Analysis

  • max time kernel
    143s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21-12-2024 19:01

General

  • Target

    JaffaCakes118_bc87c6a24478eb41c11dec572df0caf3f0248fb74c48cd4c9326afd7a9e71389.exe

  • Size

    1.3MB

  • MD5

    ed531ca4591367805def6b98dd6d3e95

  • SHA1

    c854da71a1f5d77c00188e84b2bacb5245d3a11e

  • SHA256

    bc87c6a24478eb41c11dec572df0caf3f0248fb74c48cd4c9326afd7a9e71389

  • SHA512

    4b718fcf912211419418ede8aedd03fc5ea8a2118141dfc92d96c28096d013faf0f809888af25c1ef204cb6f44b06ca449ff10febe41078e5c3e2ad1605dd534

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal (DCRat) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 64 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 28 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 18 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 17 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 16 IoCs
  • Drops file in Program Files directory 17 IoCs
  • Drops file in Windows directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 17 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 44 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bc87c6a24478eb41c11dec572df0caf3f0248fb74c48cd4c9326afd7a9e71389.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bc87c6a24478eb41c11dec572df0caf3f0248fb74c48cd4c9326afd7a9e71389.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1268
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4992
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4012
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2060
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4820
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sysmon.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4620
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Multimedia Platform\StartMenuExperienceHost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:5108
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\Shared Gadgets\conhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4936
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\smss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2324
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Update\Install\{AFD1DC19-D740-4861-ADFA-3BC6A9F6A223}\lsass.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3300
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3224
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\spoolsv.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3376
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\unsecapp.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1740
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\upfc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3556
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\StartMenuExperienceHost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3200
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Media\Savanna\dllhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1680
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\spoolsv.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4164
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nFSZlC6Oy0.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1812
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:4644
              • C:\providercommon\DllCommonsvc.exe
                "C:\providercommon\DllCommonsvc.exe"
                6⤵
                • Checks computer location settings
                • Executes dropped EXE
                • Drops file in Program Files directory
                • Drops file in Windows directory
                • Modifies registry class
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2672
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1900
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\upfc.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2356
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Multimedia Platform\spoolsv.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4760
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dwm.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  PID:3408
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\en-US\Idle.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious use of AdjustPrivilegeToken
                  PID:836
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\System.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4408
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WmiPrvSE.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2040
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\wininit.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3096
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\en-US\wininit.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious use of AdjustPrivilegeToken
                  PID:5012
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\fontdrvhost.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1268
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\Registry.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2336
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SystemResources\ShellComponents.DragDrop\pris\DllCommonsvc.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4276
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\WaaSMedicAgent.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2600
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\taskhostw.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious use of AdjustPrivilegeToken
                  PID:5016
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\lsass.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious use of AdjustPrivilegeToken
                  PID:684
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UVwmmpoYNR.bat"
                  7⤵
                    PID:1528
                    • C:\Windows\system32\w32tm.exe
                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                      8⤵
                        PID:32
                      • C:\Program Files (x86)\Windows Multimedia Platform\spoolsv.exe
                        "C:\Program Files (x86)\Windows Multimedia Platform\spoolsv.exe"
                        8⤵
                        • Checks computer location settings
                        • Executes dropped EXE
                        • Modifies registry class
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2560
                        • C:\Windows\System32\cmd.exe
                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\p5ITN63wlJ.bat"
                          9⤵
                            PID:4952
                            • C:\Windows\system32\w32tm.exe
                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                              10⤵
                                PID:1300
                              • C:\Program Files (x86)\Windows Multimedia Platform\spoolsv.exe
                                "C:\Program Files (x86)\Windows Multimedia Platform\spoolsv.exe"
                                10⤵
                                • Checks computer location settings
                                • Executes dropped EXE
                                • Modifies registry class
                                • Suspicious use of AdjustPrivilegeToken
                                PID:3740
                                • C:\Windows\System32\cmd.exe
                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wtOcRLEbie.bat"
                                  11⤵
                                    PID:3252
                                    • C:\Windows\system32\w32tm.exe
                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                      12⤵
                                        PID:4684
                                      • C:\Program Files (x86)\Windows Multimedia Platform\spoolsv.exe
                                        "C:\Program Files (x86)\Windows Multimedia Platform\spoolsv.exe"
                                        12⤵
                                        • Checks computer location settings
                                        • Executes dropped EXE
                                        • Modifies registry class
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:924
                                        • C:\Windows\System32\cmd.exe
                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PX74P8KQcP.bat"
                                          13⤵
                                            PID:432
                                            • C:\Windows\system32\w32tm.exe
                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                              14⤵
                                                PID:4164
                                              • C:\Program Files (x86)\Windows Multimedia Platform\spoolsv.exe
                                                "C:\Program Files (x86)\Windows Multimedia Platform\spoolsv.exe"
                                                14⤵
                                                • Checks computer location settings
                                                • Executes dropped EXE
                                                • Modifies registry class
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:1152
                                                • C:\Windows\System32\cmd.exe
                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4rzlnKig63.bat"
                                                  15⤵
                                                    PID:2200
                                                    • C:\Windows\system32\w32tm.exe
                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                      16⤵
                                                        PID:2216
                                                      • C:\Program Files (x86)\Windows Multimedia Platform\spoolsv.exe
                                                        "C:\Program Files (x86)\Windows Multimedia Platform\spoolsv.exe"
                                                        16⤵
                                                        • Checks computer location settings
                                                        • Executes dropped EXE
                                                        • Modifies registry class
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:4572
                                                        • C:\Windows\System32\cmd.exe
                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ounU5LkXKE.bat"
                                                          17⤵
                                                            PID:3972
                                                            • C:\Windows\system32\w32tm.exe
                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                              18⤵
                                                                PID:1604
                                                              • C:\Program Files (x86)\Windows Multimedia Platform\spoolsv.exe
                                                                "C:\Program Files (x86)\Windows Multimedia Platform\spoolsv.exe"
                                                                18⤵
                                                                • Checks computer location settings
                                                                • Executes dropped EXE
                                                                • Modifies registry class
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:2612
                                                                • C:\Windows\System32\cmd.exe
                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\c38FLB8gIG.bat"
                                                                  19⤵
                                                                    PID:5072
                                                                    • C:\Windows\system32\w32tm.exe
                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                      20⤵
                                                                        PID:1920
                                                                      • C:\Program Files (x86)\Windows Multimedia Platform\spoolsv.exe
                                                                        "C:\Program Files (x86)\Windows Multimedia Platform\spoolsv.exe"
                                                                        20⤵
                                                                        • Checks computer location settings
                                                                        • Executes dropped EXE
                                                                        • Modifies registry class
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        PID:1536
                                                                        • C:\Windows\System32\cmd.exe
                                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5irhJyFUC1.bat"
                                                                          21⤵
                                                                            PID:2428
                                                                            • C:\Windows\system32\w32tm.exe
                                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                              22⤵
                                                                                PID:3724
                                                                              • C:\Program Files (x86)\Windows Multimedia Platform\spoolsv.exe
                                                                                "C:\Program Files (x86)\Windows Multimedia Platform\spoolsv.exe"
                                                                                22⤵
                                                                                • Checks computer location settings
                                                                                • Executes dropped EXE
