Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags
    arch:x64 arch:x86 image:win7-20241023-en locale:en-us os:windows7-x64 system
  • submitted
    21-12-2024 19:30

General

  • Target

    JaffaCakes118_b95d1f9d25bc967f8360738896e7ec042226f03eb6291bfc0e67633099626644.exe

  • Size

    1.3MB

  • MD5

    3f77e2241cdcc58863c4f163f54e9ddc

  • SHA1

    832240f2fa8d8af926425476f4eeca78080a58b2

  • SHA256

    b95d1f9d25bc967f8360738896e7ec042226f03eb6291bfc0e67633099626644

  • SHA512

    592c9e1275d6738b6310ec1a45c1e52d04f2b7ba94ba5b66902ae2e81bcd6ad7e27dc05fcaf2d3e79b0db2e80bd6d464c0737fa0443c64452f349791171bb573

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 64 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 5 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 36 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 13 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs
  • Drops file in Program Files directory 23 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 54 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b95d1f9d25bc967f8360738896e7ec042226f03eb6291bfc0e67633099626644.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b95d1f9d25bc967f8360738896e7ec042226f03eb6291bfc0e67633099626644.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1372
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3056
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2360
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2124
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2096
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\dwm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:496
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\cmd.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1996
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office14\1033\dwm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2072
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft\Windows NT\smss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:892
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsass.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2600
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\System.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1980
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1580
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1992
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1444
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2196
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Favorites\System.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:764
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\winlogon.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2380
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2384
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Start Menu\OSPPSVC.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            PID:1212
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1860
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\S83eOrzA5b.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2924
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
              PID:2856
            • C:\providercommon\DllCommonsvc.exe
              "C:\providercommon\DllCommonsvc.exe"
              6⤵
              • Executes dropped EXE
              • Drops file in Program Files directory
              • Drops file in Windows directory
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2020
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:2736
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\winlogon.exe'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1548
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\OSPPSVC.exe'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:2040
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\sppsvc.exe'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:2392
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\audiodg.exe'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:2216
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\lsm.exe'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:320
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1304
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\WmiPrvSE.exe'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1872
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsm.exe'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:624
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\taskhost.exe'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:3036
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsm.exe'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1748
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\authman\smss.exe'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:2184
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\spoolsv.exe'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1932
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\System.exe'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:2588
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\skins\fonts\WMIADAP.exe'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1788
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\audiodg.exe'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1128
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\WMIADAP.exe'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:832
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WmiPrvSE.exe'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:2480
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\WMIADAP.exe'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:112
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:2764
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eSDKEC6Vm9.bat"
                7⤵
                PID:2148
                • C:\Windows\system32\w32tm.exe
                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                  8⤵
                  PID:2132
                • C:\providercommon\WmiPrvSE.exe
                  "C:\providercommon\WmiPrvSE.exe"
                  8⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2460
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\m47JVZSxDi.bat"
                    9⤵
                    PID:2808
                    • C:\Windows\system32\w32tm.exe
                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                      10⤵
                      PID:2924
                    • C:\providercommon\WmiPrvSE.exe
                      "C:\providercommon\WmiPrvSE.exe"
                      10⤵
                      • Executes dropped EXE
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1292
                      • C:\Windows\System32\cmd.exe
                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3B2OAH3dio.bat"
                        11⤵
                        PID:2384
                        • C:\Windows\system32\w32tm.exe
                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                          12⤵
                          PID:1560
                        • C:\providercommon\WmiPrvSE.exe
                          "C:\providercommon\WmiPrvSE.exe"
                          12⤵
                          • Executes dropped EXE
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2388
                          • C:\Windows\System32\cmd.exe
                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qKN9Q7Smhq.bat"
                            13⤵
                            PID:2696
                            • C:\Windows\system32\w32tm.exe
                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                              14⤵
                              PID:2452
                            • C:\providercommon\WmiPrvSE.exe
                              "C:\providercommon\WmiPrvSE.exe"
                              14⤵
                              • Executes dropped EXE
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              PID:3048
                              • C:\Windows\System32\cmd.exe
                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RnBkS9jGYw.bat"
                                15⤵
                                PID:2844
                                • C:\Windows\system32\w32tm.exe
                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                  16⤵
                                  PID:1712
                                • C:\providercommon\WmiPrvSE.exe
                                  "C:\providercommon\WmiPrvSE.exe"
                                  16⤵
                                  • Executes dropped EXE
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:2904
