin\AppData\Local\Temp\F82V1kRox2.bat

                                            Filesize

                                            238B

                                            MD5

                                            c6ab3284d8b89f8ecd237cc82145d5cd

                                            SHA1

                                            45a52cf05dcdb24a493e17b3e56210275e622522

                                            SHA256

                                            68e3eea26a5df370686d7823430fe40a8a3c81f9986f790bd38a08baafb0a764

                                            SHA512

                                            b478e1ced1f503f675eb2aad4501fe6187f17c910a90a8fc812adbf67ebbb191bd8b45c915e251556ee57fb881382e24e541762eae01fb6add3604bd88bd91aa

                                          • C:\Users\Admin\AppData\Local\Temp\GX2kvMhQbI.bat

                                            Filesize

                                            238B

                                            MD5

                                            b36998536f0a9d0a2753a03a5d7c0114

                                            SHA1

                                            9e326411aa2426171f885e332c97b48d246e39b8

                                            SHA256

                                            ef45146a1911afe4b0869baa0399dae6621603a1a4ba9bddc8247e82267bcbfb

                                            SHA512

                                            3182b86f8608fe7ec302ea28424cef1282b28a83fff9133848c41b064b98c7ca9b79badb5f79bea2f644daaddec40562fb980749511246d3ffdb2d975aa77bb6

                                          • C:\Users\Admin\AppData\Local\Temp\IVqzzTSBcr.bat

                                            Filesize

                                            238B

                                            MD5

                                            b27e6bc78ec6b07b70b4e7c3dd5d3892

                                            SHA1

                                            6281c17135cb5cb23de8eb1a68c17120b72f19a1

                                            SHA256

                                            30e16c72ba8d713f961cf092e7ebfd8fa94befbc7af37192d1f8f421826926f7

                                            SHA512

                                            f73ce6b83b882ef4d1d9058d2898c0f56fac3823ec285c97364805d30526ff491f96e64ce552ec6d12ac0d88791a085b7a73ba71857788a8a0c158e0b6d3efd9

                                          • C:\Users\Admin\AppData\Local\Temp\L59TFxmxil.bat

                                            Filesize

                                            238B

                                            MD5

                                            3b6eaabdab0d8f7d09df9b51009f528e

                                            SHA1

                                            eda6cfd9c9b8ee34bf45232fbc6af901d6a63464

                                            SHA256

                                            cad48888c2d9545b0dfe01c1c18bbaea6abf5ebd4aea37ae71f29b3f44614112

                                            SHA512

                                            d95333cea91165838e2446ceacdd1ac7bb12f6f1828052fc3976c5f425dde8310da9925cd0a7d638a4d1b1dc1f3590493d426d271a43109a47a6f570de514572

                                          • C:\Users\Admin\AppData\Local\Temp\OrAhl4fNEA.bat

                                            Filesize

                                            238B

                                            MD5

                                            c1fbf18cb868a78dd77063ab0090f560

                                            SHA1

                                            801413d7e541f69c72cee2a94f2762aba44729b5

                                            SHA256

                                            282af356dfec02877fd2c6d3fc89ef111d841e97bbaa1cc4fde23b2ca8e3347a

                                            SHA512

                                            80a4c02370a2eba2df373bcfdb34bcec0a1b58d0ba3ef92fd2a94571d0894ff8a66bf9f8891279f285837d396ae1d0b7561282035d8849cbbb45ee834542b4c5

                                          • C:\Users\Admin\AppData\Local\Temp\TarDEB.tmp

                                            Filesize

                                            181KB

                                            MD5

                                            4ea6026cf93ec6338144661bf1202cd1

                                            SHA1

                                            a1dec9044f750ad887935a01430bf49322fbdcb7

                                            SHA256

                                            8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                                            SHA512

                                            6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                          • C:\Users\Admin\AppData\Local\Temp\msQYHxuKnC.bat

                                            Filesize

                                            238B

                                            MD5

                                            94410498a238785cb97b7b6b23a16662

                                            SHA1

                                            657f06e98bdd30218b60c3e1b12e17e31ded7e10

                                            SHA256

                                            89f433d1a63699b1138cc716fa66c608294462039c41cedc7ab9597b0e0d16d5

                                            SHA512

                                            dabf5318647687c34a3b81c11542077e77dd5ca86ca3aa1c724dba614f51847cb29795631c7f3c934568894fde4721c749981d1989680c6180007c2f930c13e3

                                          • C:\Users\Admin\AppData\Local\Temp\pCY6B1XXru.bat

                                            Filesize

                                            238B

                                            MD5

                                            824f2d44577742dd20bfaeb4d6b8f288

                                            SHA1

                                            0146b6d5668ec5a5430464fb296ca65db167e7de

                                            SHA256

                                            92401afcf9860ecfd9bf6216c00575f4d4584e551a292f0d58579bf9a1c7272d

                                            SHA512

                                            64dd14e6f0ce0d5e43e78c397daf80c4965e38ec93a79e9bfc6c9f3f2f7d74490f6fcae1c6138a643620f32b845bd1ef8cb6b292617370cb932fff3304c9939f

