Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-12-2024 20:53

General

  • Target

    JaffaCakes118_ef0b5331182f0ef12275d536d5a16f61f2ab77aa7a9df7e4fde1de247884a218.exe

  • Size

    1.3MB

  • MD5

    5b1573fb9f71a41b9399e10eebc73cf1

  • SHA1

    ae3caf1f1a3173807f818bfdeedf131986793d67

  • SHA256

    ef0b5331182f0ef12275d536d5a16f61f2ab77aa7a9df7e4fde1de247884a218

  • SHA512

    6943124bf3ee815c861e2bcdc190f2e8e8afe26dcd29723e65a1d17e5749a66f9f1ef3e0b1384ffcde5f7ff91aafbca21d1fa9eca2b86690050b9361309e519e

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 57 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 3 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 16 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 15 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 14 IoCs
  • Drops file in Program Files directory 7 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 14 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 34 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ef0b5331182f0ef12275d536d5a16f61f2ab77aa7a9df7e4fde1de247884a218.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ef0b5331182f0ef12275d536d5a16f61f2ab77aa7a9df7e4fde1de247884a218.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4688
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2724
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4160
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:452
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:432
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\wininit.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3036
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3032
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\de-DE\winlogon.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3192
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dllhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:5052
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\fontdrvhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3076
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\services.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:392
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Fonts\dllhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4164
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sppsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4760
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\explorer.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4544
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\RuntimeBroker.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1940
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\WindowsPowerShell\Configuration\SearchApp.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4800
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhostw.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1136
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\conhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1380
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Application Data\sysmon.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1460
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\conhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4880
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\smss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2208
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\RuntimeBroker.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4156
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\wininit.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2496
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2772
          • C:\Program Files (x86)\WindowsPowerShell\Configuration\SearchApp.exe
            "C:\Program Files (x86)\WindowsPowerShell\Configuration\SearchApp.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:756
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EOPCJ2Obyf.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:3508
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                  PID:5612
                • C:\Program Files (x86)\WindowsPowerShell\Configuration\SearchApp.exe
                  "C:\Program Files (x86)\WindowsPowerShell\Configuration\SearchApp.exe"
                  7⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Modifies registry class
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:5844
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GKRF07RVHS.bat"
                    8⤵
                    • Suspicious use of WriteProcessMemory
                    PID:5004
                    • C:\Windows\system32\w32tm.exe
                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                      9⤵
                        PID:5948
                      • C:\Program Files (x86)\WindowsPowerShell\Configuration\SearchApp.exe
                        "C:\Program Files (x86)\WindowsPowerShell\Configuration\SearchApp.exe"
                        9⤵
                        • Checks computer location settings
                        • Executes dropped EXE
                        • Modifies registry class
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:2024
                        • C:\Windows\System32\cmd.exe
                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xghrCifyI9.bat"
                          10⤵
                            PID:2840
                            • C:\Windows\system32\w32tm.exe
                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                              11⤵
                                PID:5932
                              • C:\Program Files (x86)\WindowsPowerShell\Configuration\SearchApp.exe
                                "C:\Program Files (x86)\WindowsPowerShell\Configuration\SearchApp.exe"
                                11⤵
                                • Checks computer location settings
                                • Executes dropped EXE
                                • Modifies registry class
                                • Suspicious use of AdjustPrivilegeToken
                                PID:5992
                                • C:\Windows\System32\cmd.exe
                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\c0ZYbu3Enn.bat"
                                  12⤵
                                    PID:4696
                                    • C:\Windows\system32\w32tm.exe
                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                      13⤵
                                        PID:5184
                                      • C:\Program Files (x86)\WindowsPowerShell\Configuration\SearchApp.exe
                                        "C:\Program Files (x86)\WindowsPowerShell\Configuration\SearchApp.exe"
                                        13⤵
                                        • Checks computer location settings
                                        • Executes dropped EXE
                                        • Modifies registry class
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:5904
                                        • C:\Windows\System32\cmd.exe
                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rd8mWnFnEV.bat"
                                          14⤵
                                            PID:2360
                                            • C:\Windows\system32\w32tm.exe
                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                              15⤵
                                                PID:5944
                                              • C:\Program Files (x86)\WindowsPowerShell\Configuration\SearchApp.exe
                                                "C:\Program Files (x86)\WindowsPowerShell\Configuration\SearchApp.exe"
                                                15⤵
                                                • Checks computer location settings
                                                • Executes dropped EXE
                                                • Modifies registry class
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:5124
                                                • C:\Windows\System32\cmd.exe
                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DCuC0H4DXb.bat"
                                                  16⤵
                                                    PID:3032
                                                    • C:\Windows\system32\w32tm.exe
                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                      17⤵
                                                        PID:1648
                                                      • C:\Program Files (x86)\WindowsPowerShell\Configuration\SearchApp.exe
                                                        "C:\Program Files (x86)\WindowsPowerShell\Configuration\SearchApp.exe"
                                                        17⤵
                                                        • Checks computer location settings
                                                        • Executes dropped EXE
                                                        • Modifies registry class
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:6056
                                                        • C:\Windows\System32\cmd.exe
                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wUBsuxMZs4.bat"
                                                          18⤵
                                                            PID:2920
                                                            • C:\Windows\system32\w32tm.exe
                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                              19⤵
                                                                PID:3992
                                                              • C:\Program Files (x86)\WindowsPowerShell\Configuration\SearchApp.exe
                                                                "C:\Program Files (x86)\WindowsPowerShell\Configuration\SearchApp.exe"
                                                                19⤵
                                                                • Checks computer location settings
                                                                • Executes dropped EXE
                                                                • Modifies registry class
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:5196
                                                                • C:\Windows\System32\cmd.exe
                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rmFq19iy8Y.bat"
                                                                  20⤵
                                                                    PID:4224
                                                                    • C:\Windows\system32\w32tm.exe
                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                      21⤵
                                                                        PID:208
                                                                      • C:\Program Files (x86)\WindowsPowerShell\Configuration\SearchApp.exe
                                                                        "C:\Program Files (x86)\WindowsPowerShell\Configuration\SearchApp.exe"
                                                                        21⤵
                                                                        • Checks computer location settings
                                                                        • Executes dropped EXE
                                                                        • Modifies registry class
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        PID:5668
                                                                        • C:\Windows\System32\cmd.exe
                                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\crRU6Ya2tl.bat"
                                                                          22⤵
                                                                            PID:4892
                                                                            • C:\Windows\system32\w32tm.exe
                                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                              23⤵
                                                                                PID:4916
                                                                              • C:\Program Files (x86)\WindowsPowerShell\Configuration\SearchApp.exe
                                                                                "C:\Program Files (x86)\WindowsPowerShell\Configuration\SearchApp.exe"