                                  • C:\Windows\System32\cmd.exe
                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lZfwAG7KGX.bat"
                                    17⤵
                                    PID:1892
                                    • C:\Windows\system32\w32tm.exe
                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                      18⤵
                                      PID:2144
                                    • C:\providercommon\WmiPrvSE.exe
                                      "C:\providercommon\WmiPrvSE.exe"
                                      18⤵
                                      • Executes dropped EXE
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:1500
                                      • C:\Windows\System32\cmd.exe
                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kUc4JDtx8N.bat"
                                        19⤵
                                        PID:1236
                                        • C:\Windows\system32\w32tm.exe
                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                          20⤵
                                          PID:3028
                                        • C:\providercommon\WmiPrvSE.exe
                                          "C:\providercommon\WmiPrvSE.exe"
                                          20⤵
                                          • Executes dropped EXE
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:2964
                                          • C:\Windows\System32\cmd.exe
                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\veDg5wW3gS.bat"
                                            21⤵
                                            PID:2816
                                            • C:\Windows\system32\w32tm.exe
                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                              22⤵
                                              PID:1220
                                            • C:\providercommon\WmiPrvSE.exe
                                              "C:\providercommon\WmiPrvSE.exe"
                                              22⤵
                                              • Executes dropped EXE
                                              • Suspicious behavior: EnumeratesProcesses
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:2196
                                              • C:\Windows\System32\cmd.exe
                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MXvuXcjR4o.bat"
                                                23⤵
                                                PID:2624
                                                • C:\Windows\system32\w32tm.exe
                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                  24⤵
                                                  PID:2884
                                                • C:\providercommon\WmiPrvSE.exe
                                                  "C:\providercommon\WmiPrvSE.exe"
                                                  24⤵
                                                  • Executes dropped EXE
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:1052
                                                  • C:\Windows\System32\cmd.exe
                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat"
                                                    25⤵
                                                    PID:1704
                                                    • C:\Windows\system32\w32tm.exe
                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                      26⤵
                                                      PID:1984
                                                    • C:\providercommon\WmiPrvSE.exe
                                                      "C:\providercommon\WmiPrvSE.exe"
                                                      26⤵
                                                      • Executes dropped EXE
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:2396
                                                      • C:\Windows\System32\cmd.exe
                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bbMo3XBCxD.bat"
                                                        27⤵
                                                        PID:2544
                                                        • C:\Windows\system32\w32tm.exe
                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                          28⤵
                                                          PID:2836
                                                        • C:\providercommon\WmiPrvSE.exe
                                                          "C:\providercommon\WmiPrvSE.exe"
                                                          28⤵
                                                          • Executes dropped EXE
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                        PID:864
                                                                                                        • C:\Windows\System32\cmd.exe
                                                                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\61cJPf1Vjg.bat"
                                                                                                          29⤵
                                                                                                            PID:2088
                                                                                                            • C:\Windows\system32\w32tm.exe
                                                                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                              30⤵
                                                                                                                PID:1760
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:2144
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:2728
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:3016
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\cmd.exe'" /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:2740
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      PID:2692
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:2752
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\Office14\1033\dwm.exe'" /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:2540
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\dwm.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:2240
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office\Office14\1033\dwm.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:1760
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Microsoft\Windows NT\smss.exe'" /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:2012
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\Windows NT\smss.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      PID:2888
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Microsoft\Windows NT\smss.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:3044
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsass.exe'" /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:1420
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      PID:2992
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:2784
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\providercommon\System.exe'" /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:1548
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:1088
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:3028
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      PID:2664
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:108
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:1456
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 12 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\DllCommonsvc.exe'" /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      PID:2524
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\DllCommonsvc.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:2572
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 14 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\DllCommonsvc.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      PID:2244
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\csrss.exe'" /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      PID:2644
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\csrss.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:1920
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\csrss.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:2284
