Analysis

  • max time kernel
    145s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22-12-2024 05:27

General

  • Target

    JaffaCakes118_363582e9611c4a691fdc70e89a4aebceeaff385df14943e9d0db48d52246d4e0.exe

  • Size

    1.3MB

  • MD5

    526076dcb33946f85100c96c88c43b6e

  • SHA1

    d8a3b7df3426a58a7b1cd37e576af984a1cb9cb2

  • SHA256

    363582e9611c4a691fdc70e89a4aebceeaff385df14943e9d0db48d52246d4e0

  • SHA512

    ce7a3746e88b02481179e0454dc560b2e4a31cd8edc44b99723e7c3a1097488758d98b17152a993d71aba39139b87589ca984637d02ca4f29205c7f0975a1402

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a .NET RAT active since June 2019 that is capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 57 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 14 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 13 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim host in order to infer its geographical location.

  • Modifies registry class 13 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 32 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_363582e9611c4a691fdc70e89a4aebceeaff385df14943e9d0db48d52246d4e0.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_363582e9611c4a691fdc70e89a4aebceeaff385df14943e9d0db48d52246d4e0.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4892
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4040
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4188
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3680
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4816
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Multimedia Platform\SearchApp.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:964
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\OfficeClickToRun.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1608
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\ja-JP\RuntimeBroker.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4784
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Temp\sihost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:948
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\IdentityCRL\INT\taskhostw.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4860
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\appcompat\Programs\TextInputHost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4020
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Migration\StartMenuExperienceHost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2192
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4476
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\Idle.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1896
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\SppExtComObj.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3120
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\Idle.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1428
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Templates\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:5068
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\Idle.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3132
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\RedistList\winlogon.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2612
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sysmon.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            PID:4724
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\unsecapp.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4712
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\sppsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4648
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\upfc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2964
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\OfficeClickToRun.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4652
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QNVscmPWUP.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1312
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:5408
              • C:\providercommon\OfficeClickToRun.exe
                "C:\providercommon\OfficeClickToRun.exe"
                6⤵
                • Checks computer location settings
                • Executes dropped EXE
                • Modifies registry class
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:868
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dekjrv1PTF.bat"
                  7⤵
                  • Suspicious use of WriteProcessMemory
                  PID:5956
                  • C:\Windows\system32\w32tm.exe
                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                    8⤵
                      PID:4008
                    • C:\providercommon\OfficeClickToRun.exe
                      "C:\providercommon\OfficeClickToRun.exe"
                      8⤵
                      • Checks computer location settings
                      • Executes dropped EXE
                      • Modifies registry class
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:4416
                      • C:\Windows\System32\cmd.exe
                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jhJpXqSaXt.bat"
                        9⤵
                        • Suspicious use of WriteProcessMemory
                        PID:6020
                        • C:\Windows\system32\w32tm.exe
                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                          10⤵
                            PID:2964
                          • C:\providercommon\OfficeClickToRun.exe
                            "C:\providercommon\OfficeClickToRun.exe"
                            10⤵
                            • Checks computer location settings
                            • Executes dropped EXE
                            • Modifies registry class
                            • Suspicious use of AdjustPrivilegeToken
                            PID:5696
                            • C:\Windows\System32\cmd.exe
                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3Bw8qtkvcA.bat"
                              11⤵
                                PID:3788
                                • C:\Windows\system32\w32tm.exe
                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                  12⤵
                                    PID:3344
                                  • C:\providercommon\OfficeClickToRun.exe
                                    "C:\providercommon\OfficeClickToRun.exe"
                                    12⤵
                                    • Checks computer location settings
                                    • Executes dropped EXE
                                    • Modifies registry class
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:996
                                    • C:\Windows\System32\cmd.exe
                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5EJ4eIa89C.bat"
                                      13⤵
                                        PID:716
                                        • C:\Windows\system32\w32tm.exe
                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                          14⤵
                                            PID:2296
                                          • C:\providercommon\OfficeClickToRun.exe
                                            "C:\providercommon\OfficeClickToRun.exe"
                                            14⤵
                                            • Checks computer location settings
                                            • Executes dropped EXE
                                            • Modifies registry class
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:3364
                                            • C:\Windows\System32\cmd.exe
                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sWmtPUST1G.bat"
                                              15⤵
                                                PID:2788
                                                • C:\Windows\system32\w32tm.exe
                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                  16⤵
                                                    PID:5884
                                                  • C:\providercommon\OfficeClickToRun.exe
                                                    "C:\providercommon\OfficeClickToRun.exe"
                                                    16⤵
                                                    • Checks computer location settings
                                                    • Executes dropped EXE
                                                    • Modifies registry class
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:5060
                                                    • C:\Windows\System32\cmd.exe
                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1Gu59oh2IN.bat"
                                                      17⤵
                                                        PID:2192
                                                        • C:\Windows\system32\w32tm.exe
                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                          18⤵
                                                            PID:388
                                                          • C:\providercommon\OfficeClickToRun.exe
                                                            "C:\providercommon\OfficeClickToRun.exe"
                                                            18⤵
                                                            • Checks computer location settings
                                                            • Executes dropped EXE
                                                            • Modifies registry class
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:4440
                                                            • C:\Windows\System32\cmd.exe
                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dekjrv1PTF.bat"
                                                              19⤵
                                                                PID:4516
                                                                • C:\Windows\system32\w32tm.exe
                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                  20⤵
                                                                    PID:5280
                                                                  • C:\providercommon\OfficeClickToRun.exe
                                                                    "C:\providercommon\OfficeClickToRun.exe"
                                                                    20⤵
                                                                    • Checks computer location settings
                                                                    • Executes dropped EXE
                                                                    • Modifies registry class
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    PID:680
                                                                    • C:\Windows\System32\cmd.exe
                                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rfuxuqwfwI.bat"
                                                                      21⤵
                                                                        PID:3876
