Analysis

  • max time kernel
    147s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21-12-2024 21:08

General

  • Target

    JaffaCakes118_5e8eb37cc096268975d3849ebe2aa475cc8620b3b5e08bd6582a24da758f40bd.exe

  • Size

    1.3MB

  • MD5

    5c92ccdf6b284f1677d622b85ba6bf65

  • SHA1

    821929a0b3aea12b2ca60487254712d10f97e5d2

  • SHA256

    5e8eb37cc096268975d3849ebe2aa475cc8620b3b5e08bd6582a24da758f40bd

  • SHA512

    f036d0df48334dbe3920661eab4898158083820c79cb3722a0d7b1d5475a1120965ac26e82b287c5efda6303dbe13c0a68f380b84b1ad80b28253a981b669002

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 51 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 18 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 16 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 15 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Modifies registry class 16 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 35 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5e8eb37cc096268975d3849ebe2aa475cc8620b3b5e08bd6582a24da758f40bd.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5e8eb37cc096268975d3849ebe2aa475cc8620b3b5e08bd6582a24da758f40bd.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:468
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:5088
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:904
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3764
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2064
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\it-IT\TextInputHost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4836
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\RuntimeBroker.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:436
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1236
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\taskhostw.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4732
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\My Documents\Registry.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:928
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\br1tpLa245.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:4424
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:3648
              • C:\providercommon\DllCommonsvc.exe
                "C:\providercommon\DllCommonsvc.exe"
                6⤵
                • Checks computer location settings
                • Executes dropped EXE
                • Drops file in Program Files directory
                • Drops file in Windows directory
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:3484
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4696
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\sppsvc.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2256
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\WindowsPowerShell\DllCommonsvc.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4644
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2508
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\RuntimeBroker.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3172
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\winlogon.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4376
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\tracing\StartMenuExperienceHost.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4664
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4728
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\dotnet\OfficeClickToRun.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3716
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sysmon.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3748
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\My Videos\RuntimeBroker.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3480
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\WaaSMedicAgent.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:904
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\upfc.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3576
                • C:\Program Files (x86)\WindowsPowerShell\DllCommonsvc.exe
                  "C:\Program Files (x86)\WindowsPowerShell\DllCommonsvc.exe"
                  7⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Modifies registry class
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:5104
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\k2jNhBdkgg.bat"
                    8⤵
                    • Suspicious use of WriteProcessMemory
                    PID:3988
                    • C:\Windows\system32\w32tm.exe
                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                      9⤵
                        PID:4040
                      • C:\Program Files (x86)\WindowsPowerShell\DllCommonsvc.exe
                        "C:\Program Files (x86)\WindowsPowerShell\DllCommonsvc.exe"
                        9⤵
                        • Checks computer location settings
                        • Executes dropped EXE
                        • Modifies registry class
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:3356
                        • C:\Windows\System32\cmd.exe
                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uxMZkGAiOs.bat"
                          10⤵
                          • Suspicious use of WriteProcessMemory
                          PID:2948
                          • C:\Windows\system32\w32tm.exe
                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                            11⤵
                              PID:1128
                            • C:\Program Files (x86)\WindowsPowerShell\DllCommonsvc.exe
                              "C:\Program Files (x86)\WindowsPowerShell\DllCommonsvc.exe"
                              11⤵
                              • Checks computer location settings
                              • Executes dropped EXE
                              • Modifies registry class
                              • Suspicious use of AdjustPrivilegeToken
                              PID:1600
                              • C:\Windows\System32\cmd.exe
                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9j3rBUpSkc.bat"
                                12⤵
                                  PID:4220
                                  • C:\Windows\system32\w32tm.exe
                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                    13⤵
                                      PID:4968
                                    • C:\Program Files (x86)\WindowsPowerShell\DllCommonsvc.exe
                                      "C:\Program Files (x86)\WindowsPowerShell\DllCommonsvc.exe"
                                      13⤵
                                      • Checks computer location settings
                                      • Executes dropped EXE
                                      • Modifies registry class
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:4320
                                      • C:\Windows\System32\cmd.exe
                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\o09MCfWrWU.bat"
                                        14⤵
                                          PID:4936
                                          • C:\Windows\system32\w32tm.exe
                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                            15⤵
                                              PID:4284
                                            • C:\Program Files (x86)\WindowsPowerShell\DllCommonsvc.exe
                                              "C:\Program Files (x86)\WindowsPowerShell\DllCommonsvc.exe"
                                              15⤵
                                              • Checks computer location settings
                                              • Executes dropped EXE
                                              • Modifies registry class
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:1140
                                              • C:\Windows\System32\cmd.exe
                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hGpPWS23Hw.bat"
                                                16⤵
                                                  PID:1808
                                                  • C:\Windows\system32\w32tm.exe
                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                    17⤵
                                                      PID:4328
                                                    • C:\Program Files (x86)\WindowsPowerShell\DllCommonsvc.exe
                                                      "C:\Program Files (x86)\WindowsPowerShell\DllCommonsvc.exe"
                                                      17⤵
                                                      • Checks computer location settings
                                                      • Executes dropped EXE
                                                      • Modifies registry class
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:1908
                                                      • C:\Windows\System32\cmd.exe
                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HZWv28qLDz.bat"
                                                        18⤵
                                                          PID:2736
                                                          • C:\Windows\system32\w32tm.exe