                                                                                23⤵
                                                                                • Checks computer location settings
                                                                                • Executes dropped EXE
                                                                                • Modifies registry class
                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                PID:3404
                                                                                • C:\Windows\System32\cmd.exe
                                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J6LEBq1ChC.bat"
                                                                                  24⤵
                                                                                    PID:5844
                                                                                    • C:\Windows\system32\w32tm.exe
                                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                      25⤵
                                                                                        PID:1632
                                                                                      • C:\Program Files (x86)\WindowsPowerShell\Configuration\SearchApp.exe
                                                                                        "C:\Program Files (x86)\WindowsPowerShell\Configuration\SearchApp.exe"
                                                                                        25⤵
                                                                                        • Checks computer location settings
                                                                                        • Executes dropped EXE
                                                                                        • Modifies registry class
                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                        PID:4372
                                                                                        • C:\Windows\System32\cmd.exe
                                                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4Tm0GxqeGU.bat"
                                                                                          26⤵
                                                                                            PID:5076
                                                                                            • C:\Windows\system32\w32tm.exe
                                                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                              27⤵
                                                                                                PID:5892
                                                                                              • C:\Program Files (x86)\WindowsPowerShell\Configuration\SearchApp.exe
                                                                                                "C:\Program Files (x86)\WindowsPowerShell\Configuration\SearchApp.exe"
                                                                                                27⤵
                                                                                                • Checks computer location settings
                                                                                                • Executes dropped EXE
                                                                                                • Modifies registry class
                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                PID:2736
                                                                                                • C:\Windows\System32\cmd.exe
                                                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ys2Wc5gw2w.bat"
                                                                                                  28⤵
                                                                                                    PID:1952
                                                                                                    • C:\Windows\system32\w32tm.exe
                                                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                      29⤵
                                                                                                        PID:5740
                                                                                                      • C:\Program Files (x86)\WindowsPowerShell\Configuration\SearchApp.exe
                                                                                                        "C:\Program Files (x86)\WindowsPowerShell\Configuration\SearchApp.exe"
                                                                                                        29⤵
                                                                                                        • Checks computer location settings
                                                                                                        • Executes dropped EXE
                                                                                                        • Modifies registry class
                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                        PID:6004
                                                                                                        • C:\Windows\System32\cmd.exe
                                                                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FFH8oguQ3d.bat"
                                                                                                          30⤵
                                                                                                            PID:3408
                                                                                                            • C:\Windows\system32\w32tm.exe
                                                                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                              31⤵
                                                                                                                PID:3288
                                                                                                              • C:\Program Files (x86)\WindowsPowerShell\Configuration\SearchApp.exe
                                                                                                                "C:\Program Files (x86)\WindowsPowerShell\Configuration\SearchApp.exe"
                                                                                                                31⤵
                                                                                                                • Executes dropped EXE
                                                                                                                PID:4952
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\wininit.exe'" /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:4608
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:1428
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:2452
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\providercommon\spoolsv.exe'" /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:4152
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:4592
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:5056
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Windows\de-DE\winlogon.exe'" /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:660
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\de-DE\winlogon.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:2084
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Windows\de-DE\winlogon.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:3708
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:756
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:4848
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:3596
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\providercommon\fontdrvhost.exe'" /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:1148
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:4996
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:1892
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:3828
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:3348
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:2156
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Windows\Fonts\dllhost.exe'" /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:2860
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Fonts\dllhost.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:1384
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Windows\Fonts\dllhost.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:1124
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:3136
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:344
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:3324
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files\7-Zip\Lang\explorer.exe'" /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:2680
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\explorer.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:3352
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files\7-Zip\Lang\explorer.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:1572
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Mozilla Firefox\RuntimeBroker.exe'" /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:4636
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\RuntimeBroker.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:740
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files\Mozilla Firefox\RuntimeBroker.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:2396
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\SearchApp.exe'" /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:804
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\SearchApp.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:4240
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\SearchApp.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:3956
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\providercommon\taskhostw.exe'" /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:4876
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\providercommon\taskhostw.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:3604
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\providercommon\taskhostw.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:536
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:4548
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:2488
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:4924
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Application Data\sysmon.exe'" /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:4348
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Default\Application Data\sysmon.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:928
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Application Data\sysmon.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:64
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\conhost.exe'" /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:1944
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default User\conhost.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:1432
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\conhost.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:4084
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\smss.exe'" /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:2580
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:4952
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:5068
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\providercommon\RuntimeBroker.exe'" /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:2372
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:4804
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:4680
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\wininit.exe'" /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:744
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\wininit.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:4060
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\wininit.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:3436
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:4112
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:552
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:2864