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 11 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\DllCommonsvc.exe'" /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      PID:1852
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\DllCommonsvc.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:2556
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\DllCommonsvc.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:2588
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Favorites\System.exe'" /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:664
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default\Favorites\System.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      PID:832
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Favorites\System.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      PID:2044
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\winlogon.exe'" /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:2020
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\winlogon.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      PID:2288
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\winlogon.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      PID:1292
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:2268
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:1900
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:1708
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Start Menu\OSPPSVC.exe'" /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      PID:932
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Admin\Start Menu\OSPPSVC.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      PID:2480
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Start Menu\OSPPSVC.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      PID:2300
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Common Files\csrss.exe'" /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:3064
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Common Files\csrss.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:556
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Common Files\csrss.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:2348
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\winlogon.exe'" /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:2560
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\winlogon.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      PID:1360
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\winlogon.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:2288
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\OSPPSVC.exe'" /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:1448
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Default User\OSPPSVC.exe'" /rl HIGHEST /f
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:1856
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\OSPPSVC.exe'" /rl HIGHEST /f
  • Process spawned unexpected child process
  PID:1292
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\sppsvc.exe'" /f
  • Process spawned unexpected child process
  PID:1788
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:1708
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:3060
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\audiodg.exe'" /f
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:2292
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\audiodg.exe'" /rl HIGHEST /f
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:1432
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\audiodg.exe'" /rl HIGHEST /f
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:1516
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\lsm.exe'" /f
  • Process spawned unexpected child process
  PID:2500
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Default User\lsm.exe'" /rl HIGHEST /f
  • Process spawned unexpected child process
  PID:2728
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\lsm.exe'" /rl HIGHEST /f
  • Process spawned unexpected child process
  PID:2892
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\providercommon\csrss.exe'" /f
  • Process spawned unexpected child process
  PID:2524
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:2416
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:2956
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Program Files\7-Zip\Lang\WmiPrvSE.exe'" /f
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:2752
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\WmiPrvSE.exe'" /rl HIGHEST /f
  • Scheduled Task/Job: Scheduled Task
  PID:2072
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files\7-Zip\Lang\WmiPrvSE.exe'" /rl HIGHEST /f
  PID:2488
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsm.exe'" /f
  • Scheduled Task/Job: Scheduled Task
  PID:3012
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsm.exe'" /rl HIGHEST /f
  • Scheduled Task/Job: Scheduled Task
  PID:884
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsm.exe'" /rl HIGHEST /f
  • Scheduled Task/Job: Scheduled Task
  PID:3040
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\taskhost.exe'" /f
  • Scheduled Task/Job: Scheduled Task
  PID:3020
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\taskhost.exe'" /rl HIGHEST /f
  PID:2780
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\taskhost.exe'" /rl HIGHEST /f
  • Scheduled Task/Job: Scheduled Task
  PID:1600
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsm.exe'" /f
  PID:1720
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
  PID:2888
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
  PID:864
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Windows\Microsoft.NET\authman\smss.exe'" /f
  PID:2400
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\authman\smss.exe'" /rl HIGHEST /f
  PID:1984
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Windows\Microsoft.NET\authman\smss.exe'" /rl HIGHEST /f
  PID:2388
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\spoolsv.exe'" /f
  PID:2824
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\spoolsv.exe'" /rl HIGHEST /f
  PID:2908
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\spoolsv.exe'" /rl HIGHEST /f
  • Scheduled Task/Job: Scheduled Task
  PID:2876
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\System.exe'" /f
  • Scheduled Task/Job: Scheduled Task
  PID:2912
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\System.exe'" /rl HIGHEST /f
  • Scheduled Task/Job: Scheduled Task
  PID:444
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\System.exe'" /rl HIGHEST /f
  PID:788
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 6 /tr "'C:\Program Files\VideoLAN\VLC\skins\fonts\WMIADAP.exe'" /f
  • Scheduled Task/Job: Scheduled Task
  PID:2860
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\skins\fonts\WMIADAP.exe'" /rl HIGHEST /f
  • Scheduled Task/Job: Scheduled Task
  PID:1980
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 7 /tr "'C:\Program Files\VideoLAN\VLC\skins\fonts\WMIADAP.exe'" /rl HIGHEST /f
  • Scheduled Task/Job: Scheduled Task
  PID:1220
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\providercommon\audiodg.exe'" /f
  PID:2244
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f
  • Scheduled Task/Job: Scheduled Task
  PID:1528
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f
  PID:1576
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\WMIADAP.exe'" /f
  PID:1320
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Users\Default User\WMIADAP.exe'" /rl HIGHEST /f
  • Scheduled Task/Job: Scheduled Task
  PID:2136
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\WMIADAP.exe'" /rl HIGHEST /f
  • Scheduled Task/Job: Scheduled Task
  PID:912
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\providercommon\WmiPrvSE.exe'" /f
  • Scheduled Task/Job: Scheduled Task
  PID:1920
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
  • Scheduled Task/Job: Scheduled Task
  PID:700
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
  PID:2900
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\WMIADAP.exe'" /f
  • Scheduled Task/Job: Scheduled Task
  PID:1860
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\WMIADAP.exe'" /rl HIGHEST /f
  • Scheduled Task/Job: Scheduled Task
  PID:2276
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\WMIADAP.exe'" /rl HIGHEST /f
  • Scheduled Task/Job: Scheduled Task
  PID:2168
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /f
  • Scheduled Task/Job: Scheduled Task
  PID:2732
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
  • Scheduled Task/Job: Scheduled Task
  PID:2220
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
  PID:1544