                                                                        • C:\Windows\system32\w32tm.exe
                                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                          22⤵
                                                                            PID:2992
                                                                          • C:\providercommon\OfficeClickToRun.exe
                                                                            "C:\providercommon\OfficeClickToRun.exe"
                                                                            22⤵
                                                                            • Checks computer location settings
                                                                            • Executes dropped EXE
                                                                            • Modifies registry class
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:5192
                                                                            • C:\Windows\System32\cmd.exe
                                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xZLz5Ote6t.bat"
                                                                              23⤵
                                                                                PID:2496
                                                                                • C:\Windows\system32\w32tm.exe
                                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                  24⤵
                                                                                    PID:3284
                                                                                  • C:\providercommon\OfficeClickToRun.exe
                                                                                    "C:\providercommon\OfficeClickToRun.exe"
                                                                                    24⤵
                                                                                    • Checks computer location settings
                                                                                    • Executes dropped EXE
                                                                                    • Modifies registry class
                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                    PID:920
                                                                                    • C:\Windows\System32\cmd.exe
                                                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HD5NsnfB5C.bat"
                                                                                      25⤵
                                                                                        PID:6052
                                                                                        • C:\Windows\system32\w32tm.exe
                                                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                          26⤵
                                                                                            PID:5860
                                                                                          • C:\providercommon\OfficeClickToRun.exe
                                                                                            "C:\providercommon\OfficeClickToRun.exe"
                                                                                            26⤵
                                                                                            • Checks computer location settings
                                                                                            • Executes dropped EXE
                                                                                            • Modifies registry class
                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                            PID:2756
                                                                                            • C:\Windows\System32\cmd.exe
                                                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AQ0EpYUV7r.bat"
                                                                                              27⤵
                                                                                                PID:3316
                                                                                                • C:\Windows\system32\w32tm.exe
                                                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                  28⤵
                                                                                                    PID:5976
                                                                                                  • C:\providercommon\OfficeClickToRun.exe
                                                                                                    "C:\providercommon\OfficeClickToRun.exe"
                                                                                                    28⤵
                                                                                                    • Executes dropped EXE
                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                    PID:5820
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Multimedia Platform\SearchApp.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2140
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\SearchApp.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1072
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Multimedia Platform\SearchApp.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1464
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Sidebar\OfficeClickToRun.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:5048
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\OfficeClickToRun.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2992
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Sidebar\OfficeClickToRun.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:208
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\RuntimeBroker.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:3812
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\RuntimeBroker.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:3332
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\RuntimeBroker.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1312
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Google\Temp\sihost.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1708
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\sihost.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:4336
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\Temp\sihost.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:3700
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Windows\IdentityCRL\INT\taskhostw.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1516
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\IdentityCRL\INT\taskhostw.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:4980
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Windows\IdentityCRL\INT\taskhostw.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:4308
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\Windows\appcompat\Programs\TextInputHost.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:588
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Windows\appcompat\Programs\TextInputHost.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:4516
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 14 /tr "'C:\Windows\appcompat\Programs\TextInputHost.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:848
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Windows\Migration\StartMenuExperienceHost.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1764
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\Migration\StartMenuExperienceHost.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2876
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Windows\Migration\StartMenuExperienceHost.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:4360
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\providercommon\csrss.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:4756
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:5096
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:3128
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\Idle.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:3208
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:4452
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1368
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:3648
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:756
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2948
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:3960
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:4052
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2668
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Templates\csrss.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2980
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Templates\csrss.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:3044
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Templates\csrss.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1060
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1904
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2076
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:5036
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\winlogon.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1868
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\winlogon.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:4752
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\winlogon.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:3336
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1168
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2696
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2064
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1652
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:524
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2680
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\sppsvc.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1980
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\sppsvc.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:3060
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\sppsvc.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:3912
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\upfc.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:4500
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\upfc.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:744
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Program Files\Uninstall Information\upfc.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:4056
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\providercommon\OfficeClickToRun.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1972
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\providercommon\OfficeClickToRun.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:4584
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\providercommon\OfficeClickToRun.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:5040