                                                  Network

                                                  MITRE ATT&CK Enterprise v15

                                                  Replay Monitor

                                                  Loading Replay Monitor...

                                                  Downloads

                                                  • C:\Program Files (x86)\WindowsPowerShell\Configuration\SearchApp.exe

                                                    Filesize

                                                    803KB

                                                    MD5

                                                    543fce7790fb4205f805e2e048cc9784

                                                    SHA1

                                                    e07988591933b28652c19c21b116184d9f9f4e36

                                                    SHA256

                                                    5fb81e664603b92a15f43b2b744a8d66cd943820c66368cf5adf69e59e89ff32

                                                    SHA512

                                                    683f035503ca482194080031e07fb6ce2e8f9a716159ed97fde3aa03d85356513d0d47228ecaa8d8ee143df28a725fea0c16088e656d94e2e57acc299740c504

                                                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SearchApp.exe.log

                                                    Filesize

                                                    1KB

                                                    MD5

                                                    baf55b95da4a601229647f25dad12878

                                                    SHA1

                                                    abc16954ebfd213733c4493fc1910164d825cac8

                                                    SHA256

                                                    ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

                                                    SHA512

                                                    24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

                                                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                                                    Filesize

                                                    2KB

                                                    MD5

                                                    d85ba6ff808d9e5444a4b369f5bc2730

                                                    SHA1

                                                    31aa9d96590fff6981b315e0b391b575e4c0804a

                                                    SHA256

                                                    84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                                                    SHA512

                                                    8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                    Filesize