                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                            19⤵
                                                              PID:2324
                                                            • C:\Program Files (x86)\WindowsPowerShell\DllCommonsvc.exe
                                                              "C:\Program Files (x86)\WindowsPowerShell\DllCommonsvc.exe"
                                                              19⤵
                                                              • Checks computer location settings
                                                              • Executes dropped EXE
                                                              • Modifies registry class
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:640
                                                              • C:\Windows\System32\cmd.exe
                                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\x4tck5X09i.bat"
                                                                20⤵
                                                                  PID:2068
                                                                  • C:\Windows\system32\w32tm.exe
                                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                    21⤵
                                                                      PID:5104
                                                                    • C:\Program Files (x86)\WindowsPowerShell\DllCommonsvc.exe
                                                                      "C:\Program Files (x86)\WindowsPowerShell\DllCommonsvc.exe"
                                                                      21⤵
                                                                      • Checks computer location settings
                                                                      • Executes dropped EXE
                                                                      • Modifies registry class
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      PID:2180
                                                                      • C:\Windows\System32\cmd.exe
                                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\p5ITN63wlJ.bat"
                                                                        22⤵
                                                                          PID:2848
                                                                          • C:\Windows\system32\w32tm.exe
                                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                            23⤵
                                                                              PID:4568
                                                                            • C:\Program Files (x86)\WindowsPowerShell\DllCommonsvc.exe
                                                                              "C:\Program Files (x86)\WindowsPowerShell\DllCommonsvc.exe"
                                                                              23⤵
                                                                              • Checks computer location settings
                                                                              • Executes dropped EXE
                                                                              • Modifies registry class
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              PID:1712
                                                                              • C:\Windows\System32\cmd.exe
                                                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YNa8GmLI5m.bat"
                                                                                24⤵
                                                                                  PID:3960
                                                                                  • C:\Windows\system32\w32tm.exe
                                                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                    25⤵
                                                                                      PID:4492
                                                                                    • C:\Program Files (x86)\WindowsPowerShell\DllCommonsvc.exe
                                                                                      "C:\Program Files (x86)\WindowsPowerShell\DllCommonsvc.exe"
                                                                                      25⤵
                                                                                      • Checks computer location settings
                                                                                      • Executes dropped EXE
                                                                                      • Modifies registry class
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      PID:4984
                                                                                      • C:\Windows\System32\cmd.exe
                                                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VG36Hwy0Lv.bat"
                                                                                        26⤵
                                                                                          PID:5020
                                                                                          • C:\Windows\system32\w32tm.exe
                                                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                            27⤵
                                                                                              PID:4032
                                                                                            • C:\Program Files (x86)\WindowsPowerShell\DllCommonsvc.exe
                                                                                              "C:\Program Files (x86)\WindowsPowerShell\DllCommonsvc.exe"
                                                                                              27⤵
                                                                                              • Checks computer location settings
                                                                                              • Executes dropped EXE
                                                                                              • Modifies registry class
                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                              PID:1804
                                                                                              • C:\Windows\System32\cmd.exe
                                                                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xkGYwzkQoc.bat"
                                                                                                28⤵
                                                                                                  PID:2448
                                                                                                  • C:\Windows\system32\w32tm.exe
                                                                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                    29⤵
                                                                                                      PID:1448
                                                                                                    • C:\Program Files (x86)\WindowsPowerShell\DllCommonsvc.exe
                                                                                                      "C:\Program Files (x86)\WindowsPowerShell\DllCommonsvc.exe"
                                                                                                      29⤵
                                                                                                      • Checks computer location settings
                                                                                                      • Executes dropped EXE
                                                                                                      • Modifies registry class
                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                      PID:3316
                                                                                                      • C:\Windows\System32\cmd.exe
                                                                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5irhJyFUC1.bat"
                                                                                                        30⤵
                                                                                                          PID:652
                                                                                                          • C:\Windows\system32\w32tm.exe
                                                                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                            31⤵
                                                                                                              PID:2816
                                                                                                            • C:\Program Files (x86)\WindowsPowerShell\DllCommonsvc.exe