                                                                                • Modifies registry class
                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                PID:2900
                                                                                • C:\Windows\System32\cmd.exe
                                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aJcBxrOCPY.bat"
                                                                                  23⤵
                                                                                    PID:2912
                                                                                    • C:\Windows\system32\w32tm.exe
                                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                      24⤵
                                                                                        PID:4640
                                                                                      • C:\Program Files (x86)\Windows Multimedia Platform\spoolsv.exe
                                                                                        "C:\Program Files (x86)\Windows Multimedia Platform\spoolsv.exe"
                                                                                        24⤵
                                                                                        • Checks computer location settings
                                                                                        • Executes dropped EXE
                                                                                        • Modifies registry class
                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                        PID:3584
                                                                                        • C:\Windows\System32\cmd.exe
                                                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VG36Hwy0Lv.bat"
                                                                                          25⤵
                                                                                            PID:1808
                                                                                            • C:\Windows\system32\w32tm.exe
                                                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                              26⤵
                                                                                                PID:3536
                                                                                              • C:\Program Files (x86)\Windows Multimedia Platform\spoolsv.exe
                                                                                                "C:\Program Files (x86)\Windows Multimedia Platform\spoolsv.exe"
                                                                                                26⤵
                                                                                                • Checks computer location settings
                                                                                                • Executes dropped EXE
                                                                                                • Modifies registry class
                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                PID:1008
                                                                                                • C:\Windows\System32\cmd.exe
                                                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Lg3y2yDdyq.bat"
                                                                                                  27⤵
                                                                                                    PID:2652
                                                                                                    • C:\Windows\system32\w32tm.exe
                                                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                      28⤵
                                                                                                        PID:5100
                                                                                                      • C:\Program Files (x86)\Windows Multimedia Platform\spoolsv.exe
                                                                                                        "C:\Program Files (x86)\Windows Multimedia Platform\spoolsv.exe"
                                                                                                        28⤵
                                                                                                        • Checks computer location settings
                                                                                                        • Executes dropped EXE
                                                                                                        • Modifies registry class
                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                        PID:3572
                                                                                                        • C:\Windows\System32\cmd.exe
                                                                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mylROGge0S.bat"
                                                                                                          29⤵
                                                                                                            PID:4484
                                                                                                            • C:\Windows\system32\w32tm.exe
                                                                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                              30⤵
                                                                                                                PID:2384
                                                                                                              • C:\Program Files (x86)\Windows Multimedia Platform\spoolsv.exe
                                                                                                                "C:\Program Files (x86)\Windows Multimedia Platform\spoolsv.exe"
                                                                                                                30⤵
                                                                                                                • Checks computer location settings
                                                                                                                • Executes dropped EXE
                                                                                                                • Modifies registry class
                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                PID:2992
                                                                                                                • C:\Windows\System32\cmd.exe
                                                                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xkGYwzkQoc.bat"
                                                                                                                  31⤵
                                                                                                                    PID:4876
                                                                                                                    • C:\Windows\system32\w32tm.exe
                                                                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                                      32⤵
                                                                                                                        PID:3168
                                                                                                                      • C:\Program Files (x86)\Windows Multimedia Platform\spoolsv.exe
                                                                                                                        "C:\Program Files (x86)\Windows Multimedia Platform\spoolsv.exe"
                                                                                                                        32⤵
                                                                                                                        • Checks computer location settings
                                                                                                                        • Executes dropped EXE
                                                                                                                        • Modifies registry class
                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                        PID:408
                                                                                                                        • C:\Windows\System32\cmd.exe
                                                                                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ST975DOJvB.bat"
                                                                                                                          33⤵
                                                                                                                            PID:1724
                                                                                                                            • C:\Windows\system32\w32tm.exe
                                                                                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                                              34⤵
                                                                                                                                PID:1732
                                                                                                                              • C:\Program Files (x86)\Windows Multimedia Platform\spoolsv.exe
                                                                                                                                "C:\Program Files (x86)\Windows Multimedia Platform\spoolsv.exe"
                                                                                                                                34⤵
                                                                                                                                • Checks computer location settings
                                                                                                                                • Executes dropped EXE
                                                                                                                                • Modifies registry class
                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                PID:5024
                                                                                                                                • C:\Windows\System32\cmd.exe
                                                                                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4rzlnKig63.bat"
                                                                                                                                  35⤵
                                                                                                                                    PID:2624
                                                                                                                                    • C:\Windows\system32\w32tm.exe
                                                                                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                                                      36⤵
                                                                                                                                        PID:4220
                                                                                                                                      • C:\Program Files (x86)\Windows Multimedia Platform\spoolsv.exe
                                                                                                                                        "C:\Program Files (x86)\Windows Multimedia Platform\spoolsv.exe"
                                                                                                                                        36⤵
                                                                                                                                        • Executes dropped EXE
                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                        PID:4760
                                                                • C:\Windows\system32\schtasks.exe
                                                                  schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\providercommon\sysmon.exe'" /f
                                                                  1⤵
                                                                  • Process spawned unexpected child process
                                                                  • Scheduled Task/Job: Scheduled Task
                                                                  PID:4748
                                                                • C:\Windows\system32\schtasks.exe
                                                                  schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\providercommon\sysmon.exe'" /rl HIGHEST /f
                                                                  1⤵
                                                                  • Process spawned unexpected child process
                                                                  PID:5016
                                                                • C:\Windows\system32\schtasks.exe