                                                    944B

                                                    MD5

                                                    044918c9da2668f4cf9fe40a413307c2

                                                    SHA1

                                                    6fad3e20fe457daed212725356a6dd7729a84dd8

                                                    SHA256

                                                    80a6102676f0311b37c57f3ebd8d18a138c27a44c7e44e8089f18e0bd988dc5b

                                                    SHA512

                                                    bebba48542e75e48eb25806a923eda6676584a816b54c5236cbd56deae0a3ac49bce16187f231c8fd36702009544360cccb79f6b1ac4b926e5af669bcb341c49

                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                    Filesize

                                                    944B

                                                    MD5

                                                    d28a889fd956d5cb3accfbaf1143eb6f

                                                    SHA1

                                                    157ba54b365341f8ff06707d996b3635da8446f7

                                                    SHA256

                                                    21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

                                                    SHA512

                                                    0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                    Filesize

                                                    944B

                                                    MD5

                                                    5f0ddc7f3691c81ee14d17b419ba220d

                                                    SHA1

                                                    f0ef5fde8bab9d17c0b47137e014c91be888ee53

                                                    SHA256

                                                    a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

                                                    SHA512

                                                    2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                    Filesize

                                                    944B

                                                    MD5

                                                    e243a38635ff9a06c87c2a61a2200656

                                                    SHA1

                                                    ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

                                                    SHA256

                                                    af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

                                                    SHA512

                                                    4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                    Filesize

                                                    944B

                                                    MD5

                                                    3a6bad9528f8e23fb5c77fbd81fa28e8

                                                    SHA1

                                                    f127317c3bc6407f536c0f0600dcbcf1aabfba36

                                                    SHA256

                                                    986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

                                                    SHA512

                                                    846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

                                                  • C:\Users\Admin\AppData\Local\Temp\4Tm0GxqeGU.bat

                                                    Filesize

                                                    233B

                                                    MD5

                                                    5ccdd75d852fd4e52e8fc4640f2a5114

                                                    SHA1

                                                    492f2a51c45411656ba531555b6dceacbebd6bc3

                                                    SHA256

                                                    77d81302dc56ccf35ba2f106d579fec56bed096c6f34d0d065102d6a245d92c4

                                                    SHA512

                                                    41594bb4598382aa100e1c94c6c4339748c67bb2282d70371435d89bbd95527716ee9ef384801aaefcb8fe11ba0edb92f9836736b9f30ea1aa4c1202dff93929

                                                  • C:\Users\Admin\AppData\Local\Temp\DCuC0H4DXb.bat

                                                    Filesize

                                                    233B

                                                    MD5

                                                    18d6a384e57d48401d5b7fb17575fa35

                                                    SHA1

                                                    4ac30ff401144e3b3ec3ec88065114312baac300

                                                    SHA256

                                                    d24fa0ae842e043402a547124677dcde284386fa7081e7966dae9ae0862641b0

                                                    SHA512

                                                    1de63f4b9128d72bc3bbf130b09eb786249b85fbca1b7949d295bc74b7646d337d18fc7c336435d007d72f91ca06f597c8a88312eaa4288cfea0ae85fab797f2

                                                  • C:\Users\Admin\AppData\Local\Temp\EOPCJ2Obyf.bat

                                                    Filesize

                                                    233B

                                                    MD5

                                                    7fc5c9e551d9cc56f71494af68c60deb

                                                    SHA1

                                                    853e93a7daa8154d1fbc6d76ddbb976edc393900

                                                    SHA256

                                                    ed718f0a2af809bea03ed495fa19c3a6d8ba42bc0efbc9ca18edd3fb1c4438b3

                                                    SHA512

                                                    78563bebce5f05b7baa019de03b667ce2ff3c4a58d4688b499a48529920619d8032a10e456280a23701e06deff61e5e6a3136b11cd286aeecbcd773b2fb2a53e

                                                  • C:\Users\Admin\AppData\Local\Temp\FFH8oguQ3d.bat

                                                    Filesize

                                                    233B

                                                    MD5

                                                    3837c6775d61ac1a4a44614e94068a1a

                                                    SHA1

                                                    82f5a817da43199540a4827a63e61d59a967805e

                                                    SHA256

                                                    5d1159af64abb88ca75acd4aaa6997e5f4c31fe42eb508e1b6de696f5438441a

                                                    SHA512

                                                    8fbdf154d4cf5b6606cc3096392a8f189c812f77e4b3c4fd8ff1a3b2569971a73629124bca56294d1f1470cc4557c3941cf14717e04d7da91f28eebfcc0011b7