Network

MITRE ATT&CK Enterprise v15

Downloads

• C:\Program Files (x86)\Windows Portable Devices\886983d96e3d3e
  Filesize: 136B

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B

                                                                                      MD5

                                                                                      dc552dac5621604a404e7f8c064c451a

                                                                                      SHA1

                                                                                      481975bedc77a018d3c0b2302a179472db0ae59e

                                                                                      SHA256

                                                                                      2d40d3985c1f3928977e24a44fbc60108b1069a08df5008d7746d451575af712

                                                                                      SHA512

                                                                                      898b7e1bd4b907ab8a90239710be51c37fd679cfef1d4380e1a5073f75de7200690ad6535e0b3527a055e380c519665606bbf054811560b244336fbaf9da196b

                                                                                    • C:\Users\Admin\AppData\Local\Temp\3B2OAH3dio.bat

                                                                                      Filesize

                                                                                      195B

                                                                                      MD5

                                                                                      68e5356d3a1928302d1e413eee8e6a55

                                                                                      SHA1

                                                                                      b73697f7b0b297e23d02b150174783535b31d596

                                                                                      SHA256

                                                                                      d296baa01e4d64148614655679348b76f896754b618baff7c2aec3cb29bafb70

                                                                                      SHA512

                                                                                      f031b13249a0d2d9992f29b1e33d54942b8aa28d0bfd2b603bc2fd860d5b47be02580c612e7a262c20112575dfc986634fec1adf8dc1fa2f650100563fe3f4ae

                                                                                    • C:\Users\Admin\AppData\Local\Temp\CabDE8.tmp

                                                                                      Filesize

                                                                                      70KB

                                                                                      MD5

                                                                                      49aebf8cbd62d92ac215b2923fb1b9f5

                                                                                      SHA1

                                                                                      1723be06719828dda65ad804298d0431f6aff976

                                                                                      SHA256

                                                                                      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                                                                      SHA512

                                                                                      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                                                                    • C:\Users\Admin\AppData\Local\Temp\RnBkS9jGYw.bat

                                                                                      Filesize

                                                                                      195B

                                                                                      MD5

                                                                                      ca47d17d25a15eb609cb706c8cbe9293

                                                                                      SHA1

                                                                                      1a11a5862803119dfadec63a234dc6a2061552cc

                                                                                      SHA256

                                                                                      03d14de990214f2ac6c7d5bb02504dd18721e6b03a01b2bddbb9f3977efbeb11

                                                                                      SHA512

                                                                                      98c0d9aa7940d25d0dccd15c472f68d4279d3dd7d35a9caa43f584bf88e2308ff963d7b68001d8d91201b2d9dcbbea8738e9654aeb524b3721f32798388e6dd7

                                                                                    • C:\Users\Admin\AppData\Local\Temp\S83eOrzA5b.bat

                                                                                      Filesize

                                                                                      199B

                                                                                      MD5

                                                                                      213ce7a4f7bd85fb8527696b55e8bdf4

                                                                                      SHA1

                                                                                      6b8180c9e1fe595a85ce81617722f542ff28e6a8

                                                                                      SHA256

                                                                                      5e4bbb05f2e12ec2efe52138ed8f7c5c4919beff5772966920f0db2747dbaece

                                                                                      SHA512

                                                                                      e1c9480778b1115475945222af05acee4c1c805c5e481d974af8e2839bdbc9b071fa1d5b9c1ae9173319ec8047b255df8f4bac6641ed9154ef5f10f3b4c41775