                                                                                                              "C:\Program Files (x86)\WindowsPowerShell\DllCommonsvc.exe"
                                                                                                              31⤵
                                                                                                              • Checks computer location settings
                                                                                                              • Executes dropped EXE
                                                                                                              • Modifies registry class
                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                              PID:3056
                                                                                                              • C:\Windows\System32\cmd.exe
                                                                                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\00vfQAbtTV.bat"
                                                                                                                32⤵
                                                                                                                  PID:1344
                                                                                                                  • C:\Windows\system32\w32tm.exe
                                                                                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                                    33⤵
                                                                                                                      PID:3448
                                                                                                                    • C:\Program Files (x86)\WindowsPowerShell\DllCommonsvc.exe
                                                                                                                      "C:\Program Files (x86)\WindowsPowerShell\DllCommonsvc.exe"
                                                                                                                      33⤵
                                                                                                                      • Checks computer location settings
                                                                                                                      • Executes dropped EXE
                                                                                                                      • Modifies registry class
                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                      PID:2428
                                                                                                                      • C:\Windows\System32\cmd.exe
                                                                                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eKnLpNzAx9.bat"
                                                                                                                        34⤵
                                                                                                                          PID:4960
                                                                                                                          • C:\Windows\system32\w32tm.exe
                                                                                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                                            35⤵
                                                                                                                              PID:312
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\it-IT\TextInputHost.exe'" /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:532
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\it-IT\TextInputHost.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:3352
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 12 /tr "'C:\Program Files\Internet Explorer\it-IT\TextInputHost.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:3228
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:2380
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:2916
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:796
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:3356
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:3612
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:4544
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\taskhostw.exe'" /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:1336
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Default User\taskhostw.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:3960
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\taskhostw.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:2220
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Users\Default\My Documents\Registry.exe'" /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:4200
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\Default\My Documents\Registry.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:3616
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Users\Default\My Documents\Registry.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:2880
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows NT\sppsvc.exe'" /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:4560
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\sppsvc.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:3316
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\sppsvc.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:5112
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\WindowsPowerShell\DllCommonsvc.exe'" /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:3340
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\DllCommonsvc.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:3744
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\WindowsPowerShell\DllCommonsvc.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:2580
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\providercommon\dllhost.exe'" /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:1140
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:3988
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:1588
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:3228
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:3780
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:1132
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:796
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:3356
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:5048
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Windows\tracing\StartMenuExperienceHost.exe'" /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:4544
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\tracing\StartMenuExperienceHost.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:1336
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Windows\tracing\StartMenuExperienceHost.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:1152
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe'" /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:2220
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:4200
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:3616
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Program Files\dotnet\OfficeClickToRun.exe'" /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:1724
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\dotnet\OfficeClickToRun.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:1544
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Program Files\dotnet\OfficeClickToRun.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:4920
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\providercommon\sysmon.exe'" /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:1540
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\providercommon\sysmon.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:1680
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\providercommon\sysmon.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:1584
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Documents\My Videos\RuntimeBroker.exe'" /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:1600
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Videos\RuntimeBroker.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:1444
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Documents\My Videos\RuntimeBroker.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:4740
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\WaaSMedicAgent.exe'" /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:2244
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\WaaSMedicAgent.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:2260
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\WaaSMedicAgent.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:3188
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Users\Default\upfc.exe'" /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:384
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\Default\upfc.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:3668
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Users\Default\upfc.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:4784