                                                  • C:\Users\Admin\AppData\Local\Temp\GKRF07RVHS.bat

                                                    Filesize

                                                    233B

                                                    MD5

                                                    76ce74f8c682bfd2706cdb6c2fd64213

                                                    SHA1

                                                    2d525b2872d2ef281f89627ca618866f513bef48

                                                    SHA256

                                                    7a353159cb2a89a53b037ae8ec5f2ac3bf9f24341256c8e6976ee7dd5afcfbae

                                                    SHA512

                                                    97a774f6d71d3c2a2efcd49d743f8cbb2573544cd22a85cb656142926057e2fd4d0a15ece89572f5412e627d30023808b9b9fd78c147fe9e8e814552095e90b7

                                                  • C:\Users\Admin\AppData\Local\Temp\J6LEBq1ChC.bat

                                                    Filesize

                                                    233B

                                                    MD5

                                                    093bebdfd447433da32226c8435d67c3

                                                    SHA1

                                                    8cc1509dfb0e1d879ac784ca838aed7ef20d6957

                                                    SHA256

                                                    e8874c7b4cb1517ba42401de7f75e88b8fbdcd7aabda82dda41e15c8efab48b2

                                                    SHA512

                                                    b33b90ae183b18cad6fda1d3d0b0a80e00992c2b61420395f44a9074dc609311d344998a8d604e7c173605b31043a91a33933d84498dfd9c50c17e70a7b52e70

                                                  • C:\Users\Admin\AppData\Local\Temp\Ys2Wc5gw2w.bat

                                                    Filesize

                                                    233B

                                                    MD5

                                                    63b56b130ab2f96b0077b34b07ff8f00

                                                    SHA1

                                                    d8f36cbe29cd7678914140eb90a9bdb2c7f5c2ac

                                                    SHA256

                                                    4b073a18cc8c58cda24c1accd03c0ec827e00b83efe8e76d69b18035b1da06db

                                                    SHA512

                                                    f69e3ae358d1cbfdc70268e854ac4b60eda3238dcce1a9deb750f048744eba95accf6a667ce7a1e35e771bdb3beb788b258c950ddc5a5610087b9311e8926091

                                                  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oofi21kz.sop.ps1

                                                    Filesize

                                                    60B

                                                    MD5

                                                    d17fe0a3f47be24a6453e9ef58c94641

                                                    SHA1

                                                    6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                    SHA256

                                                    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                    SHA512

                                                    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                  • C:\Users\Admin\AppData\Local\Temp\c0ZYbu3Enn.bat

                                                    Filesize

                                                    233B

                                                    MD5

                                                    4a96e118dd987d8cd06a429cb362a29e

                                                    SHA1

                                                    f807ac1655774abfb4e1d02611d037730a718953

                                                    SHA256

                                                    6651f18841ffb024037fa5a12481658182d906aee4407d77e80bb9ae38c24207

                                                    SHA512

                                                    30cda0019bc03db24c7a5b698963de8fb65a279ce2b8f45d33c04279b397f4c6078962ca8723dcacd705b7c904b696f048a7a1bfbc30d9ddde3e95ef55751d64

                                                  • C:\Users\Admin\AppData\Local\Temp\crRU6Ya2tl.bat

                                                    Filesize

                                                    233B

                                                    MD5

                                                    460be32d19433a94e3d58397352e5c79

                                                    SHA1

                                                    a6a0dafd64c26fbc7992e1c4be6db490ad2b6180

                                                    SHA256

                                                    ca09f10772f8585c52b47db1ff48f31c597448f8f84b3c049eec50bfba9c52c8

                                                    SHA512

                                                    dc64632f044807f98e73c33048518ee578f03be4ef8d04050402d683121a192089ed64c1c44e77f0e6194c26be289aaa385cb1e45c30bf6587baee5a7f2c6e11

