Analysis

  • max time kernel
    150s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20241007-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    22-12-2024 01:07

General

  • Target

    JaffaCakes118_fdc297fcbcb8ad6651b08f3c1b920f86cd42f5c02d6b13cc5db0449d87fe4cec.exe

  • Size

    1.3MB

  • MD5

    a06e55cfbc590b07f316d25f18d305f5

  • SHA1

    86830bcf1c150c58e43b784fc4f90eed9ffb24d3

  • SHA256

    fdc297fcbcb8ad6651b08f3c1b920f86cd42f5c02d6b13cc5db0449d87fe4cec

  • SHA512

    2f0b90eea05c0d48bcd5f8ce89e9e2b341ce1e7c758a307fc380a9bbdd37d39482ad4b6f7d7b88c549d19474e232bc309ff2f4b07edafac0ed9edd7e12ee392a

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal RAT (DCRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins.

  • DCRat family
  • Process spawned unexpected child process 64 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 2 IoCs

    Detects the DCRat payload, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 28 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, or processes. Every instance in this run is Add-MpPreference -ExclusionPath against one of the paths the sample drops to.

  • Checks computer location settings 2 TTPs 17 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 16 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 14 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 14 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Modifies registry class 15 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 44 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
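The signatures above are the sandbox's labels; the script below is an added triage example, not part of this report and not DCRat code, that applies the same reasoning to raw process command lines. It takes the Add-MpPreference exclusion lines, the w32tm /stripchart call, the cmd.exe /C ...bat launches and the System.exe relaunch from the process tree below as constructed sample input (plus one benign svchost line as a control), and flags Defender exclusions added from PowerShell, Windows system-process names running from or excluded in directories where Windows never installs them, the w32tm localhost delay, and batch files run from %TEMP%. The rule labels, the list of legitimate directories and the control line are assumptions.

```python
"""Triage rules for the DCRat process tree above (added example; not part of the
report and not DCRat code).  Flags Defender exclusions added via PowerShell,
system-process names running from or excluded in non-system directories, the
w32tm localhost delay used by the .bat relaunch loop, and .bat files run from
%TEMP%.  Rule labels, legitimate-directory list and the control line are assumptions."""
import re
from dataclasses import dataclass

# Constructed sample: command lines copied from the process tree, plus one
# benign control line (svchost from System32) that must not fire.
SAMPLE_CMDLINES = r"""
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\NetHood\lsass.exe'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\DiagTrack\Scenarios\csrss.exe'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Music\System.exe'
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TcWzmqm14M.bat"
"C:\Users\Public\Music\System.exe"
"C:\Windows\System32\svchost.exe" -k netsvcs
""".strip().splitlines()

# Windows process names the sample borrows.  Idle and System are kernel
# pseudo-processes with no image on disk, so any *.exe by those names is suspect.
SYSTEM_PROCESS_NAMES = {
    "winlogon.exe", "lsass.exe", "csrss.exe", "services.exe", "wininit.exe",
    "conhost.exe", "fontdrvhost.exe", "runtimebroker.exe", "svchost.exe",
    "startmenuexperiencehost.exe", "textinputhost.exe", "waasmedicagent.exe",
    "explorer.exe", "unsecapp.exe", "idle.exe", "system.exe",
}
# Where genuine copies of those names live (lower-case; explorer.exe is special).
LEGIT_DIR_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                      "c:\\windows\\systemapps\\", "c:\\windows\\winsxs\\")
LEGIT_EXACT = {"c:\\windows\\explorer.exe"}

_EXCLUSION_RE = re.compile(
    r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)\s+"
    r"(?:'([^']*)'|\"([^\"]*)\"|(\S+))", re.IGNORECASE)
_W32TM_DELAY_RE = re.compile(
    r"\bw32tm(?:\.exe)?\b.*/stripchart\b.*/computer:localhost\b", re.IGNORECASE)
_TEMP_BAT_RE = re.compile(r"([A-Za-z]:\\[^\"\s]*\\Temp\\[^\"\s]+\.bat)", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    technique: str  # rule label
    detail: str     # path or argument that triggered the rule
    cmdline: str    # full command line, for the analyst


def image_path(cmdline: str) -> str:
    """Return the executable token of a Windows command line (quoted or bare)."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split(None, 1)[0]


def is_masquerade(path: str) -> bool:
    """True when a system-process file name sits outside its legitimate directories."""
    p = path.lower()
    if p.rsplit("\\", 1)[-1] not in SYSTEM_PROCESS_NAMES:
        return False
    return p not in LEGIT_EXACT and not p.startswith(LEGIT_DIR_PREFIXES)


def triage(cmdline: str) -> list:
    """Apply every rule to one command line; returns an empty list for benign input."""
    findings = []
    m = _EXCLUSION_RE.search(cmdline)
    if m:
        kind = m.group(1).lower()
        value = m.group(2) or m.group(3) or m.group(4)
        findings.append(Finding("defender_exclusion_" + kind, value, cmdline))
        # An exclusion that shields a fake lsass/csrss/... is doubly interesting.
        if kind == "path" and is_masquerade(value):
            findings.append(Finding("masquerade_excluded_path", value, cmdline))
    if _W32TM_DELAY_RE.search(cmdline):
        findings.append(Finding("w32tm_localhost_delay", cmdline.strip(), cmdline))
    img = image_path(cmdline)
    bat = _TEMP_BAT_RE.search(cmdline)
    if bat and img.lower().endswith("cmd.exe"):
        findings.append(Finding("batch_from_temp", bat.group(1), cmdline))
    if is_masquerade(img):
        findings.append(Finding("masquerade_image", img, cmdline))
    return findings


def triage_all(cmdlines) -> dict:
    """Group findings across many command lines: technique -> sorted unique details."""
    grouped = {}
    for line in cmdlines:
        for f in triage(line):
            grouped.setdefault(f.technique, set()).add(f.detail)
    return {k: sorted(v) for k, v in grouped.items()}


if __name__ == "__main__":
    for technique, details in triage_all(SAMPLE_CMDLINES).items():
        print(technique, *details, sep="\n    ")
```

Run it directly to print the grouped findings; in practice the input would be the CommandLine field of Sysmon Event ID 1 or Security 4688 records. The w32tm call is flagged because /stripchart against localhost with /period:5 /samples:2 does nothing useful and simply blocks for about five seconds, a long-known timeout.exe substitute that fits the way each .bat in the tree pauses before relaunching System.exe. The legitimate-directory list is deliberately short; tune it before relying on the masquerade rule outside a triage setting.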

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fdc297fcbcb8ad6651b08f3c1b920f86cd42f5c02d6b13cc5db0449d87fe4cec.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fdc297fcbcb8ad6651b08f3c1b920f86cd42f5c02d6b13cc5db0449d87fe4cec.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1720
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:100
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3148
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3468
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:5008
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\unsecapp.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4860
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\winlogon.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3840
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\tracing\TextInputHost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2236
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\wininit.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1660
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Documents\conhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1052
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Downloads\winlogon.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1512
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3480
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\AppReadiness\RuntimeBroker.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1536
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\RemotePackages\StartMenuExperienceHost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1516
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Logs\HomeGroup\services.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:216
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office 15\ClientX64\services.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2720
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4280
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\NetHood\lsass.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2140
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TcWzmqm14M.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:3176
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:3628
              • C:\providercommon\DllCommonsvc.exe
                "C:\providercommon\DllCommonsvc.exe"
                6⤵
                • Checks computer location settings
                • Executes dropped EXE
                • Drops file in Program Files directory
                • Drops file in Windows directory
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2560
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4088
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\RuntimeBroker.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3860
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\winlogon.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3180
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\tracing\fontdrvhost.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2588
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\wininit.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4196
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Documents\WaaSMedicAgent.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4472
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Downloads\winlogon.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious use of AdjustPrivilegeToken
                  PID:892
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Music\System.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2276
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\WaaSMedicAgent.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2272
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\RedistList\fontdrvhost.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2420
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\DiagTrack\Scenarios\csrss.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4072
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Idle.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4104
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\conhost.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1448
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\appcompat\encapsulation\wininit.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4452
                • C:\Users\Public\Music\System.exe
                  "C:\Users\Public\Music\System.exe"
                  7⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Modifies registry class
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2308
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gJVLZ7RDs3.bat"
                    8⤵
                      PID:3460
                      • C:\Windows\system32\w32tm.exe
                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                        9⤵
                          PID:4548
                        • C:\Users\Public\Music\System.exe
                          "C:\Users\Public\Music\System.exe"
                          9⤵
                          • Checks computer location settings
                          • Executes dropped EXE
                          • Modifies registry class
                          • Suspicious use of AdjustPrivilegeToken
                          PID:676
                          • C:\Windows\System32\cmd.exe
                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\x7ZYnkvAkq.bat"
                            10⤵
                              PID:4160
                              • C:\Windows\system32\w32tm.exe
                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                11⤵
                                  PID:560
                                • C:\Users\Public\Music\System.exe
                                  "C:\Users\Public\Music\System.exe"
                                  11⤵
                                  • Checks computer location settings
                                  • Executes dropped EXE
                                  • Modifies registry class
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:444
                                  • C:\Windows\System32\cmd.exe
                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uruRJY5g5x.bat"
                                    12⤵
                                      PID:1884
                                      • C:\Windows\system32\w32tm.exe
                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                        13⤵
                                          PID:2756
                                        • C:\Users\Public\Music\System.exe
                                          "C:\Users\Public\Music\System.exe"
                                          13⤵
                                          • Checks computer location settings
                                          • Executes dropped EXE
                                          • Modifies registry class
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:892
                                          • C:\Windows\System32\cmd.exe
                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2qVagYZlTM.bat"
                                            14⤵
                                              PID:4028
                                              • C:\Windows\system32\w32tm.exe
                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                15⤵
                                                  PID:1440
                                                • C:\Users\Public\Music\System.exe
                                                  "C:\Users\Public\Music\System.exe"
                                                  15⤵
                                                  • Checks computer location settings
                                                  • Executes dropped EXE
                                                  • Modifies registry class
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:3340
                                                  • C:\Windows\System32\cmd.exe
                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\z3bbUpz34c.bat"
                                                    16⤵
                                                      PID:1504
                                                      • C:\Windows\system32\w32tm.exe
                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                        17⤵
                                                          PID:2036
                                                        • C:\Users\Public\Music\System.exe
                                                          "C:\Users\Public\Music\System.exe"
                                                          17⤵
                                                          • Checks computer location settings
                                                          • Executes dropped EXE
                                                          • Modifies registry class
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:1492
                                                          • C:\Windows\System32\cmd.exe
                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ys6bB5gfdY.bat"
                                                            18⤵
                                                              PID:4528
                                                              • C:\Windows\system32\w32tm.exe
                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                19⤵
                                                                  PID:4732
                                                                • C:\Users\Public\Music\System.exe
                                                                  "C:\Users\Public\Music\System.exe"
                                                                  19⤵
                                                                  • Checks computer location settings
                                                                  • Executes dropped EXE
                                                                  • Modifies registry class
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:1412
                                                                  • C:\Windows\System32\cmd.exe
                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GX2kvMhQbI.bat"
                                                                    20⤵
                                                                      PID:2332
                                                                      • C:\Windows\system32\w32tm.exe
                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                        21⤵
                                                                          PID:1776
                                                                        • C:\Users\Public\Music\System.exe
                                                                          "C:\Users\Public\Music\System.exe"
                                                                          21⤵
                                                                          • Checks computer location settings
                                                                          • Executes dropped EXE
                                                                          • Modifies registry class
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          PID:3576
                                                                          • C:\Windows\System32\cmd.exe
                                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GRgsn2v6O3.bat"
                                                                            22⤵
                                                                              PID:3616
                                                                              • C:\Windows\system32\w32tm.exe
                                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                23⤵
                                                                                  PID:4772
                                                                                • C:\Users\Public\Music\System.exe
                                                                                  "C:\Users\Public\Music\System.exe"
                                                                                  23⤵
                                                                                  • Checks computer location settings
                                                                                  • Executes dropped EXE
                                                                                  • Modifies registry class
                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                  PID:2092
                                                                                  • C:\Windows\System32\cmd.exe
                                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4vfhrz6qhB.bat"
                                                                                    24⤵
                                                                                      PID:1748
                                                                                      • C:\Windows\system32\w32tm.exe
                                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                        25⤵
                                                                                          PID:1440
                                                                                        • C:\Users\Public\Music\System.exe
                                                                                          "C:\Users\Public\Music\System.exe"
                                                                                          25⤵
                                                                                          • Checks computer location settings
                                                                                          • Executes dropped EXE
                                                                                          • Modifies registry class
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:2708
                                                                                          • C:\Windows\System32\cmd.exe
                                                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\u02VouYs0z.bat"
                                                                                            26⤵
                                                                                              PID:2780
                                                                                              • C:\Windows\system32\w32tm.exe
                                                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                27⤵
                                                                                                  PID:4592
                                                                                                • C:\Users\Public\Music\System.exe
                                                                                                  "C:\Users\Public\Music\System.exe"
                                                                                                  27⤵
                                                                                                  • Checks computer location settings
                                                                                                  • Executes dropped EXE
                                                                                                  • Modifies registry class
                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                  PID:3476
                                                                                                  • C:\Windows\System32\cmd.exe
                                                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ys6bB5gfdY.bat"
                                                                                                    28⤵
                                                                                                      PID:2236
                                                                                                      • C:\Windows\system32\w32tm.exe
                                                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                        29⤵
                                                                                                          PID:2088
                                                                                                        • C:\Users\Public\Music\System.exe
                                                                                                          "C:\Users\Public\Music\System.exe"
                                                                                                          29⤵
                                                                                                          • Checks computer location settings
                                                                                                          • Executes dropped EXE
                                                                                                          • Modifies registry class
                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                          PID:4088
                                                                                                          • C:\Windows\System32\cmd.exe
                                                                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nDwMkfOC2e.bat"
                                                                                                            30⤵
                                                                                                              PID:1572
                                                                                                              • C:\Windows\system32\w32tm.exe
                                                                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                                31⤵
                                                                                                                  PID:2664
                                                                                                                • C:\Users\Public\Music\System.exe
                                                                                                                  "C:\Users\Public\Music\System.exe"
                                                                                                                  31⤵
                                                                                                                  • Checks computer location settings
                                                                                                                  • Executes dropped EXE
                                                                                                                  • Modifies registry class
                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                  PID:3300
                                                                                                                  • C:\Windows\System32\cmd.exe
                                                                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2qVagYZlTM.bat"
                                                                                                                    32⤵
                                                                                                                      PID:1968
                                                                                                                      • C:\Windows\system32\w32tm.exe
                                                                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                                        33⤵
                                                                                                                          PID:3180
                                                                                                                        • C:\Users\Public\Music\System.exe
                                                                                                                          "C:\Users\Public\Music\System.exe"
                                                                                                                          33⤵
                                                                                                                          • Executes dropped EXE
                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                          PID:2292
                                                                                                                          • C:\Windows\System32\cmd.exe
                                                                                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jFXOGCU6Cq.bat"
                                                                                                                            34⤵
                                                                                                                              PID:4476
                                                          • C:\Windows\system32\schtasks.exe
                                                            schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\providercommon\unsecapp.exe'" /f
                                                            1⤵
                                                            • Process spawned unexpected child process
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:1896
                                                          • C:\Windows\system32\schtasks.exe
                                                            schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\providercommon\unsecapp.exe'" /rl HIGHEST /f
                                                            1⤵
                                                            • Process spawned unexpected child process
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:4464
                                                          • C:\Windows\system32\schtasks.exe
                                                            schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\providercommon\unsecapp.exe'" /rl HIGHEST /f
                                                            1⤵
                                                            • Process spawned unexpected child process
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:1576
                                                          • C:\Windows\system32\schtasks.exe
                                                            schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\providercommon\winlogon.exe'" /f
                                                            1⤵
                                                            • Process spawned unexpected child process
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:1508
                                                          • C:\Windows\system32\schtasks.exe
                                                            schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
                                                            1⤵
                                                            • Process spawned unexpected child process
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:2744
                                                          • C:\Windows\system32\schtasks.exe
                                                            schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
                                                            1⤵
                                                            • Process spawned unexpected child process
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:3296
                                                          • C:\Windows\system32\schtasks.exe
                                                            schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 9 /tr "'C:\Windows\tracing\TextInputHost.exe'" /f
                                                            1⤵
                                                            • Process spawned unexpected child process
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:2308
                                                          • C:\Windows\system32\schtasks.exe
                                                            schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Windows\tracing\TextInputHost.exe'" /rl HIGHEST /f
                                                            1⤵
                                                            • Process spawned unexpected child process
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:4796
                                                          • C:\Windows\system32\schtasks.exe
                                                            schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Windows\tracing\TextInputHost.exe'" /rl HIGHEST /f
                                                            1⤵
                                                            • Process spawned unexpected child process
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:1436
                                                          • C:\Windows\system32\schtasks.exe
                                                            schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
                                                            1⤵
                                                            • Process spawned unexpected child process
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:2864
                                                          • C:\Windows\system32\schtasks.exe
                                                            schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
                                                            1⤵
                                                            • Process spawned unexpected child process
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:2860
                                                          • C:\Windows\system32\schtasks.exe
                                                            schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
                                                            1⤵
                                                            • Process spawned unexpected child process
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:4504
                                                          • C:\Windows\system32\schtasks.exe
                                                            schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Documents\conhost.exe'" /f
                                                            1⤵
                                                            • Process spawned unexpected child process
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:824
                                                          • C:\Windows\system32\schtasks.exe
                                                            schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\All Users\Documents\conhost.exe'" /rl HIGHEST /f
                                                            1⤵
                                                            • Process spawned unexpected child process
                                                            PID:3972
                                                          • C:\Windows\system32\schtasks.exe
                                                            schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Documents\conhost.exe'" /rl HIGHEST /f
                                                            1⤵
                                                            • Process spawned unexpected child process
                                                            PID:4168
                                                          • C:\Windows\system32\schtasks.exe
                                                            schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Downloads\winlogon.exe'" /f
                                                            1⤵
                                                            • Process spawned unexpected child process
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:3448
                                                          • C:\Windows\system32\schtasks.exe
                                                            schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Public\Downloads\winlogon.exe'" /rl HIGHEST /f
                                                            1⤵
                                                            • Process spawned unexpected child process
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:2952
                                                          • C:\Windows\system32\schtasks.exe
                                                            schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Downloads\winlogon.exe'" /rl HIGHEST /f
                                                            1⤵
                                                            • Process spawned unexpected child process
                                                            PID:2004
                                                          • C:\Windows\system32\schtasks.exe
                                                            schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\providercommon\explorer.exe'" /f
                                                            1⤵
                                                            • Process spawned unexpected child process
                                                            PID:1460
                                                          • C:\Windows\system32\schtasks.exe
                                                            schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
                                                            1⤵
                                                            • Process spawned unexpected child process
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:3220
                                                          • C:\Windows\system32\schtasks.exe
                                                            schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
                                                            1⤵
                                                            • Process spawned unexpected child process
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:3572
                                                          • C:\Windows\system32\schtasks.exe
                                                            schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Windows\AppReadiness\RuntimeBroker.exe'" /f
                                                            1⤵
                                                            • Process spawned unexpected child process
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:4332
                                                          • C:\Windows\system32\schtasks.exe
                                                            schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\AppReadiness\RuntimeBroker.exe'" /rl HIGHEST /f
                                                            1⤵
                                                            • Process spawned unexpected child process
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:3488
                                                          • C:\Windows\system32\schtasks.exe
                                                            schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Windows\AppReadiness\RuntimeBroker.exe'" /rl HIGHEST /f
                                                            1⤵
                                                            • Process spawned unexpected child process
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:4028
                                                          • C:\Windows\system32\schtasks.exe
                                                            schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Windows\RemotePackages\StartMenuExperienceHost.exe'" /f
                                                            1⤵
                                                            • Process spawned unexpected child process
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:3556
                                                          • C:\Windows\system32\schtasks.exe
                                                            schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\RemotePackages\StartMenuExperienceHost.exe'" /rl HIGHEST /f
                                                            1⤵
                                                            • Process spawned unexpected child process
                                                            PID:2588
                                                          • C:\Windows\system32\schtasks.exe
                                                            schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Windows\RemotePackages\StartMenuExperienceHost.exe'" /rl HIGHEST /f
                                                            1⤵
                                                            • Process spawned unexpected child process
                                                            PID:3300
                                                          • C:\Windows\system32\schtasks.exe
                                                            schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Windows\Logs\HomeGroup\services.exe'" /f
                                                            1⤵
                                                            • Process spawned unexpected child process
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:3992
                                                          • C:\Windows\system32\schtasks.exe
                                                            schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Logs\HomeGroup\services.exe'" /rl HIGHEST /f
                                                            1⤵
                                                            • Process spawned unexpected child process
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:3632
                                                          • C:\Windows\system32\schtasks.exe
                                                            schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Windows\Logs\HomeGroup\services.exe'" /rl HIGHEST /f
                                                            1⤵
                                                            • Process spawned unexpected child process
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:2964
                                                          • C:\Windows\system32\schtasks.exe
                                                            schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\services.exe'" /f
                                                            1⤵
                                                            • Process spawned unexpected child process
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:676
                                                          • C:\Windows\system32\schtasks.exe
                                                            schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\services.exe'" /rl HIGHEST /f
                                                            1⤵
                                                            • Process spawned unexpected child process
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:2624
                                                          • C:\Windows\system32\schtasks.exe
                                                            schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\services.exe'" /rl HIGHEST /f
                                                            1⤵
                                                            • Process spawned unexpected child process
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:3732
                                                          • C:\Windows\system32\schtasks.exe
                                                            schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
                                                            1⤵
                                                            • Process spawned unexpected child process
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:1980
                                                          • C:\Windows\system32\schtasks.exe
                                                            schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
                                                            1⤵
                                                            • Process spawned unexpected child process
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:4632
                                                          • C:\Windows\system32\schtasks.exe
                                                            schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
                                                            1⤵
                                                            • Process spawned unexpected child process
                                                            PID:564
                                                          • C:\Windows\system32\schtasks.exe
                                                            schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\NetHood\lsass.exe'" /f
                                                            1⤵
                                                            • Process spawned unexpected child process
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:4928
                                                          • C:\Windows\system32\schtasks.exe
                                                            schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Admin\NetHood\lsass.exe'" /rl HIGHEST /f
                                                            1⤵
                                                            • Process spawned unexpected child process
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:1144
                                                          • C:\Windows\system32\schtasks.exe
                                                            schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\NetHood\lsass.exe'" /rl HIGHEST /f
                                                            1⤵
                                                            • Process spawned unexpected child process
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:2416
                                                          • C:\Windows\system32\schtasks.exe
                                                            schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\providercommon\RuntimeBroker.exe'" /f
                                                            1⤵
                                                            • Process spawned unexpected child process
                                                            PID:3540
                                                          • C:\Windows\system32\schtasks.exe
                                                            schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f
                                                            1⤵
                                                            • Process spawned unexpected child process
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:1720
                                                          • C:\Windows\system32\schtasks.exe
                                                            schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f
                                                            1⤵
                                                            • Process spawned unexpected child process
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:1512
                                                          • C:\Windows\system32\schtasks.exe
                                                            schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\providercommon\winlogon.exe'" /f
                                                            1⤵
                                                            • Process spawned unexpected child process
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:4912
                                                          • C:\Windows\system32\schtasks.exe
                                                            schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
                                                            1⤵
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:4604
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:1696
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Windows\tracing\fontdrvhost.exe'" /f
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:4780
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\tracing\fontdrvhost.exe'" /rl HIGHEST /f
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:1952
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Windows\tracing\fontdrvhost.exe'" /rl HIGHEST /f
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:2780
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:2884
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:3508
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:2948
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Documents\WaaSMedicAgent.exe'" /f
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:3524
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Users\All Users\Documents\WaaSMedicAgent.exe'" /rl HIGHEST /f
  • Process spawned unexpected child process
  PID:3716
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Documents\WaaSMedicAgent.exe'" /rl HIGHEST /f
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:4252
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Downloads\winlogon.exe'" /f
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:3740
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Public\Downloads\winlogon.exe'" /rl HIGHEST /f
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:4332
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Downloads\winlogon.exe'" /rl HIGHEST /f
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:2264
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Music\System.exe'" /f
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:4788
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Public\Music\System.exe'" /rl HIGHEST /f
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:3616
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Music\System.exe'" /rl HIGHEST /f
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:1484
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\WaaSMedicAgent.exe'" /f
  • Process spawned unexpected child process
  PID:4464
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\WaaSMedicAgent.exe'" /rl HIGHEST /f
  • Process spawned unexpected child process
  PID:3296
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\WaaSMedicAgent.exe'" /rl HIGHEST /f
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:2528
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\fontdrvhost.exe'" /f
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:316
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\fontdrvhost.exe'" /rl HIGHEST /f
  • Scheduled Task/Job: Scheduled Task
  PID:4944
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\fontdrvhost.exe'" /rl HIGHEST /f
  • Scheduled Task/Job: Scheduled Task
  PID:4224
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\DiagTrack\Scenarios\csrss.exe'" /f
  • Scheduled Task/Job: Scheduled Task
  PID:1576
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\DiagTrack\Scenarios\csrss.exe'" /rl HIGHEST /f
  • Scheduled Task/Job: Scheduled Task
  PID:1892
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Windows\DiagTrack\Scenarios\csrss.exe'" /rl HIGHEST /f
  • Scheduled Task/Job: Scheduled Task
  PID:2804
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\providercommon\Idle.exe'" /f
  PID:4560
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
  PID:2964
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
  • Scheduled Task/Job: Scheduled Task
  PID:4236
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Users\Default\conhost.exe'" /f
  • Scheduled Task/Job: Scheduled Task
  PID:2152
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default\conhost.exe'" /rl HIGHEST /f
  PID:2140
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Users\Default\conhost.exe'" /rl HIGHEST /f
  • Scheduled Task/Job: Scheduled Task
  PID:2664
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Windows\appcompat\encapsulation\wininit.exe'" /f
  • Scheduled Task/Job: Scheduled Task
  PID:424
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\appcompat\encapsulation\wininit.exe'" /rl HIGHEST /f
  • Scheduled Task/Job: Scheduled Task
  PID:1536
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Windows\appcompat\encapsulation\wininit.exe'" /rl HIGHEST /f
  • Scheduled Task/Job: Scheduled Task
  PID:2092

                                                                Network

                                                                MITRE ATT&CK Enterprise v15

                                                                Downloads

• C:\Recovery\WindowsRE\56085415360792 (Filesize 995B)
• C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\DllCommonsvc.exe.log (Filesize 1KB)
• C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\System.exe.log (Filesize 1KB)
• C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log (Filesize 2KB)
• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (Filesize 944B; listed 11 times in this span, each entry with distinct hashes)

                                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                  Filesize

                                                                  944B

                                                                  MD5

                                                                  be95052f298019b83e11336567f385fc

                                                                  SHA1

                                                                  556e6abda268afaeeec5e1ee65adc01660b70534

                                                                  SHA256

                                                                  ebc004fe961bed86adc4025cdbe3349699a5a1fc328cc3a37f3ff055e7e82027

                                                                  SHA512

                                                                  233df172f37f85d34448901057ff19f20792d6e139579a1235165d5f6056a2075c19c85bc9115a6bb74c9c949aebd7bb5391e2ae9f7b1af69e5c4aca3a48cff5

                                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                  Filesize

                                                                  944B

                                                                  MD5

                                                                  8846686b7f2d146c0baa27459eedbd8d

                                                                  SHA1

                                                                  c953a3d1c7870a9d7ded709301f3ae7f1ea94e61

                                                                  SHA256

                                                                  33e3dc5ccf5c09b1c26c524b284335712ef653a2b2169732d8d890f615026c65

                                                                  SHA512

                                                                  3e72136bff1772ae7934c67ead939b4783ffb9a3657a366881504c7a11e76abe6469b6a4701b031fd564e6d257f7c62f52fb69f93a67459fadf909fefbbe6154

                                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                  Filesize

                                                                  944B

                                                                  MD5

                                                                  c65338524586fc00cf00e679a7d4a1f4

                                                                  SHA1

                                                                  62abf26bfb979dcbf7c7649cf8a681c2a8c7c9ae

                                                                  SHA256

                                                                  faa246e6b356f55ad8b18cea908dbf9035f67feaa06f8259d934306e13e88bf6

                                                                  SHA512

                                                                  c6721362afa4998c60ff60225a7b7571aaf1dbc8cb624ad7557b365a37df26e629763fa052dc31904b3175587e940d7e0630362620870c2c7351960a14c29310

                                                                • C:\Users\Admin\AppData\Local\Temp\2qVagYZlTM.bat

                                                                  Filesize

                                                                  197B

                                                                  MD5

                                                                  f48ac4870e7f20032524918b241567c4

                                                                  SHA1

                                                                  4e28277cf107ae681a1112b171c6b176db7abd2d

                                                                  SHA256

                                                                  0c870557c4bc099e2a6f4a97c040147aafbd1e428615eb4f698e8df0f21d65fd

                                                                  SHA512

                                                                  51ab1e051437282efd254470e0cbb176e1c0a16aeb6d9acda986f6c8aa39f3771b2949a72ca7391907d491e9efc225563fba6edbe0fe6f9c0e10352d66be0047

                                                                • C:\Users\Admin\AppData\Local\Temp\4vfhrz6qhB.bat

                                                                  Filesize

                                                                  197B

                                                                  MD5

                                                                  ba3fb6e8139545a3bc77f8667fcf2022

                                                                  SHA1

                                                                  7c8e21ece612e19fe219c10c8b3d40b54c4ad518

                                                                  SHA256

                                                                  cfc934c08c1a484e7a9f2023bcad002221f5fc7a05698d04c46aeb5d2fb78bca

                                                                  SHA512

                                                                  36bd6530a425058c86f7cba23da63f2327eeb890ce258ce981d0d0887d3122d877efcf536004226f70775d5e442d7a758d67925ac22bb4ee322c27c7c68b8da8

                                                                • C:\Users\Admin\AppData\Local\Temp\GRgsn2v6O3.bat

                                                                  Filesize

                                                                  197B

                                                                  MD5

                                                                  4dc317d2a9aaf509259d9cbf42027091

                                                                  SHA1

                                                                  2b771c217450551cadc3f22452ae1962641d602e

                                                                  SHA256

                                                                  8464cd68b4423214ebdc886f85c38da64c764f2ecd10cfc3e8cbf89394159cef

                                                                  SHA512

                                                                  938417b60de09cc2aa38fed1bf3dced08d516785710ead56c47ce7ccb1db4dce655d68be3dc5eb1aa1e9bb4e73fa439838426837807c6907e15472aee3385016

                                                                • C:\Users\Admin\AppData\Local\Temp\GX2kvMhQbI.bat

                                                                  Filesize

                                                                  197B

                                                                  MD5

                                                                  7c57514d1f534639b7505ad49e4a727c

                                                                  SHA1

                                                                  043dbfbcb74ea866f3a1d1825c10f309c5c7a683

                                                                  SHA256

                                                                  ee94e28202cfa88ba4bcec01f20c9f9a83af3e1bf9795026581ae346ee7975eb

                                                                  SHA512

                                                                  475ac091ac49334915d2f776f377e2842ecc1059787f7bf409d4330991d9c54a332cb915b30b28d80b055fda7d19ef9e1d86d2bb37de24d9d7d2283a3324b54e

                                                                • C:\Users\Admin\AppData\Local\Temp\TcWzmqm14M.bat

                                                                  Filesize

                                                                  199B

                                                                  MD5

                                                                  fb35e8d199d16b168847818ce88f3726

                                                                  SHA1

                                                                  77be941729a83f1f05a36cfe3120a6222113d760

                                                                  SHA256

                                                                  16db9df966383953b4cb2fcb3ba2806bd6d59944da9f0b1dca298515ff6ca699

                                                                  SHA512

                                                                  336c7db512ae0b49c43c379b5b0a0958cf87160e9fe962b06c2e3d9ff4b3a6dc15d028dd3d855af6e3422c84c44df05c44a6f30c0d06e57190542bf51aced698

                                                                • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lrvrjduy.oca.ps1

                                                                  Filesize

                                                                  60B

                                                                  MD5

                                                                  d17fe0a3f47be24a6453e9ef58c94641

                                                                  SHA1

                                                                  6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                  SHA256

                                                                  96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                  SHA512

                                                                  5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                • C:\Users\Admin\AppData\Local\Temp\gJVLZ7RDs3.bat

                                                                  Filesize

                                                                  197B

                                                                  MD5

                                                                  f54e0abb43a9a09539a50181c9c960b8

                                                                  SHA1

                                                                  bb675e37bd1f816effaf23d2742b661b032dcea7

                                                                  SHA256

                                                                  f19ea34f67ea111c4954754f834c7faf7ca575237f56bc77d22976248eaeb871

                                                                  SHA512

                                                                  4c6734341b6cfc9884d1ec780b68929913f1e22b3122d2cba9187ca8b8d0012a3c857285d1e283b0d458e6258087ab76e30101a0ffc6cbe8e5f3c5aa898a5889

                                                                • C:\Users\Admin\AppData\Local\Temp\u02VouYs0z.bat

                                                                  Filesize

                                                                  197B

                                                                  MD5

                                                                  4f57730c6da116d2660027eab4730143

                                                                  SHA1

                                                                  4441774f0eb1cfb4d8e5ce1ddcdfb4b9c2edd6b1

                                                                  SHA256

                                                                  2fe985c8fc1d0db2bb0091ac3f724b1880e3c9ad034a640c626af0f7c0b79b67

                                                                  SHA512

                                                                  7892a934fef7c79d142f576d0672189ada98fcefdc493357aa179b2374b7dda064c8d6834f10d20c31ea1859b95ec8d3ea4066563c9879d75020e1fc34842d77

                                                                • C:\Users\Admin\AppData\Local\Temp\uruRJY5g5x.bat

                                                                  Filesize

                                                                  197B

                                                                  MD5

                                                                  792b8c76f4ac18e8bb0ee6e4c210bfd4

                                                                  SHA1

                                                                  411a3b46a5308aa2693049b64e598be3bd8e01e7

                                                                  SHA256

                                                                  255d36d7ea401989d5910b96cc6aefe716b8f60ae2561a1f8f963f91be319e93

                                                                  SHA512

                                                                  2141f4be5271450f14fb90bfcb277d21c40e8f40f4531b7f030b051a25a99afa23cd33da12a080cfcd66eedef2b6841c80182edf294939f59bf7102e31dc03dc

                                                                • C:\Users\Admin\AppData\Local\Temp\x7ZYnkvAkq.bat

                                                                  Filesize

                                                                  197B

                                                                  MD5

                                                                  335abc1dcc155945c5eba0b6e5dcff9b

                                                                  SHA1

                                                                  90894651f70e446a2e9045bb39868cb1e0b99271

                                                                  SHA256

                                                                  4c275a3bac2239226589f4540adcf95e68e192e9ef5295be5464c1b4ea8af9a9

                                                                  SHA512

                                                                  46a4e9ef69f93b717b3fad0ff2821286f424a2edb0fa6f278d0df3942ecdf7180f37998147fbec4b39de83be2bce5374349538f3eddd0f82c04e5db33196571e

                                                                • C:\Users\Admin\AppData\Local\Temp\ys6bB5gfdY.bat

                                                                  Filesize

                                                                  197B

                                                                  MD5

                                                                  37995098b1d2c605df62754c1cb91d15

                                                                  SHA1

                                                                  aeeeb868e8cddb970b086e0554dd8d5124de971d

                                                                  SHA256

                                                                  f91d2ebc9e05e14ac246e2a0e5ac8887f183a14bb9be0c00568e025b11358bfe

                                                                  SHA512

                                                                  c9d7f1908a72490797a844f7aa039d70192c9047f4c08932f37cb3e98bd7d149487925839ffe029677e9aee7df2e0bbce6ff83148e0d600ca4e8417468a4f70e

                                                                • C:\Users\Admin\AppData\Local\Temp\z3bbUpz34c.bat

                                                                  Filesize

                                                                  197B

                                                                  MD5

                                                                  5d53e9b3f3bf096d92bd228cbe8a9934

                                                                  SHA1

                                                                  d85b83828554b712735c25f50f86d3e49e491076

                                                                  SHA256

                                                                  32f450c9e495efe6af2719e5a33a8ccdca217470860b76c5d1494e0d9905e346

                                                                  SHA512

                                                                  8f8562d4f7f4a4c788d54fbf014b2c2741594fe201e82e7251dad69d049b61310427d3d227ced4b6e2eeb6028ba9b40b794b3882ebbedabf2f406a7cbcc1a769

                                                                • C:\Users\Public\Downloads\cc11b995f2a76d

                                                                  Filesize

                                                                  150B

                                                                  MD5

                                                                  8674b591e8651813dc9291a1f8661786

                                                                  SHA1

                                                                  7623ddcd5098278144847fbaad80ad8d6b1ddec6

                                                                  SHA256

                                                                  7e4c9a18c6d776cec4c115d81098b051d9ef9639f53bf0d895d49fa837131190

                                                                  SHA512

                                                                  7947101ddd80e2bfbb37f80e5be5f87602fe88fd5137415d5dcb690140b5e8d1a4e7f7818f436abba4780ccd9c433362335c3a48c7ad0294393dddc96c58aaf7

                                                                • C:\providercommon\1zu9dW.bat

                                                                  Filesize

                                                                  36B

                                                                  MD5

                                                                  6783c3ee07c7d151ceac57f1f9c8bed7

                                                                  SHA1

                                                                  17468f98f95bf504cc1f83c49e49a78526b3ea03

                                                                  SHA256

                                                                  8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

                                                                  SHA512

                                                                  c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                                                • C:\providercommon\DllCommonsvc.exe

                                                                  Filesize

                                                                  1.0MB

                                                                  MD5

                                                                  bd31e94b4143c4ce49c17d3af46bcad0

                                                                  SHA1

                                                                  f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                                                  SHA256

                                                                  b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                                                  SHA512

                                                                  f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                                                • C:\providercommon\cc11b995f2a76d

                                                                  Filesize

                                                                  879B

                                                                  MD5

                                                                  d75317841fc49775b37e10ba034bf5b2

                                                                  SHA1

                                                                  fd6b826913eb19a1db10baf1f7da3384dde5a6e1

                                                                  SHA256

                                                                  30ca80e8759215a34ff59913926cc8f2a31b3ef602876ab12c52d24806b6d7f0

                                                                  SHA512

                                                                  e8004186e2b193fe4ea19d717eacb09e9686626c789b14743415e76b9d61c8a3f1788bf69a6e4eb2d10608670c528542fecb818ca9d52e151ee2f3f33044d010

                                                                • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                                                  Filesize

                                                                  197B

                                                                  MD5

                                                                  8088241160261560a02c84025d107592

                                                                  SHA1

                                                                  083121f7027557570994c9fc211df61730455bb5

                                                                  SHA256

                                                                  2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

                                                                  SHA512

                                                                  20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478