                                          • C:\Users\Admin\AppData\Local\Temp\pksuDlslcW.bat

                                            Filesize

                                            238B

                                            MD5

                                            da6422abc06418cf12e1b62fc870bcd3

                                            SHA1

                                            c337a0fe47d8956c0fee01079cb7721ba1457c18

                                            SHA256

                                            3b8137a5cf26cbe1c328abaddf5914f07cd84d7b9e1bf68592845e29ba3f67dd

                                            SHA512

                                            8fb03d2a4dee75de2f5a07ca9fafc5a36ad1b86916c3d2c5843a52417c69562f65be22c5083cc87e7e2ca1b32c6383137560f0fac7be3f132fc8d30e1dd905cd

                                          • C:\Users\Admin\AppData\Local\Temp\rjTee716Rl.bat

                                            Filesize

                                            238B

                                            MD5

                                            f3d77612855f84f1e58adcff4d7104da

                                            SHA1

                                            09675f60999ab4b85c660202d45d75f3db64fcc6

                                            SHA256

                                            b487475bd6a84a7f8682e022849d2a76f64249640885e62592e9a34d69b35aa0

                                            SHA512

                                            e4b0e2c51f8d91ef4d01a2a18a72d4a5cad7756285e32bf7bde0e6ccbe3324b5c964878540d63938ec63adbadc16c18e3cb996879c33b555467d02b8e05a5f53

                                          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                            Filesize

                                            7KB

                                            MD5

                                            96a67736d745bb3b1e2927bb0badb7b7

                                            SHA1

                                            e1728f6710ad7ffae95f4df5ba8533cd5aca7993

                                            SHA256

                                            5bc3619b1c833c865a8106cf50d97187f63fbede4e3e20a8dbbcebf0ba42352c

                                            SHA512

                                            864e3280a1af49582a782574845233e4fd998bf4c3e01b10860f12883220620abc2e3cf51a7d91ec880b264b2f226260172886bfc006660aea41402eb0e6cb45

                                          • C:\providercommon\1zu9dW.bat

                                            Filesize

                                            36B

                                            MD5

                                            6783c3ee07c7d151ceac57f1f9c8bed7

                                            SHA1

                                            17468f98f95bf504cc1f83c49e49a78526b3ea03

                                            SHA256

                                            8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

                                            SHA512

                                            c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                          • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                            Filesize

                                            197B

                                            MD5

                                            8088241160261560a02c84025d107592

                                            SHA1

                                            083121f7027557570994c9fc211df61730455bb5

                                            SHA256

                                            2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

                                            SHA512

                                            20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                          • \providercommon\DllCommonsvc.exe

                                            Filesize

                                            1.0MB

                                            MD5

                                            bd31e94b4143c4ce49c17d3af46bcad0

                                            SHA1

                                            f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                            SHA256

                                            b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                            SHA512

                                            f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                          • memory/828-17-0x0000000000570000-0x000000000057C000-memory.dmp

                                            Filesize

                                            48KB

                                          • memory/828-16-0x0000000000260000-0x000000000026C000-memory.dmp

                                            Filesize

                                            48KB

                                          • memory/828-15-0x0000000000470000-0x000000000047C000-memory.dmp

                                            Filesize

                                            48KB

                                          • memory/828-14-0x0000000000250000-0x0000000000262000-memory.dmp

                                            Filesize

                                            72KB

                                          • memory/828-13-0x00000000000E0000-0x00000000001F0000-memory.dmp

                                            Filesize

                                            1.1MB

                                          • memory/1600-253-0x0000000000270000-0x0000000000282000-memory.dmp

                                            Filesize

                                            72KB

                                          • memory/1600-252-0x00000000000F0000-0x0000000000200000-memory.dmp

                                            Filesize

                                            1.1MB

                                          • memory/2096-314-0x0000000000340000-0x0000000000352000-memory.dmp

                                            Filesize

                                            72KB

                                          • memory/2096-313-0x0000000000ED0000-0x0000000000FE0000-memory.dmp

                                            Filesize

                                            1.1MB

                                          • memory/2148-64-0x000000001B540000-0x000000001B822000-memory.dmp

                                            Filesize

                                            2.9MB

                                          • memory/2212-375-0x0000000000260000-0x0000000000272000-memory.dmp

                                            Filesize

                                            72KB

                                          • memory/2212-374-0x0000000001390000-0x00000000014A0000-memory.dmp

                                            Filesize

                                            1.1MB

                                          • memory/2420-192-0x00000000002C0000-0x00000000002D2000-memory.dmp

                                            Filesize

                                            72KB

                                          • memory/2420-191-0x0000000001370000-0x0000000001480000-memory.dmp

                                            Filesize

                                            1.1MB

                                          • memory/2476-65-0x00000000026E0000-0x00000000026E8000-memory.dmp

                                            Filesize

                                            32KB

                                          • memory/2576-59-0x0000000000F30000-0x0000000001040000-memory.dmp

                                            Filesize

                                            1.1MB

                                          • memory/3040-553-0x00000000013D0000-0x00000000014E0000-memory.dmp

                                            Filesize

                                            1.1MB