                                                  • C:\Users\Admin\AppData\Local\Temp\rd8mWnFnEV.bat

                                                    Filesize

                                                    233B

                                                    MD5

                                                    0b15ca8b473b4dc583859b51ddeacb44

                                                    SHA1

                                                    b96329f0d14cc9a04dd17a09e0e0a5a0f66db7fb

                                                    SHA256

                                                    0e943832bcb62fb0ed1e1386238a9d27f975469f690972942a1c6e9c51ba8ec3

                                                    SHA512

                                                    687ebc6e2d5ad419654e51521abdfa3ab94bd7e8467f4c96dbaacddd3d1818c6923cfea98fa82461a054c516084f28afed043b23e3ebd45e8620feb101b16467

                                                  • C:\Users\Admin\AppData\Local\Temp\rmFq19iy8Y.bat

                                                    Filesize

                                                    233B

                                                    MD5

                                                    4c3dea8084453dae44175abf1b78d784

                                                    SHA1

                                                    ba46c17d7a9787cc85e770349730bce240c40440

                                                    SHA256

                                                    e51122aa1e45e441a2547c29a9c4afa03337548bfab5c79a9485eac4a5469b21

                                                    SHA512

                                                    3b6c0c1093619dcc04cdd0073de2eca108dfc16ed85afbee58ad91c5002719dab31a0b51bb2b53174032d400abd679ffc9c1a34cd45b52eb0411d1ce7dd63abf

                                                  • C:\Users\Admin\AppData\Local\Temp\wUBsuxMZs4.bat

                                                    Filesize

                                                    233B

                                                    MD5

                                                    1961bbda837c51683e73bc3ac2f39c4a

                                                    SHA1

                                                    9a21d7a05b8fbbe2f27457453e51ba261564adc3

                                                    SHA256

                                                    dfd30c355a80cf84372a7361f68a81eb015c052883f63059f5398cb77aa14af0

                                                    SHA512

                                                    e2e5a5bbe72b919bacef165f5b4bae74c6f3f2299875cd528c6c38dc3a5691fb838973b8da2f681a87408140f0d06d36cd0bde03eb990058ed87b9eb206289ee

                                                  • C:\Users\Admin\AppData\Local\Temp\xghrCifyI9.bat

                                                    Filesize

                                                    233B

                                                    MD5

                                                    01734566c58401a88f0e4585d8edfa68

                                                    SHA1

                                                    56836de15ea6f7d7b90b0e58957447f88a92ecd0

                                                    SHA256

                                                    d9e96c904a91070075bba17368a293f20e0493dbed3052c79d31b8eeb7368492

                                                    SHA512

                                                    edfdc5a4d64954580154eac59422ebb8959fb2fb4289dc6717c8fd8b71b9c1e342e9967cd3f9621fd8480be12a4d4665d07b0202c12525a521482e9110118c27

                                                  • C:\providercommon\1zu9dW.bat

                                                    Filesize

                                                    36B

                                                    MD5

                                                    6783c3ee07c7d151ceac57f1f9c8bed7

                                                    SHA1

                                                    17468f98f95bf504cc1f83c49e49a78526b3ea03

                                                    SHA256

                                                    8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

                                                    SHA512

                                                    c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                                  • C:\providercommon\DllCommonsvc.exe

                                                    Filesize

                                                    1.0MB

                                                    MD5

                                                    bd31e94b4143c4ce49c17d3af46bcad0

                                                    SHA1

                                                    f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                                    SHA256

                                                    b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                                    SHA512

                                                    f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                                  • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                                    Filesize

                                                    197B

                                                    MD5

                                                    8088241160261560a02c84025d107592

                                                    SHA1

                                                    083121f7027557570994c9fc211df61730455bb5

                                                    SHA256

                                                    2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

                                                    SHA512

                                                    20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                                  • memory/392-307-0x000001EDCD4E0000-0x000001EDCD6FC000-memory.dmp