                                            Network

                                            MITRE ATT&CK Enterprise v15

                                            Downloads

                                            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\OfficeClickToRun.exe.log
                                              Filesize 1KB
                                            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                                              Filesize 2KB
                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                              Filesize 944B
                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                              Filesize 944B
                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                              Filesize 944B
                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                              Filesize 944B
                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                              Filesize 944B
                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                              Filesize 944B
                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                              Filesize 944B
                                            • C:\Users\Admin\AppData\Local\Temp\1Gu59oh2IN.bat
                                              Filesize 203B
                                            • C:\Users\Admin\AppData\Local\Temp\3Bw8qtkvcA.bat
                                              Filesize 203B

                                              SHA256

                                              681a7b3a32815562d2d48caa46eebbab3e23c86822c0303ab74f750df5ace5dd

                                              SHA512

                                              f741e8e97d290f219c46561b1b3a20afcf4bd6da977dc4c4a987277b9f109a187162e84043e0c1b717d71d233f339b51ba37b6d2ed8722c0850fbcae18c86720

                                            • C:\Users\Admin\AppData\Local\Temp\5EJ4eIa89C.bat

                                              Filesize

                                              203B

                                              MD5

                                              0947849312d2acb319d5524dadaa3956

                                              SHA1

                                              d1227c4952010096d79c92973649b7e1833e46b8

                                              SHA256

                                              bab3bdd3fdac2889169fc803c63d1573678367a322f08dbc4332853f43db9c3a

                                              SHA512

                                              77ab4643edea93b43ac55bd331377229db21fdd20bd84f164b26cf8cdfb1908fa6991c2fab5885bc19875882973dc75898c5fe223d591fcf4b422a4379e9be19