                                                                  schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\providercommon\sysmon.exe'" /rl HIGHEST /f
                                                                  1⤵
                                                                  • Process spawned unexpected child process
                                                                  • Scheduled Task/Job: Scheduled Task
                                                                  PID:4884
                                                                • C:\Windows\system32\schtasks.exe
                                                                  schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Multimedia Platform\StartMenuExperienceHost.exe'" /f
                                                                  1⤵
                                                                  • Process spawned unexpected child process
                                                                  PID:1388
                                                                • C:\Windows\system32\schtasks.exe
                                                                  schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\StartMenuExperienceHost.exe'" /rl HIGHEST /f
                                                                  1⤵
                                                                  • Process spawned unexpected child process
                                                                  • Scheduled Task/Job: Scheduled Task
                                                                  PID:4568
                                                                • C:\Windows\system32\schtasks.exe
                                                                  schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Multimedia Platform\StartMenuExperienceHost.exe'" /rl HIGHEST /f
                                                                  1⤵
                                                                  • Process spawned unexpected child process
                                                                  • Scheduled Task/Job: Scheduled Task
                                                                  PID:2192
                                                                • C:\Windows\system32\schtasks.exe
                                                                  schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\conhost.exe'" /f
                                                                  1⤵
                                                                  • Process spawned unexpected child process
                                                                  • Scheduled Task/Job: Scheduled Task
                                                                  PID:1624
                                                                • C:\Windows\system32\schtasks.exe
                                                                  schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\conhost.exe'" /rl HIGHEST /f
                                                                  1⤵
                                                                  • Process spawned unexpected child process
                                                                  • Scheduled Task/Job: Scheduled Task
                                                                  PID:2232
                                                                • C:\Windows\system32\schtasks.exe
                                                                  schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\conhost.exe'" /rl HIGHEST /f
                                                                  1⤵
                                                                  • Process spawned unexpected child process
                                                                  • Scheduled Task/Job: Scheduled Task
                                                                  PID:4612
                                                                • C:\Windows\system32\schtasks.exe
                                                                  schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\smss.exe'" /f
                                                                  1⤵
                                                                  • Process spawned unexpected child process
                                                                  • Scheduled Task/Job: Scheduled Task
                                                                  PID:4488
                                                                • C:\Windows\system32\schtasks.exe
                                                                  schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
                                                                  1⤵
                                                                  • Process spawned unexpected child process
                                                                  PID:5068
                                                                • C:\Windows\system32\schtasks.exe
                                                                  schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
                                                                  1⤵
                                                                  • Process spawned unexpected child process
                                                                  • Scheduled Task/Job: Scheduled Task
                                                                  PID:4824
                                                                • C:\Windows\system32\schtasks.exe
                                                                  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Google\Update\Install\{AFD1DC19-D740-4861-ADFA-3BC6A9F6A223}\lsass.exe'" /f
                                                                  1⤵
                                                                  • Process spawned unexpected child process
                                                                  • Scheduled Task/Job: Scheduled Task
                                                                  PID:1808
                                                                • C:\Windows\system32\schtasks.exe
                                                                  schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\Install\{AFD1DC19-D740-4861-ADFA-3BC6A9F6A223}\lsass.exe'" /rl HIGHEST /f
                                                                  1⤵
                                                                  • Process spawned unexpected child process
                                                                  • Scheduled Task/Job: Scheduled Task
                                                                  PID:1604
                                                                • C:\Windows\system32\schtasks.exe
                                                                  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Google\Update\Install\{AFD1DC19-D740-4861-ADFA-3BC6A9F6A223}\lsass.exe'" /rl HIGHEST /f
                                                                  1⤵
                                                                  • Process spawned unexpected child process
                                                                  PID:2688
                                                                • C:\Windows\system32\schtasks.exe
                                                                  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
                                                                  1⤵
                                                                  • Process spawned unexpected child process
                                                                  • Scheduled Task/Job: Scheduled Task
                                                                  PID:1148
                                                                • C:\Windows\system32\schtasks.exe
                                                                  schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
                                                                  1⤵
                                                                  • Process spawned unexpected child process
                                                                  PID:2968
                                                                • C:\Windows\system32\schtasks.exe
                                                                  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
                                                                  1⤵
                                                                  • Process spawned unexpected child process
                                                                  • Scheduled Task/Job: Scheduled Task
                                                                  PID:4500
                                                                • C:\Windows\system32\schtasks.exe
                                                                  schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Documents\spoolsv.exe'" /f
                                                                  1⤵
                                                                  • Process spawned unexpected child process
                                                                  • Scheduled Task/Job: Scheduled Task
                                                                  PID:2556
                                                                • C:\Windows\system32\schtasks.exe
                                                                  schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Public\Documents\spoolsv.exe'" /rl HIGHEST /f
                                                                  1⤵
                                                                  • Process spawned unexpected child process
                                                                  • Scheduled Task/Job: Scheduled Task
                                                                  PID:1392
                                                                • C:\Windows\system32\schtasks.exe
                                                                  schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Documents\spoolsv.exe'" /rl HIGHEST /f
                                                                  1⤵
                                                                  • Process spawned unexpected child process
                                                                  • Scheduled Task/Job: Scheduled Task
                                                                  PID:64
                                                                • C:\Windows\system32\schtasks.exe
                                                                  schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Program Files\Uninstall Information\unsecapp.exe'" /f
                                                                  1⤵
                                                                  • Process spawned unexpected child process
                                                                  • Scheduled Task/Job: Scheduled Task
                                                                  PID:3764
                                                                • C:\Windows\system32\schtasks.exe
                                                                  schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\unsecapp.exe'" /rl HIGHEST /f
                                                                  1⤵
                                                                  • Process spawned unexpected child process
                                                                  PID:1032
                                                                • C:\Windows\system32\schtasks.exe
                                                                  schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Program Files\Uninstall Information\unsecapp.exe'" /rl HIGHEST /f
                                                                  1⤵
                                                                  • Process spawned unexpected child process
                                                                  • Scheduled Task/Job: Scheduled Task
                                                                  PID:1780
                                                                • C:\Windows\system32\schtasks.exe
                                                                  schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f
                                                                  1⤵
                                                                  • Process spawned unexpected child process
                                                                  PID:1824
                                                                • C:\Windows\system32\schtasks.exe
                                                                  schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
                                                                  1⤵
                                                                  • Process spawned unexpected child process
                                                                  • Scheduled Task/Job: Scheduled Task
                                                                  PID:1676
                                                                • C:\Windows\system32\schtasks.exe
                                                                  schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
                                                                  1⤵
                                                                  • Process spawned unexpected child process