                                                                                    • C:\Users\Admin\AppData\Local\Temp\TarE0A.tmp

                                                                                      Filesize

                                                                                      181KB

                                                                                      MD5

                                                                                      4ea6026cf93ec6338144661bf1202cd1

                                                                                      SHA1

                                                                                      a1dec9044f750ad887935a01430bf49322fbdcb7

                                                                                      SHA256

                                                                                      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                                                                                      SHA512

                                                                                      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                                                                    • C:\Users\Admin\AppData\Local\Temp\eSDKEC6Vm9.bat

                                                                                      Filesize

                                                                                      195B

                                                                                      MD5

                                                                                      7d4a7dca1daa17ff2f1260a8d415fec5

                                                                                      SHA1

                                                                                      44924532df4114bbfa46d1f5ee3de6872bba924a

                                                                                      SHA256

                                                                                      4edfb016487f8abaaafc399ebf4c77534f2f22bc12ed94cb5f1be5d9f407c933

                                                                                      SHA512

                                                                                      6b73f1f56698186c2fba4d6ca826426b6b360853bb51086774da757172b56c21c0e0d87b9450b5a2eadcb457549333bc2128803c6e468a029ce5d71bcfdfc443

                                                                                    • C:\Users\Admin\AppData\Local\Temp\kUc4JDtx8N.bat

                                                                                      Filesize

                                                                                      195B

                                                                                      MD5

                                                                                      8f07a64f736efb2d9f6c517738cc89a3

                                                                                      SHA1

                                                                                      0f05a914395e2f407a80f6287e9926d8c61af675

                                                                                      SHA256

                                                                                      7a6df224d8afacbf19ec63a7e440f318df79f61c0b8f3657d5cb594124ceadca

                                                                                      SHA512

                                                                                      9ec35007c726eed03d63016021b82d89d0226b38f14d5a093e045bcf17e7ac8313d21a3f5262b1303aa50d2e101cb2996efd8a6652e761fd88c56414fc6e4ddf

                                                                                    • C:\Users\Admin\AppData\Local\Temp\lZfwAG7KGX.bat

                                                                                      Filesize

                                                                                      195B

                                                                                      MD5

                                                                                      ded2b3b98279d5553179ea244a39c50a

                                                                                      SHA1

                                                                                      f8a08a2612782637139001f21b73833593b1ed04

                                                                                      SHA256

                                                                                      b090641d52d9ba0ab03efbd1e2fd71d5d91a784e2875c728f035f01d9f58ed20

                                                                                      SHA512

                                                                                      c6327dbb6339ca03d8c7abe1ef32f8c96328fe9097204abab79cbb05282ad555d22dd7fc0210333ee3e747db7a48f6c31af358899c5b43c6e1a4b12dbbc6071a

                                                                                    • C:\Users\Admin\AppData\Local\Temp\m47JVZSxDi.bat

                                                                                      Filesize

                                                                                      195B

                                                                                      MD5

                                                                                      7ee5d9b01b2862c481d0d2fea879c0ae

                                                                                      SHA1

                                                                                      189a4e7f82ac78623aa67d4e730d67fef12c0335

                                                                                      SHA256

                                                                                      afc9fe8e66e563d96847dcc07af0a4aa9a7c285ef832155ba38667f08b2133f9

                                                                                      SHA512

                                                                                      cb1197d96b104ea1a10c5311b8d048dba225b9ca4aed698f3d8433ad097dae22c8b3a24aa226921570fb513e1f1a8b5651df55686a4820d3680bce50944dc057

                                                                                    • C:\Users\Admin\AppData\Local\Temp\qKN9Q7Smhq.bat

                                                                                      Filesize

                                                                                      195B

                                                                                      MD5

                                                                                      a06cb7f6a740e70f499e86605813df77

                                                                                      SHA1

                                                                                      0d5ec50d49fcf1553cba85eacc71929809af919e

                                                                                      SHA256

                                                                                      fbb3785f79f98962fcd090c090921df91f7455a4e2a548dd45962e32b4c1a6ad

                                                                                      SHA512

                                                                                      a91efb8c78bdc059a6a88ec4704157fd91e2cb5f9ff26f696686753a96312e2a2b863df75ec898321d23f1721d181d4b9290cfcfeef92de809e19f9b3f1054a7