                                            • C:\Users\Admin\AppData\Local\Temp\AQ0EpYUV7r.bat

                                              Filesize

                                              203B

                                              MD5

                                              9ac776dd5f8505a11bfebf458de41837

                                              SHA1

                                              e43d7138aec41661f67d612a15567a8540433631

                                              SHA256

                                              e5d9e5733b7dbb148ae4925efca4a2a5ce5de0110735cb906213ae0541173958

                                              SHA512

                                              96824c9c04507c6a9a5eed0f0489da31133d81a4f77d611dc0077ae9a9235c61b904b6d9ee4926b4eff1b4be2ffa9387b283c423750337de19f80c92137553c9

                                            • C:\Users\Admin\AppData\Local\Temp\HD5NsnfB5C.bat

                                              Filesize

                                              203B

                                              MD5

                                              712bacf052e595761d23627d012b64fe

                                              SHA1

                                              1ca75d81f0b72d5970f326cdb76bd78f30ee03e6

                                              SHA256

                                              7396ac18a434fd52960eb1a2755786350225aac18d4977519c8a68046b3a7bb5

                                              SHA512

                                              7f0311493bcb80f909a985e505fea4b435785b2fa36e3179af217f2e6f04714d87d2d8a22181cb6cac4b6e4e79801cebf7272d189e846b1edab93d6f239debdf

                                            • C:\Users\Admin\AppData\Local\Temp\QNVscmPWUP.bat

                                              Filesize

                                              203B

                                              MD5

                                              359b3ba712d5bf84f858deef8c33b041

                                              SHA1

                                              1d9349b2d6ea14b8382aab4fd1769f3696abc2e8

                                              SHA256

                                              a91018285dc6eb719d35eb89ab1b0b2533bce5400332d1f90f1455889f897439

                                              SHA512

                                              cc242cf9de0c8f68051c3c73a3b21990aaaf9924a6c81a4b7b59e7d37a888f477a5da9ad7328782f1729d213318a8c51d65eafa4c806a552bbad718bcc615364

                                            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rqtqzghf.nk4.ps1

                                              Filesize

                                              60B

                                              MD5

                                              d17fe0a3f47be24a6453e9ef58c94641

                                              SHA1

                                              6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                              SHA256

                                              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                              SHA512

                                              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                            • C:\Users\Admin\AppData\Local\Temp\dekjrv1PTF.bat

                                              Filesize

                                              203B

                                              MD5

                                              110842a252ee4e5c8d8e655af4e4b10e

                                              SHA1

                                              757648e30a3466bef9b2d3eb68c8fa688b3f68b4

                                              SHA256

                                              729ed4c69d8b3e0507db7c3bc069e6815d8c2fe57c7ab1e102d6846887763da9

                                              SHA512

                                              a649cd22a9645355f376f97cd88e2f16396c4010d72f202c6e08f6d5377c252ce000f0e82e40c059770bb2ee0a6ba17761be4f9c2c34c895ef5428d3f0405bef

                                            • C:\Users\Admin\AppData\Local\Temp\jhJpXqSaXt.bat

                                              Filesize

                                              203B

                                              MD5

                                              84fee3f8ae1e517f1217c428b9430c55

                                              SHA1

                                              b451c4412db4a3a4db2c7bf23d2f23e10268dc99

                                              SHA256

                                              d770419872212cab7dbed2804a2978a71ed2fb2fee2904f13262baa81bae9208

                                              SHA512

                                              19271e4fce31117a35ffd1035548c4e93431778892397c8f7a57b39a6629a08df03aef3916d8fbee3826705d48275f6d531b65d2ee907ba29d176f6421937305

                                            • C:\Users\Admin\AppData\Local\Temp\rfuxuqwfwI.bat

                                              Filesize

                                              203B

                                              MD5

                                              5248bf75d262285e01b0b0149403a339

                                              SHA1

                                              c8f4b5f1649e77aa1ddc1969caee2962c8403a8b

                                              SHA256

                                              8e9eb94b605afa6fe4d178dcb747c999cdb391086d3481a17cfce05b576ab20d

                                              SHA512

                                              c163da50c1b7cb189f44f7dfae828e96a7e3c37e2726f017de03c205966ffc5a226610cc803e695c792dc3fb70ba54850e9096e6bc8fe69de39d9a621d9c5b92