                                                        Network

                                                        MITRE ATT&CK Enterprise v15

                                                        Downloads


                                                          SHA512

                                                          20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                                        • memory/928-42-0x000002834B430000-0x000002834B452000-memory.dmp

                                                          Filesize

                                                          136KB

                                                        • memory/1712-338-0x000000001BCC0000-0x000000001BE69000-memory.dmp

                                                          Filesize

                                                          1.7MB

                                                        • memory/1712-333-0x00000000009C0000-0x00000000009D2000-memory.dmp

                                                          Filesize

                                                          72KB

                                                        • memory/1804-348-0x0000000000EB0000-0x0000000000EC2000-memory.dmp

                                                          Filesize

                                                          72KB

                                                        • memory/1908-313-0x0000000000B00000-0x0000000000B12000-memory.dmp

                                                          Filesize

                                                          72KB

                                                        • memory/2180-330-0x000000001C6A0000-0x000000001C849000-memory.dmp

                                                          Filesize

                                                          1.7MB

                                                        • memory/2428-369-0x0000000000E00000-0x0000000000E12000-memory.dmp

                                                          Filesize

                                                          72KB

                                                        • memory/3056-362-0x0000000000A80000-0x0000000000A92000-memory.dmp

                                                          Filesize

                                                          72KB

                                                        • memory/3316-355-0x00000000018E0000-0x00000000018F2000-memory.dmp

                                                          Filesize

                                                          72KB

                                                        • memory/3356-290-0x000000001BF40000-0x000000001BFE1000-memory.dmp

                                                          Filesize

                                                          644KB

                                                        • memory/3356-291-0x000000001BFF0000-0x000000001C199000-memory.dmp

                                                          Filesize

                                                          1.7MB

                                                        • memory/3764-13-0x0000000000880000-0x0000000000990000-memory.dmp

                                                          Filesize

                                                          1.1MB

                                                        • memory/3764-14-0x0000000002BA0000-0x0000000002BB2000-memory.dmp

                                                          Filesize

                                                          72KB

                                                        • memory/3764-15-0x0000000002BB0000-0x0000000002BBC000-memory.dmp

                                                          Filesize

                                                          48KB

                                                        • memory/3764-12-0x00007FFD37AC3000-0x00007FFD37AC5000-memory.dmp

                                                          Filesize

                                                          8KB

                                                        • memory/3764-17-0x0000000002BD0000-0x0000000002BDC000-memory.dmp

                                                          Filesize

                                                          48KB

                                                        • memory/3764-16-0x0000000002BC0000-0x0000000002BCC000-memory.dmp

                                                          Filesize

                                                          48KB

                                                        • memory/4320-300-0x0000000002980000-0x0000000002992000-memory.dmp

                                                          Filesize

                                                          72KB

                                                        • memory/4984-341-0x0000000000F80000-0x0000000000F92000-memory.dmp

                                                          Filesize

                                                          72KB

                                                        • memory/5104-213-0x0000000001460000-0x0000000001472000-memory.dmp

                                                          Filesize

                                                          72KB

                                                        • memory/5104-283-0x000000001C7B0000-0x000000001C959000-memory.dmp

                                                          Filesize

                                                          1.7MB

                                                        • memory/5104-282-0x000000001C700000-0x000000001C7A1000-memory.dmp

                                                          Filesize

                                                          644KB