                                                                  • Scheduled Task/Job: Scheduled Task
                                                                  PID:4656
                                                                • C:\Windows\system32\schtasks.exe
                                                                  schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\StartMenuExperienceHost.exe'" /f
                                                                  1⤵
                                                                  • Process spawned unexpected child process
                                                                  • Scheduled Task/Job: Scheduled Task
                                                                  PID:3164
                                                                • C:\Windows\system32\schtasks.exe
                                                                  schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Default User\StartMenuExperienceHost.exe'" /rl HIGHEST /f
                                                                  1⤵
                                                                  • Process spawned unexpected child process
                                                                  • Scheduled Task/Job: Scheduled Task
                                                                  PID:1144
                                                                • C:\Windows\system32\schtasks.exe
                                                                  schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\StartMenuExperienceHost.exe'" /rl HIGHEST /f
                                                                  1⤵
                                                                  • Process spawned unexpected child process
                                                                  • Scheduled Task/Job: Scheduled Task
                                                                  PID:2952
                                                                • C:\Windows\system32\schtasks.exe
                                                                  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Windows\Media\Savanna\dllhost.exe'" /f
                                                                  1⤵
                                                                  • Process spawned unexpected child process
                                                                  • Scheduled Task/Job: Scheduled Task
                                                                  PID:3160
                                                                • C:\Windows\system32\schtasks.exe
                                                                  schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Media\Savanna\dllhost.exe'" /rl HIGHEST /f
                                                                  1⤵
                                                                  • Process spawned unexpected child process
                                                                  PID:2928
                                                                • C:\Windows\system32\schtasks.exe
                                                                  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\Media\Savanna\dllhost.exe'" /rl HIGHEST /f
                                                                  1⤵
                                                                  • Process spawned unexpected child process
                                                                  • Scheduled Task/Job: Scheduled Task
                                                                  PID:5024
                                                                • C:\Windows\system32\schtasks.exe
                                                                  schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\spoolsv.exe'" /f
                                                                  1⤵
                                                                  • Process spawned unexpected child process
                                                                  • Scheduled Task/Job: Scheduled Task
                                                                  PID:1684
                                                                • C:\Windows\system32\schtasks.exe
                                                                  schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\spoolsv.exe'" /rl HIGHEST /f
                                                                  1⤵
                                                                  • Process spawned unexpected child process
                                                                  • Scheduled Task/Job: Scheduled Task
                                                                  PID:4196
                                                                • C:\Windows\system32\schtasks.exe
                                                                  schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\spoolsv.exe'" /rl HIGHEST /f
                                                                  1⤵
                                                                  • Process spawned unexpected child process
                                                                  • Scheduled Task/Job: Scheduled Task
                                                                  PID:4368
                                                                • C:\Windows\system32\schtasks.exe
                                                                  schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f
                                                                  1⤵
                                                                  • Process spawned unexpected child process
                                                                  • Scheduled Task/Job: Scheduled Task
                                                                  PID:5080
                                                                • C:\Windows\system32\schtasks.exe
                                                                  schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
                                                                  1⤵
                                                                  • Process spawned unexpected child process
                                                                  PID:1668
                                                                • C:\Windows\system32\schtasks.exe
                                                                  schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
                                                                  1⤵
                                                                  • Process spawned unexpected child process
                                                                  • Scheduled Task/Job: Scheduled Task
                                                                  PID:4508
                                                                • C:\Windows\system32\schtasks.exe
                                                                  schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\spoolsv.exe'" /f
                                                                  1⤵
                                                                  • Process spawned unexpected child process
                                                                  • Scheduled Task/Job: Scheduled Task
                                                                  PID:2608
                                                                • C:\Windows\system32\schtasks.exe
                                                                  schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\spoolsv.exe'" /rl HIGHEST /f
                                                                  1⤵
                                                                  • Process spawned unexpected child process
                                                                  • Scheduled Task/Job: Scheduled Task
                                                                  PID:4324
                                                                • C:\Windows\system32\schtasks.exe
                                                                  schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\spoolsv.exe'" /rl HIGHEST /f
                                                                  1⤵
                                                                  • Process spawned unexpected child process
                                                                  PID:4904
                                                                • C:\Windows\system32\schtasks.exe
                                                                  schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\providercommon\dwm.exe'" /f
                                                                  1⤵
                                                                  • Process spawned unexpected child process
                                                                  • Scheduled Task/Job: Scheduled Task
                                                                  PID:4116
                                                                • C:\Windows\system32\schtasks.exe
                                                                  schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
                                                                  1⤵
                                                                  • Process spawned unexpected child process
                                                                  • Scheduled Task/Job: Scheduled Task
                                                                  PID:4952
                                                                • C:\Windows\system32\schtasks.exe
                                                                  schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
                                                                  1⤵
                                                                  • Process spawned unexpected child process
                                                                  • Scheduled Task/Job: Scheduled Task
                                                                  PID:2196
                                                                • C:\Windows\system32\schtasks.exe
                                                                  schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\Idle.exe'" /f
                                                                  1⤵
                                                                  • Process spawned unexpected child process
                                                                  • Scheduled Task/Job: Scheduled Task
                                                                  PID:1596
                                                                • C:\Windows\system32\schtasks.exe
                                                                  schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\en-US\Idle.exe'" /rl HIGHEST /f
                                                                  1⤵
                                                                  • Process spawned unexpected child process
                                                                  • Scheduled Task/Job: Scheduled Task
                                                                  PID:2792
                                                                • C:\Windows\system32\schtasks.exe
                                                                  schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\Idle.exe'" /rl HIGHEST /f
                                                                  1⤵
                                                                  • Process spawned unexpected child process
                                                                  PID:2260
                                                                • C:\Windows\system32\schtasks.exe
                                                                  schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Portable Devices\System.exe'" /f
                                                                  1⤵
                                                                  • Process spawned unexpected child process
                                                                  • Scheduled Task/Job: Scheduled Task
                                                                  PID:4400
                                                                • C:\Windows\system32\schtasks.exe
                                                                  schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\System.exe'" /rl HIGHEST /f
                                                                  1⤵
                                                                  • Process spawned unexpected child process
                                                                  • Scheduled Task/Job: Scheduled Task
                                                                  PID:5036
                                                                • C:\Windows\system32\schtasks.exe
                                                                  schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Portable Devices\System.exe'" /rl HIGHEST /f
                                                                  1⤵
                                                                  • Process spawned unexpected child process
                                                                  • Scheduled Task/Job: Scheduled Task
                                                                  PID:864
                                                                • C:\Windows\system32\schtasks.exe