                                            • C:\Users\Admin\AppData\Local\Temp\sWmtPUST1G.bat

                                              Filesize

                                              203B

                                              MD5

                                              c97744b053e5207fdf0963ae76511a64

                                              SHA1

                                              3c233b1e2ab7d815216cdba1f4ab6adb74817932

                                              SHA256

                                              de3e4b6cac2ff472b3766e22e5b6e14ff74550814b0ec98b408ed9fdd9be8fcc

                                              SHA512

                                              fde401aed1c41ccf638bf7027c142e519e53d9edf138c122c7b40b86e95c68491ec4218b3e0aadc31cfe56b19e57ec427b14aee89d126979068a89c8b479d46a

                                            • C:\Users\Admin\AppData\Local\Temp\xZLz5Ote6t.bat

                                              Filesize

                                              203B

                                              MD5

                                              3fc12345747a1608e8c84d92cbb27714

                                              SHA1

                                              f35166403bbceb69bc166ab1cb98fafe89715d8c

                                              SHA256

                                              6e2b3deeebb25166853e9a95c1d5584e0f468501e00f9672dd9aa84d5c65773f

                                              SHA512

                                              f6ab25426cafcec9f7782682415bbdeb0a013ff19658ae297f8a5440c65a8e6a48028b3221bc31640230c6333d58d66ec0fb53160b9bdcb79a5d25760a9cc538

                                            • C:\providercommon\1zu9dW.bat

                                              Filesize

                                              36B

                                              MD5

                                              6783c3ee07c7d151ceac57f1f9c8bed7

                                              SHA1

                                              17468f98f95bf504cc1f83c49e49a78526b3ea03

                                              SHA256

                                              8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

                                              SHA512

                                              c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                            • C:\providercommon\DllCommonsvc.exe

                                              Filesize

                                              1.0MB

                                              MD5

                                              bd31e94b4143c4ce49c17d3af46bcad0

                                              SHA1

                                              f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                              SHA256

                                              b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                              SHA512

                                              f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                            • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                              Filesize

                                              197B

                                              MD5

                                              8088241160261560a02c84025d107592

                                              SHA1

                                              083121f7027557570994c9fc211df61730455bb5

                                              SHA256

                                              2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

                                              SHA512

                                              20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                            • memory/680-350-0x000000001BCA0000-0x000000001BE49000-memory.dmp