                                                    Filesize

                                                    2.1MB

                                                  • memory/432-294-0x00000202FD940000-0x00000202FDB5C000-memory.dmp

                                                    Filesize

                                                    2.1MB

                                                  • memory/452-14-0x0000000002750000-0x0000000002762000-memory.dmp

                                                    Filesize

                                                    72KB

                                                  • memory/452-12-0x00007FFDEEC63000-0x00007FFDEEC65000-memory.dmp

                                                    Filesize

                                                    8KB

                                                  • memory/452-13-0x0000000000310000-0x0000000000420000-memory.dmp

                                                    Filesize

                                                    1.1MB

                                                  • memory/452-16-0x0000000002770000-0x000000000277C000-memory.dmp

                                                    Filesize

                                                    48KB

                                                  • memory/452-17-0x0000000002780000-0x000000000278C000-memory.dmp

                                                    Filesize

                                                    48KB

                                                  • memory/452-15-0x0000000002760000-0x000000000276C000-memory.dmp

                                                    Filesize

                                                    48KB

                                                  • memory/756-314-0x000000001C060000-0x000000001C209000-memory.dmp

                                                    Filesize

                                                    1.7MB

                                                  • memory/1136-305-0x00000249BF6D0000-0x00000249BF8EC000-memory.dmp

                                                    Filesize

                                                    2.1MB

                                                  • memory/1380-295-0x000001D8C7BB0000-0x000001D8C7DCC000-memory.dmp

                                                    Filesize

                                                    2.1MB

                                                  • memory/1460-259-0x0000029999860000-0x0000029999A7C000-memory.dmp

                                                    Filesize

                                                    2.1MB

                                                  • memory/1940-300-0x000001A07AB00000-0x000001A07AD1C000-memory.dmp

                                                    Filesize

                                                    2.1MB

                                                  • memory/2024-325-0x0000000001420000-0x0000000001432000-memory.dmp

                                                    Filesize

                                                    72KB

                                                  • memory/2024-330-0x000000001C650000-0x000000001C7BA000-memory.dmp

                                                    Filesize

                                                    1.4MB

                                                  • memory/2024-331-0x000000001C7C0000-0x000000001C969000-memory.dmp

                                                    Filesize

                                                    1.7MB

                                                  • memory/2208-275-0x00000169EA8A0000-0x00000169EAABC000-memory.dmp

                                                    Filesize

                                                    2.1MB

                                                  • memory/2496-262-0x000001C6F36A0000-0x000001C6F38BC000-memory.dmp

                                                    Filesize

                                                    2.1MB

                                                  • memory/2772-278-0x00000251B88D0000-0x00000251B8AEC000-memory.dmp

                                                    Filesize

                                                    2.1MB

                                                  • memory/3032-308-0x000001BBC6620000-0x000001BBC683C000-memory.dmp

                                                    Filesize

                                                    2.1MB

                                                  • memory/3036-255-0x0000017DACE40000-0x0000017DAD05C000-memory.dmp

                                                    Filesize

                                                    2.1MB

                                                  • memory/3076-290-0x000001B4F7470000-0x000001B4F768C000-memory.dmp

                                                    Filesize

                                                    2.1MB

                                                  • memory/3192-291-0x0000016543ED0000-0x00000165440EC000-memory.dmp

                                                    Filesize

                                                    2.1MB

                                                  • memory/3404-370-0x0000000001220000-0x0000000001232000-memory.dmp

                                                    Filesize

                                                    72KB

                                                  • memory/4156-297-0x000001DB6C600000-0x000001DB6C81C000-memory.dmp

                                                    Filesize

                                                    2.1MB

                                                  • memory/4164-265-0x000001F05CD90000-0x000001F05CFAC000-memory.dmp

                                                    Filesize

                                                    2.1MB

                                                  • memory/4372-377-0x0000000000D50000-0x0000000000D62000-memory.dmp

                                                    Filesize

                                                    72KB

                                                  • memory/4544-258-0x0000022669230000-0x000002266944C000-memory.dmp

                                                    Filesize

                                                    2.1MB

                                                  • memory/4544-67-0x0000022650C80000-0x0000022650CA2000-memory.dmp

                                                    Filesize

                                                    136KB

                                                  • memory/4760-268-0x0000026EC8DC0000-0x0000026EC8FDC000-memory.dmp

                                                    Filesize

                                                    2.1MB

                                                  • memory/4800-279-0x0000023EE1180000-0x0000023EE139C000-memory.dmp

                                                    Filesize

                                                    2.1MB

                                                  • memory/4880-306-0x0000020FFF180000-0x0000020FFF39C000-memory.dmp

                                                    Filesize

                                                    2.1MB

                                                  • memory/5052-296-0x000001B2CC800000-0x000001B2CCA1C000-memory.dmp

                                                    Filesize

                                                    2.1MB

                                                  • memory/5844-318-0x0000000001180000-0x0000000001192000-memory.dmp

                                                    Filesize

                                                    72KB

                                                  • memory/6004-390-0x00000000024A0000-0x00000000024B2000-memory.dmp

                                                    Filesize

                                                    72KB