Analysis

  • max time kernel
    148s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/12/2024, 17:22

General

  • Target

    JaffaCakes118_524faec0efb3ab0cfb2d14f91a695710ca21c9c1691a78b63100ca015c8490c1.exe

  • Size

    1.3MB

  • MD5

    16697be95f406116df0fc9b42d05cd5b

  • SHA1

    6003ca0500f546496a78b42e16f1c60cef1ffaa3

  • SHA256

    524faec0efb3ab0cfb2d14f91a695710ca21c9c1691a78b63100ca015c8490c1

  • SHA512

    e7b98c61f15513ffb2034e0a529317c3a2afcd9d0a9aa9d54eb3e4edd0942e4a1101489ff72298ab2c51f04751c26dd16629059d2df52621bfffd34e64693ce8

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 42 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 17 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 16 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 15 IoCs
  • Drops file in Program Files directory 11 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 16 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 31 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_524faec0efb3ab0cfb2d14f91a695710ca21c9c1691a78b63100ca015c8490c1.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_524faec0efb3ab0cfb2d14f91a695710ca21c9c1691a78b63100ca015c8490c1.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4548
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2852
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1964
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2996
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1924
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Security\RuntimeBroker.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4080
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\My Documents\dwm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:464
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\services.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4868
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\wininit.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1452
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Contacts\taskhostw.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4884
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\StartMenuExperienceHost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2272
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\RuntimeBroker.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3612
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sihost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1556
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\explorer.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1912
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\dwm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:384
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\it-IT\Idle.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2616
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Libraries\RuntimeBroker.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4800
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sysmon.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:960
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\TAPI\smss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4720
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CyMeBSpuyx.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2644
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:1116
              • C:\Program Files\Windows Security\RuntimeBroker.exe
                "C:\Program Files\Windows Security\RuntimeBroker.exe"
                6⤵
                • Checks computer location settings
                • Executes dropped EXE
                • Modifies registry class
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2372
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QSfwyRFOJU.bat"
                  7⤵
                  • Suspicious use of WriteProcessMemory
                  PID:264
                  • C:\Windows\system32\w32tm.exe
                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                    8⤵
                      PID:4084
                    • C:\Program Files\Windows Security\RuntimeBroker.exe
                      "C:\Program Files\Windows Security\RuntimeBroker.exe"
                      8⤵
                      • Checks computer location settings
                      • Executes dropped EXE
                      • Modifies registry class
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:1504
                      • C:\Windows\System32\cmd.exe
                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aMI81VmL1g.bat"
                        9⤵
                        • Suspicious use of WriteProcessMemory
                        PID:2376
                        • C:\Windows\system32\w32tm.exe
                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                          10⤵
                            PID:1940
                          • C:\Program Files\Windows Security\RuntimeBroker.exe
                            "C:\Program Files\Windows Security\RuntimeBroker.exe"
                            10⤵
                            • Checks computer location settings
                            • Executes dropped EXE
                            • Modifies registry class
                            • Suspicious use of AdjustPrivilegeToken
                            • Suspicious use of WriteProcessMemory
                            PID:4960
                            • C:\Windows\System32\cmd.exe
                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eTpA0L9dlX.bat"
                              11⤵
                              • Suspicious use of WriteProcessMemory
                              PID:2408
                              • C:\Windows\system32\w32tm.exe
                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                12⤵
                                  PID:2936
                                • C:\Program Files\Windows Security\RuntimeBroker.exe
                                  "C:\Program Files\Windows Security\RuntimeBroker.exe"
                                  12⤵
                                  • Checks computer location settings
                                  • Executes dropped EXE
                                  • Modifies registry class
                                  • Suspicious use of AdjustPrivilegeToken
                                  • Suspicious use of WriteProcessMemory
                                  PID:2040
                                  • C:\Windows\System32\cmd.exe
                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZH81p4FGmr.bat"
                                    13⤵
                                      PID:1188
                                      • C:\Windows\system32\w32tm.exe
                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                        14⤵
                                          PID:232
                                        • C:\Program Files\Windows Security\RuntimeBroker.exe
                                          "C:\Program Files\Windows Security\RuntimeBroker.exe"
                                          14⤵
                                          • Checks computer location settings
                                          • Executes dropped EXE
                                          • Modifies registry class
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:4588
                                          • C:\Windows\System32\cmd.exe
                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8t4fMT0wY0.bat"
                                            15⤵
                                              PID:1688
                                              • C:\Windows\system32\w32tm.exe
                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                16⤵
                                                  PID:3612
                                                • C:\Program Files\Windows Security\RuntimeBroker.exe
                                                  "C:\Program Files\Windows Security\RuntimeBroker.exe"
                                                  16⤵
                                                  • Checks computer location settings
                                                  • Executes dropped EXE
                                                  • Modifies registry class
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:2916
                                                  • C:\Windows\System32\cmd.exe
                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iLsGNVHQP6.bat"
                                                    17⤵
                                                      PID:416
                                                      • C:\Windows\system32\w32tm.exe
                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                        18⤵
                                                          PID:2504
                                                        • C:\Program Files\Windows Security\RuntimeBroker.exe
                                                          "C:\Program Files\Windows Security\RuntimeBroker.exe"
                                                          18⤵
                                                          • Checks computer location settings
                                                          • Executes dropped EXE
                                                          • Modifies registry class
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:3276
                                                          • C:\Windows\System32\cmd.exe
                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OWdtHMBUzi.bat"
                                                            19⤵
                                                              PID:1636
                                                              • C:\Windows\system32\w32tm.exe