                                              Filesize

                                              1.7MB

                                            • memory/680-345-0x0000000000A40000-0x0000000000A52000-memory.dmp

                                              Filesize

                                              72KB

                                            • memory/868-296-0x0000000000E30000-0x0000000000E42000-memory.dmp

                                              Filesize

                                              72KB

                                            • memory/920-366-0x000000001BE90000-0x000000001C039000-memory.dmp

                                              Filesize

                                              1.7MB

                                            • memory/920-364-0x000000001BE90000-0x000000001C039000-memory.dmp

                                              Filesize

                                              1.7MB

                                            • memory/948-292-0x00000252A1400000-0x00000252A156A000-memory.dmp

                                              Filesize

                                              1.4MB

                                            • memory/964-289-0x000001EC56DF0000-0x000001EC56F5A000-memory.dmp

                                              Filesize

                                              1.4MB

                                            • memory/996-319-0x00000000012D0000-0x00000000012E2000-memory.dmp

                                              Filesize

                                              72KB

                                            • memory/1428-276-0x000002757A180000-0x000002757A2EA000-memory.dmp

                                              Filesize

                                              1.4MB

                                            • memory/1608-245-0x0000028255420000-0x000002825558A000-memory.dmp

                                              Filesize

                                              1.4MB

                                            • memory/1896-290-0x000002A8A5AC0000-0x000002A8A5C2A000-memory.dmp

                                              Filesize

                                              1.4MB

                                            • memory/2192-275-0x0000022F21350000-0x0000022F214BA000-memory.dmp

                                              Filesize

                                              1.4MB

                                            • memory/2612-255-0x000001D16BFA0000-0x000001D16C10A000-memory.dmp

                                              Filesize

                                              1.4MB

                                            • memory/2964-257-0x00000201BE860000-0x00000201BE9CA000-memory.dmp

                                              Filesize

                                              1.4MB

                                            • memory/3120-268-0x000001D1FA7C0000-0x000001D1FA92A000-memory.dmp

                                              Filesize

                                              1.4MB

                                            • memory/3132-272-0x00000253BCD10000-0x00000253BCE7A000-memory.dmp

                                              Filesize

                                              1.4MB

                                            • memory/3680-16-0x00000000010C0000-0x00000000010CC000-memory.dmp

                                              Filesize

                                              48KB

                                            • memory/3680-15-0x00000000010B0000-0x00000000010BC000-memory.dmp

                                              Filesize

                                              48KB

                                            • memory/3680-14-0x0000000001090000-0x00000000010A2000-memory.dmp

                                              Filesize

                                              72KB

                                            • memory/3680-17-0x00000000010D0000-0x00000000010DC000-memory.dmp

                                              Filesize

                                              48KB

                                            • memory/3680-13-0x00007FFECF750000-0x00007FFECFA19000-memory.dmp

                                              Filesize

                                              2.8MB

                                            • memory/3680-70-0x00007FFECF750000-0x00007FFECFA19000-memory.dmp

                                              Filesize

                                              2.8MB

                                            • memory/3680-12-0x0000000000770000-0x0000000000880000-memory.dmp

                                              Filesize

                                              1.1MB

                                            • memory/4020-250-0x000002084F9E0000-0x000002084FB4A000-memory.dmp

                                              Filesize

                                              1.4MB

                                            • memory/4416-305-0x00000000028F0000-0x0000000002902000-memory.dmp

                                              Filesize

                                              72KB

                                            • memory/4440-342-0x000000001C2F0000-0x000000001C499000-memory.dmp

                                              Filesize

                                              1.7MB

                                            • memory/4476-80-0x000001D16F700000-0x000001D16F722000-memory.dmp

                                              Filesize

                                              136KB

                                            • memory/4476-247-0x000001D16FB30000-0x000001D16FC9A000-memory.dmp

                                              Filesize

                                              1.4MB

                                            • memory/4648-269-0x000001BC63870000-0x000001BC639DA000-memory.dmp

                                              Filesize

                                              1.4MB

                                            • memory/4652-267-0x000001DAEE570000-0x000001DAEE6DA000-memory.dmp

                                              Filesize

                                              1.4MB

                                            • memory/4712-237-0x00000146427B0000-0x000001464291A000-memory.dmp

                                              Filesize

                                              1.4MB

                                            • memory/4784-291-0x0000028EC12A0000-0x0000028EC140A000-memory.dmp

                                              Filesize

                                              1.4MB

                                            • memory/4816-246-0x000001C4FB020000-0x000001C4FB18A000-memory.dmp

                                              Filesize

                                              1.4MB

                                            • memory/4860-285-0x0000027EA7730000-0x0000027EA789A000-memory.dmp

                                              Filesize

                                              1.4MB

                                            • memory/5068-286-0x0000016F76CC0000-0x0000016F76E2A000-memory.dmp

                                              Filesize

                                              1.4MB

                                            • memory/5192-353-0x0000000002270000-0x0000000002282000-memory.dmp

                                              Filesize

                                              72KB

                                            • memory/5192-358-0x000000001BD20000-0x000000001BEC9000-memory.dmp

                                              Filesize

                                              1.7MB

                                            • memory/5696-312-0x000000001B870000-0x000000001B882000-memory.dmp

                                              Filesize

                                              72KB