                                                                  schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\providercommon\WmiPrvSE.exe'" /f
                                                                  1⤵
                                                                  • Process spawned unexpected child process
                                                                  • Scheduled Task/Job: Scheduled Task
                                                                  PID:2096
                                                                • C:\Windows\system32\schtasks.exe
                                                                  schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
                                                                  1⤵
                                                                  • Process spawned unexpected child process
                                                                  PID:720
                                                                • C:\Windows\system32\schtasks.exe
                                                                  schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
                                                                  1⤵
                                                                  • Process spawned unexpected child process
                                                                  • Scheduled Task/Job: Scheduled Task
                                                                  PID:2428
                                                                • C:\Windows\system32\schtasks.exe
                                                                  schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
                                                                  1⤵
                                                                  • Process spawned unexpected child process
                                                                  • Scheduled Task/Job: Scheduled Task
                                                                  PID:3228
                                                                • C:\Windows\system32\schtasks.exe
                                                                  schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
                                                                  1⤵
                                                                  • Process spawned unexpected child process
                                                                  • Scheduled Task/Job: Scheduled Task
                                                                  PID:1604
                                                                • C:\Windows\system32\schtasks.exe
                                                                  schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
                                                                  1⤵
                                                                  • Process spawned unexpected child process
                                                                  PID:3520
                                                                • C:\Windows\system32\schtasks.exe
                                                                  schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Windows\en-US\wininit.exe'" /f
                                                                  1⤵
                                                                  • Process spawned unexpected child process
                                                                  • Scheduled Task/Job: Scheduled Task
                                                                  PID:4892
                                                                • C:\Windows\system32\schtasks.exe
                                                                  schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\en-US\wininit.exe'" /rl HIGHEST /f
                                                                  1⤵
                                                                  • Process spawned unexpected child process
                                                                  • Scheduled Task/Job: Scheduled Task
                                                                  PID:2616
                                                                • C:\Windows\system32\schtasks.exe
                                                                  schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Windows\en-US\wininit.exe'" /rl HIGHEST /f
                                                                  1⤵
                                                                  • Process spawned unexpected child process
                                                                  • Scheduled Task/Job: Scheduled Task
                                                                  PID:2548
                                                                • C:\Windows\system32\schtasks.exe
                                                                  schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Users\Default\fontdrvhost.exe'" /f
                                                                  1⤵
                                                                  • Process spawned unexpected child process
                                                                  • Scheduled Task/Job: Scheduled Task
                                                                  PID:5068
                                                                • C:\Windows\system32\schtasks.exe
                                                                  schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default\fontdrvhost.exe'" /rl HIGHEST /f
                                                                  1⤵
                                                                  • Process spawned unexpected child process
                                                                  • Scheduled Task/Job: Scheduled Task
                                                                  PID:4484
                                                                • C:\Windows\system32\schtasks.exe
                                                                  schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Users\Default\fontdrvhost.exe'" /rl HIGHEST /f
                                                                  1⤵
                                                                  • Process spawned unexpected child process
                                                                  • Scheduled Task/Job: Scheduled Task
                                                                  PID:3548
                                                                • C:\Windows\system32\schtasks.exe
                                                                  schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f
                                                                  1⤵
                                                                  • Process spawned unexpected child process
                                                                  • Scheduled Task/Job: Scheduled Task
                                                                  PID:764
                                                                • C:\Windows\system32\schtasks.exe
                                                                  schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
                                                                  1⤵
                                                                  • Scheduled Task/Job: Scheduled Task
                                                                  PID:2228
                                                                • C:\Windows\system32\schtasks.exe
                                                                  schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
                                                                  1⤵
                                                                  • Scheduled Task/Job: Scheduled Task
                                                                  PID:4468
                                                                • C:\Windows\system32\schtasks.exe
                                                                  schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 11 /tr "'C:\Windows\SystemResources\ShellComponents.DragDrop\pris\DllCommonsvc.exe'" /f
                                                                  1⤵
                                                                  • Scheduled Task/Job: Scheduled Task
                                                                  PID:4612
                                                                • C:\Windows\system32\schtasks.exe
                                                                  schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Windows\SystemResources\ShellComponents.DragDrop\pris\DllCommonsvc.exe'" /rl HIGHEST /f
                                                                  1⤵
                                                                  • Scheduled Task/Job: Scheduled Task
                                                                  PID:808
                                                                • C:\Windows\system32\schtasks.exe
                                                                  schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 12 /tr "'C:\Windows\SystemResources\ShellComponents.DragDrop\pris\DllCommonsvc.exe'" /rl HIGHEST /f
                                                                  1⤵
                                                                  • Scheduled Task/Job: Scheduled Task
                                                                  PID:2212
                                                                • C:\Windows\system32\schtasks.exe
                                                                  schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\WaaSMedicAgent.exe'" /f
                                                                  1⤵
                                                                    PID:3412
                                                                  • C:\Windows\system32\schtasks.exe
                                                                    schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\WaaSMedicAgent.exe'" /rl HIGHEST /f
                                                                    1⤵
                                                                    • Scheduled Task/Job: Scheduled Task
                                                                    PID:4660
                                                                  • C:\Windows\system32\schtasks.exe
                                                                    schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\WaaSMedicAgent.exe'" /rl HIGHEST /f
                                                                    1⤵
                                                                    • Scheduled Task/Job: Scheduled Task
                                                                    PID:4032
                                                                  • C:\Windows\system32\schtasks.exe
                                                                    schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
                                                                    1⤵
                                                                    • Scheduled Task/Job: Scheduled Task
                                                                    PID:4384
                                                                  • C:\Windows\system32\schtasks.exe
                                                                    schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
                                                                    1⤵
                                                                    • Scheduled Task/Job: Scheduled Task
                                                                    PID:4072
                                                                  • C:\Windows\system32\schtasks.exe
                                                                    schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
                                                                    1⤵
                                                                    • Scheduled Task/Job: Scheduled Task
                                                                    PID:2192
                                                                  • C:\Windows\system32\schtasks.exe
                                                                    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
                                                                    1⤵
                                                                    • Scheduled Task/Job: Scheduled Task
                                                                    PID:3504
                                                                  • C:\Windows\system32\schtasks.exe
                                                                    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
                                                                    1⤵
                                                                    • Scheduled Task/Job: Scheduled Task
                                                                    PID:4728
                                                                  • C:\Windows\system32\schtasks.exe
                                                                    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
                                                                    1⤵
                                                                    • Scheduled Task/Job: Scheduled Task
                                                                    PID:4440