                                                                                    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                                                                      Filesize

                                                                                      7KB

                                                                                      MD5

                                                                                      bae60e69dd0e3dfbc9ff74ccdaebc845

                                                                                      SHA1

                                                                                      e63309b1dbcde0b6f71e7b1250ddfb122f90d4f6

                                                                                      SHA256

                                                                                      f36a25fe8d4a419fb79411bdf77a3aa34640b3d927dfa43ee9435c3e7c7ac45c

                                                                                      SHA512

                                                                                      f16008c1a32b4ca4235ac4e63e8da84a755b5d174ccc68519ad9074878cbddc092542cdb2337a3e45837d4f9e3175299f450f363727a0679cb51da8d4a9d298b

                                                                                    • C:\providercommon\1zu9dW.bat

                                                                                      Filesize

                                                                                      36B

                                                                                      MD5

                                                                                      6783c3ee07c7d151ceac57f1f9c8bed7

                                                                                      SHA1

                                                                                      17468f98f95bf504cc1f83c49e49a78526b3ea03

                                                                                      SHA256

                                                                                      8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

                                                                                      SHA512

                                                                                      c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                                                                    • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                                                                      Filesize

                                                                                      197B

                                                                                      MD5

                                                                                      8088241160261560a02c84025d107592

                                                                                      SHA1

                                                                                      083121f7027557570994c9fc211df61730455bb5

                                                                                      SHA256

                                                                                      2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

                                                                                      SHA512

                                                                                      20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                                                                    • \providercommon\DllCommonsvc.exe

                                                                                      Filesize

                                                                                      1.0MB

                                                                                      MD5

                                                                                      bd31e94b4143c4ce49c17d3af46bcad0

                                                                                      SHA1

                                                                                      f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                                                                      SHA256

                                                                                      b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                                                                      SHA512

                                                                                      f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                                                                    • memory/864-855-0x00000000013C0000-0x00000000014D0000-memory.dmp

                                                                                      Filesize

                                                                                      1.1MB

                                                                                    • memory/1292-334-0x00000000013B0000-0x00000000014C0000-memory.dmp

                                                                                      Filesize

                                                                                      1.1MB

                                                                                    • memory/1548-180-0x0000000001E60000-0x0000000001E68000-memory.dmp

                                                                                      Filesize

                                                                                      32KB

                                                                                    • memory/1580-67-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

                                                                                      Filesize

                                                                                      2.9MB

                                                                                    • memory/1580-68-0x0000000001EB0000-0x0000000001EB8000-memory.dmp

                                                                                      Filesize

                                                                                      32KB

                                                                                    • memory/2020-124-0x0000000000150000-0x0000000000162000-memory.dmp

                                                                                      Filesize

                                                                                      72KB

                                                                                    • memory/2124-17-0x00000000005C0000-0x00000000005CC000-memory.dmp

                                                                                      Filesize

                                                                                      48KB

                                                                                    • memory/2124-16-0x0000000000560000-0x000000000056C000-memory.dmp

                                                                                      Filesize

                                                                                      48KB

                                                                                    • memory/2124-15-0x0000000000550000-0x000000000055C000-memory.dmp

                                                                                      Filesize

                                                                                      48KB

                                                                                    • memory/2124-14-0x0000000000430000-0x0000000000442000-memory.dmp

                                                                                      Filesize

                                                                                      72KB

                                                                                    • memory/2124-13-0x0000000000F80000-0x0000000001090000-memory.dmp

                                                                                      Filesize

                                                                                      1.1MB

                                                                                    • memory/2460-275-0x0000000001350000-0x0000000001460000-memory.dmp

                                                                                      Filesize

                                                                                      1.1MB

                                                                                    • memory/2736-179-0x000000001B670000-0x000000001B952000-memory.dmp

                                                                                      Filesize

                                                                                      2.9MB

                                                                                    • memory/3048-453-0x0000000000340000-0x0000000000352000-memory.dmp

                                                                                      Filesize

                                                                                      72KB