                                                                  Network

                                                                  MITRE ATT&CK Enterprise v15

Downloads

• C:\Recovery\WindowsRE\ea1d8f6d871115
  Filesize: 984B
  MD5: 58067b362f0aae6683ff65f497e0a33b
  SHA1: c7a9630351b495633e9543b80a41af1baec7c3ac
  SHA256: f9934e6ec78dd9d51e331d838552e683c898f5f9486a2385ceccb7aafa1c0ed4
  SHA512: f70fdfd153410545c4aecdd0cf69e99eff71059e37c51265a75520dd72a026a00d6f68fec2ca32176d3602895f3b31f7d6b3aa9d3ed1eacafe05d396e8bf2342

• C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\DllCommonsvc.exe.log
  Filesize: 1KB
  MD5: 7f3c0ae41f0d9ae10a8985a2c327b8fb
  SHA1: d58622bf6b5071beacf3b35bb505bde2000983e3
  SHA256: 519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900
  SHA512: 8a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125

• C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  Filesize: 2KB
  MD5: d85ba6ff808d9e5444a4b369f5bc2730
  SHA1: 31aa9d96590fff6981b315e0b391b575e4c0804a
  SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
  SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

• C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\spoolsv.exe.log
  Filesize: 1KB
  MD5: baf55b95da4a601229647f25dad12878
  SHA1: abc16954ebfd213733c4493fc1910164d825cac8
  SHA256: ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
  SHA512: 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: 6d3e9c29fe44e90aae6ed30ccf799ca8
  SHA1: c7974ef72264bbdf13a2793ccf1aed11bc565dce
  SHA256: 2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
  SHA512: 60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: d28a889fd956d5cb3accfbaf1143eb6f
  SHA1: 157ba54b365341f8ff06707d996b3635da8446f7
  SHA256: 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
  SHA512: 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: bd5940f08d0be56e65e5f2aaf47c538e
  SHA1: d7e31b87866e5e383ab5499da64aba50f03e8443
  SHA256: 2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6
  SHA512: c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: a8e8360d573a4ff072dcc6f09d992c88
  SHA1: 3446774433ceaf0b400073914facab11b98b6807
  SHA256: bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b
  SHA512: 4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B

                                                                    MD5

                                                                    40fb442f970bccb233a739c0fcdb274c

                                                                    SHA1

                                                                    026efea8999825b25a7206801ef1d9879a3fd516

                                                                    SHA256

                                                                    b0639506a0b158d10b17721db15b9ccd1a530acc626c12b3c39eec2e058b371b

                                                                    SHA512

                                                                    3dcddd1310c9ef6e93412c2ce6fe08b71b97a69b3645c240af2264b14cbf2dc9c5cada5dbd05bd987d3af4d40952337aee43f70db68e3520cc40de9e54b62cbc

                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                    Filesize

                                                                    944B

                                                                    MD5

                                                                    057e7742b25e65a341d1341da25b54a8

                                                                    SHA1

                                                                    65c874ac4f429a4172bdf89a73922e39873ecab6

                                                                    SHA256

                                                                    f8cf996545599e442f94820af5c724fca27d22de96bcef6aa308d0520c3a1468

                                                                    SHA512

                                                                    94b461e3705336b9ebf10df506f4a436cee20ac60540cfb6fd2f36c48e011836bf1f9e3f00e5b254ad6e6f1338a976dba495d398b4459687f518e815afde04e7

                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                    Filesize

                                                                    944B

                                                                    MD5

                                                                    e59140d6693b6a0f6a8617b45bdef9fe

                                                                    SHA1

                                                                    7157a22b2533d10fe8ed91d2c5782b44c79bbcde

                                                                    SHA256

                                                                    baeb07292d7c8d7ba665a29178999ea08d4b26e8d05bb29c6dee8b8dad8de27e

                                                                    SHA512

                                                                    117494cb9415e968827ec38ff11fe6eb4781a76476a2a580f08c5f2d5d4f7ccac425dfd81c16536342a32b42a7b3dffdf471dd2666b1a11ded9f57108c6df7b7

                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                    Filesize

                                                                    944B

                                                                    MD5

                                                                    150616521d490e160cd33b97d678d206

                                                                    SHA1

                                                                    71594f5b97a4a61fe5f120eb10bcd6b73d7e6e78

                                                                    SHA256

                                                                    94595c05912cbb8380f7ed34499eb01fb91707a1ed1c02c02002a4361e889827

                                                                    SHA512

                                                                    7043dc4b336b1688205fbe762e731478ecaa0036c9f5e0434c79b8a6f8fa58b0705c8674fd6a047e6009edc52c37ce4e2ce81694e13b79a3e8183a32307f3815

                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                    Filesize

                                                                    944B

                                                                    MD5

                                                                    6d0c9c571a4975983ba8c545178f820f

                                                                    SHA1

                                                                    110386d8f4e1b5047cccd39ccdaa5919a731c9ad

                                                                    SHA256

                                                                    8020b2bb1306914da845e0726e686216af4e03510ce4ae31442f0d2faa320a42

                                                                    SHA512

                                                                    1ac5fee29f9c2dd8e89dae8302b4133dd92846d792d392f16d7b23f6cab03c83b5911c8786eceb7383e6c6ce14dc443e96920943245704344de6b2f42f9ab890

                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                    Filesize

                                                                    944B

                                                                    MD5

                                                                    c65338524586fc00cf00e679a7d4a1f4

                                                                    SHA1

                                                                    62abf26bfb979dcbf7c7649cf8a681c2a8c7c9ae

                                                                    SHA256

                                                                    faa246e6b356f55ad8b18cea908dbf9035f67feaa06f8259d934306e13e88bf6

                                                                    SHA512

                                                                    c6721362afa4998c60ff60225a7b7571aaf1dbc8cb624ad7557b365a37df26e629763fa052dc31904b3175587e940d7e0630362620870c2c7351960a14c29310

                                                                  • C:\Users\Admin\AppData\Local\Temp\4rzlnKig63.bat

                                                                    Filesize

                                                                    227B

                                                                    MD5

                                                                    53505d0f0e0576bb7969128b5d5e9d01

                                                                    SHA1

                                                                    6f17231ea573ab64bd8aacf021aa54c9d532edc5

                                                                    SHA256

                                                                    47e3141b25bf282dcafbe2299883a420897250bdf758f2d2de9e725d6edca5c9

                                                                    SHA512

                                                                    315fe2f4b20b53f5a468845e0b98ebf0f19e5bc71eb273415b1af8fbd10d1608eecd2b0d884719c59bde88128b6b7dba8a51b5679c97f5fe0f37270f2084c014

                                                                  • C:\Users\Admin\AppData\Local\Temp\5irhJyFUC1.bat

                                                                    Filesize

                                                                    227B

                                                                    MD5

                                                                    453f46e82d1edb0e2a7177b99c5aa0f8

                                                                    SHA1

                                                                    05bbf695a0606d90fa5801b30ea6e499020cc112

                                                                    SHA256

                                                                    106b472af167bfc8218abdda38f7d712a9d64ed1318fca424de0d38dcb904108

                                                                    SHA512

                                                                    ff9e81d3b9ca170c2152767f67bce61440ca452d736f2ef03352c2fdd3a66c2372a7ba502e39f7527ed6c8b9b22957ca642794601551f6626e8aa253846e9439

                                                                  • C:\Users\Admin\AppData\Local\Temp\Lg3y2yDdyq.bat

                                                                    Filesize

                                                                    227B

                                                                    MD5

                                                                    a9b1b534409ae700ed6ee497ccfccc6b

                                                                    SHA1

                                                                    471aaa6e2ae2c6303efc5be2d5379f0b6c8ab812

                                                                    SHA256

                                                                    dbb53fefdcdeb7cc03211cfce9e2cf56519fcc4b06ce09be0c9418fcd40dfe03

                                                                    SHA512

                                                                    bcd11502c599125242cfb1580a45dce6354152a01b12cd3a2cbd19e1e86b56c51044782c8ae99072756ee4240c8bb5a9d8b5ce66bf1aaf47e266d66eaa5a2ec7

                                                                  • C:\Users\Admin\AppData\Local\Temp\PX74P8KQcP.bat

                                                                    Filesize

                                                                    227B

                                                                    MD5

                                                                    126af18d00b3de20639d3e2f72156831

                                                                    SHA1

                                                                    7e78f60667ff00b63098ca4842e87fc2b8fe1e8e

                                                                    SHA256

                                                                    4c41c7ba8a2029606723ae2d37e3f93ed9bf28e55388cf7bf3e01a6737663601

                                                                    SHA512

                                                                    dbb2c90ff950228defd8b7f4c497fd5cde72a3de34a75545069e0f4d076a211e87eaef186338e11dd9416f3bdfa9c12b552d4a5b54f796de09ae5a11e1c415bb

                                                                  • C:\Users\Admin\AppData\Local\Temp\ST975DOJvB.bat

                                                                    Filesize

                                                                    227B

                                                                    MD5

                                                                    efa67e1ab7508402e913b22eaa0c1aa4

                                                                    SHA1

                                                                    ffd733d8383565c4bdd4a8dcff12a04f6ba03280

                                                                    SHA256

                                                                    82910ccb79eddc2bd9c41efce5b9a2db437140005d2aa048443654e4be87e64f

                                                                    SHA512

                                                                    8ba91df8f4fe5e94ec64950a1fa55d1c7528aafaea3fceba733ef90055ea4fdb2eb558f21b7855c2d750f56cd951b2afb06ba0446d4ca5336d6fe248e845df25

                                                                  • C:\Users\Admin\AppData\Local\Temp\UVwmmpoYNR.bat

                                                                    Filesize

                                                                    227B

                                                                    MD5

                                                                    129b61384ce3ac12c2c2f603711da8cf

                                                                    SHA1

                                                                    a9257614bc28ad0db5e2c37edd59584800118eb4

                                                                    SHA256

                                                                    66a1d04c44e95093044e3addef2414908a581c1775c52c92a4f9361e67ad2702

                                                                    SHA512

                                                                    5ab87d11747c3a475a2d9c97bb9dbcd5e451649f75796a9b80c6d345455a3e2a7a323437818f0b519be93b5997c8e0c4d3bc6a09b8eb8d2a1acb1c89ca32648f

                                                                  • C:\Users\Admin\AppData\Local\Temp\VG36Hwy0Lv.bat

                                                                    Filesize

                                                                    227B

                                                                    MD5

                                                                    5b0d9960889be3f064b1ddfee02a65b1

                                                                    SHA1

                                                                    f48b57204411d185aa99f7683d7c3e4b3b2e9449

                                                                    SHA256

                                                                    d814d262d2324377f7657f6caf9de8d498b3c70fce61f9d3f30185c6c3994a7a

                                                                    SHA512

                                                                    99a8b2094d72f97c41e5c7ef24ab7ee3fc139e84627dbb1c78ef229c92fadef10d0ed381deea1b4ddc71b7eb32d849ec13da2d7551dbdc62af843f52c4359ad1

                                                                  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pldk5rbh.blp.ps1

                                                                    Filesize

                                                                    60B

                                                                    MD5

                                                                    d17fe0a3f47be24a6453e9ef58c94641

                                                                    SHA1

                                                                    6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                    SHA256

                                                                    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                    SHA512

                                                                    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                  • C:\Users\Admin\AppData\Local\Temp\aJcBxrOCPY.bat

                                                                    Filesize

                                                                    227B

                                                                    MD5

                                                                    f4e9af11cef17f24276968a69f47fc15

                                                                    SHA1

                                                                    8a6a1278eb47d6926f5f844232801ffa5ae78075

                                                                    SHA256

                                                                    b5cd70deab8c8b211199e4c64916617912486b7e3437227183449d9db5a74f8a

                                                                    SHA512

                                                                    280936820ce3938331cd5cdb9e4c16bec3abee8b64cc9cd315e0384697ffcea28d9aaaa657c0b9be8ce83c49b7ed2bd6c9c1987206bea6ec8ea5cd8a7a157199

                                                                  • C:\Users\Admin\AppData\Local\Temp\c38FLB8gIG.bat

                                                                    Filesize

                                                                    227B

                                                                    MD5

                                                                    92ebb0a4806acdda29848a255ea838f6

                                                                    SHA1

                                                                    abd60612c335b0034076b4667b060b281de74a2d

                                                                    SHA256

                                                                    469fb8df1fffd4196718f62cb0afa77bc94e4bb2f4d27baddc9066334d8562ea

                                                                    SHA512

                                                                    8af5567d97101c02c53dca342fda90264deb48f44a4bee107082176e5636f09a0a20a1b48d4fff4988c6c90012aadef6fc6655cf6af07e1c0bf147381a1e89b7

                                                                  • C:\Users\Admin\AppData\Local\Temp\mylROGge0S.bat

                                                                    Filesize

                                                                    227B

                                                                    MD5

                                                                    46a83e4220aa8dc272b7f1a08eda473d

                                                                    SHA1

                                                                    80313327a9086b57e3f8e99d14c64377145f2275

                                                                    SHA256

                                                                    21ae47e3443207b0ca7ee9faad8430de846407bbad8702911736252378ad4938

                                                                    SHA512

                                                                    e6549d997512bdc77c597bc30c48274aade34f8566f2b2801143952d8775a853a612b0cf90cbd513e0d8779ba478d4e0fd6ba6c42d19cc49a74d92bca0415f25

                                                                  • C:\Users\Admin\AppData\Local\Temp\nFSZlC6Oy0.bat

                                                                    Filesize

                                                                    199B

                                                                    MD5

                                                                    e4b0ca8d31bb2b1db6dffc79080cffb0

                                                                    SHA1

                                                                    149513e884429d6494342d2fc771a9a4245943c4

                                                                    SHA256

                                                                    a6133e8828905d2df64cc299dd675ab275ba2a01b41f86e1b4000b90742359f2

                                                                    SHA512

                                                                    347962503f73f0b27846c51e88f2cc442ba31a31b55ce702ab4b9e03b50122244eeed71ddef89a6708be6dc4ea2d8da183f030a0ba06d0bdde588ad27a2ede7b

                                                                  • C:\Users\Admin\AppData\Local\Temp\ounU5LkXKE.bat

                                                                    Filesize

                                                                    227B

                                                                    MD5

                                                                    588d03f3f8b1a202a189ab2cf38cdb2b

                                                                    SHA1

                                                                    0c7b5ca3d566e5209b76418d01b8b1981ca653ea

                                                                    SHA256

                                                                    8fbfc06e1c485402ca7b10761d0f9225feed8c39e8be029bf57b677981446d23

                                                                    SHA512

                                                                    4d5c687c4d2877592c60f31e7edcca106b6e3a7eccee10c0f0d8b8f2a208824df0e6e22fbcfcfac1547698e784f4275da7e317c175c6755eaa86cace133ecc41

                                                                  • C:\Users\Admin\AppData\Local\Temp\p5ITN63wlJ.bat

                                                                    Filesize

                                                                    227B

                                                                    MD5

                                                                    ce3567191214981be53574a88b9a2f99

                                                                    SHA1

                                                                    79e3dbd88aa0dfd00168916ad1c207d07f9f063a

                                                                    SHA256

                                                                    3f55758431a1abfe032e585b73100801b7a022dac2e2e42272915aae2e796f2d

                                                                    SHA512

                                                                    7de75bfd8aeb04aa816d8df9f455a7988124245fc18072d12233a93353452ffc55f5cea99ecb3a2758523521bbfbf47ac8e48a9bc28225c35d64bfb5db71fb18

                                                                  • C:\Users\Admin\AppData\Local\Temp\wtOcRLEbie.bat

                                                                    Filesize

                                                                    227B

                                                                    MD5

                                                                    4d393ea41d753a6a59cbbf4bf443814b

                                                                    SHA1

                                                                    01a0476ed45d632b7bfc0641fedc0c5eacd03fa7

                                                                    SHA256

                                                                    b94833fb17d6b1f50d687fd14436fb672455a7813a9d78c3ae24568dfeb7a369

                                                                    SHA512

                                                                    89c304868bebeddc710603e444cb211ec42a38e3c8f1b6e49c33f634ca24b3f167d39a633d5737126842f1a8c4c3fae8104e069ccb21b1ce0f25f2f6fdd1dd5e

                                                                  • C:\Users\Admin\AppData\Local\Temp\xkGYwzkQoc.bat

                                                                    Filesize

                                                                    227B

                                                                    MD5

                                                                    7aaf405fdee1afdffe9b22d17a60df68

                                                                    SHA1

                                                                    88f21f2472a4ea12ea597fc45b4ee55f82d25d14

                                                                    SHA256

                                                                    5fd16778aa0d2bbb1ae3f584f38fdbd57397b7c245503d7e705b724ad1aacdc4

                                                                    SHA512

                                                                    81b163895f80696e0e30eea5ceb71d3e15f5cf48570f38f7f6efd509fe237d715e78909a1ceb70caaf8626eb1e841bddf857b563f967261400ea88c1937b637c

                                                                  • C:\providercommon\1zu9dW.bat

                                                                    Filesize

                                                                    36B

                                                                    MD5

                                                                    6783c3ee07c7d151ceac57f1f9c8bed7

                                                                    SHA1

                                                                    17468f98f95bf504cc1f83c49e49a78526b3ea03

                                                                    SHA256

                                                                    8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

                                                                    SHA512

                                                                    c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                                                  • C:\providercommon\DllCommonsvc.exe

                                                                    Filesize

                                                                    1.0MB

                                                                    MD5

                                                                    bd31e94b4143c4ce49c17d3af46bcad0

                                                                    SHA1

                                                                    f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                                                    SHA256

                                                                    b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                                                    SHA512

                                                                    f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                                                  • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                                                    Filesize

                                                                    197B

                                                                    MD5

                                                                    8088241160261560a02c84025d107592

                                                                    SHA1

                                                                    083121f7027557570994c9fc211df61730455bb5

                                                                    SHA256

                                                                    2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

                                                                    SHA512

                                                                    20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                                                  • memory/2060-16-0x0000000003230000-0x000000000323C000-memory.dmp

                                                                    Filesize

                                                                    48KB

                                                                  • memory/2060-15-0x000000001BB10000-0x000000001BB1C000-memory.dmp

                                                                    Filesize

                                                                    48KB

                                                                  • memory/2060-14-0x0000000003220000-0x0000000003232000-memory.dmp

                                                                    Filesize

                                                                    72KB

                                                                  • memory/2060-13-0x0000000000DE0000-0x0000000000EF0000-memory.dmp

                                                                    Filesize

                                                                    1.1MB

                                                                  • memory/2060-12-0x00007FFCD39B3000-0x00007FFCD39B5000-memory.dmp

                                                                    Filesize

                                                                    8KB

                                                                  • memory/2060-17-0x000000001BB20000-0x000000001BB2C000-memory.dmp

                                                                    Filesize

                                                                    48KB

                                                                  • memory/2560-389-0x000000001C280000-0x000000001C3EA000-memory.dmp

                                                                    Filesize

                                                                    1.4MB

                                                                  • memory/2560-390-0x000000001C3F0000-0x000000001C491000-memory.dmp

                                                                    Filesize

                                                                    644KB

                                                                  • memory/2992-454-0x0000000001130000-0x0000000001142000-memory.dmp

                                                                    Filesize

                                                                    72KB

                                                                  • memory/4936-47-0x000002664A210000-0x000002664A232000-memory.dmp

                                                                    Filesize

                                                                    136KB

                                                                  • memory/5024-467-0x0000000002F00000-0x0000000002F12000-memory.dmp

                                                                    Filesize

                                                                    72KB