                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                20⤵
                                                                  PID:4544
                                                                • C:\Program Files\Windows Security\RuntimeBroker.exe
                                                                  "C:\Program Files\Windows Security\RuntimeBroker.exe"
                                                                  20⤵
                                                                  • Checks computer location settings
                                                                  • Executes dropped EXE
                                                                  • Modifies registry class
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:2804
                                                                  • C:\Windows\System32\cmd.exe
                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aMI81VmL1g.bat"
                                                                    21⤵
                                                                      PID:100
                                                                      • C:\Windows\system32\w32tm.exe
                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                        22⤵
                                                                          PID:1460
                                                                        • C:\Program Files\Windows Security\RuntimeBroker.exe
                                                                          "C:\Program Files\Windows Security\RuntimeBroker.exe"
                                                                          22⤵
                                                                          • Checks computer location settings
                                                                          • Executes dropped EXE
                                                                          • Modifies registry class
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          PID:3476
                                                                          • C:\Windows\System32\cmd.exe
                                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aMI81VmL1g.bat"
                                                                            23⤵
                                                                              PID:3336
                                                                              • C:\Windows\system32\w32tm.exe
                                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                24⤵
                                                                                  PID:4056
                                                                                • C:\Program Files\Windows Security\RuntimeBroker.exe
                                                                                  "C:\Program Files\Windows Security\RuntimeBroker.exe"
                                                                                  24⤵
                                                                                  • Checks computer location settings
                                                                                  • Executes dropped EXE
                                                                                  • Modifies registry class
                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                  PID:1100
                                                                                  • C:\Windows\System32\cmd.exe
                                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ap6i2Y3psm.bat"
                                                                                    25⤵
                                                                                      PID:4468
                                                                                      • C:\Windows\system32\w32tm.exe
                                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                        26⤵
                                                                                          PID:472
                                                                                        • C:\Program Files\Windows Security\RuntimeBroker.exe
                                                                                          "C:\Program Files\Windows Security\RuntimeBroker.exe"
                                                                                          26⤵
                                                                                          • Checks computer location settings
                                                                                          • Executes dropped EXE
                                                                                          • Modifies registry class
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:2256
                                                                                          • C:\Windows\System32\cmd.exe
                                                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\o4pIGJu18c.bat"
                                                                                            27⤵
                                                                                              PID:2200
                                                                                              • C:\Windows\system32\w32tm.exe
                                                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                28⤵
                                                                                                  PID:2240
                                                                                                • C:\Program Files\Windows Security\RuntimeBroker.exe
                                                                                                  "C:\Program Files\Windows Security\RuntimeBroker.exe"
                                                                                                  28⤵
                                                                                                  • Checks computer location settings
                                                                                                  • Executes dropped EXE
                                                                                                  • Modifies registry class
                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                  PID:3464
                                                                                                  • C:\Windows\System32\cmd.exe
                                                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TZCyxGcg3L.bat"
                                                                                                    29⤵
                                                                                                      PID:720
                                                                                                      • C:\Windows\system32\w32tm.exe
                                                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                        30⤵
                                                                                                          PID:4420
                                                                                                        • C:\Program Files\Windows Security\RuntimeBroker.exe
                                                                                                          "C:\Program Files\Windows Security\RuntimeBroker.exe"
                                                                                                          30⤵
                                                                                                          • Checks computer location settings
                                                                                                          • Executes dropped EXE
                                                                                                          • Modifies registry class
                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                          PID:4780
                                                                                                          • C:\Windows\System32\cmd.exe
                                                                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\o4pIGJu18c.bat"
                                                                                                            31⤵
                                                                                                              PID:808
                                                                                                              • C:\Windows\system32\w32tm.exe
                                                                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                                32⤵
                                                                                                                  PID:4952
                                                                                                                • C:\Program Files\Windows Security\RuntimeBroker.exe
                                                                                                                  "C:\Program Files\Windows Security\RuntimeBroker.exe"
                                                                                                                  32⤵
                                                                                                                  • Checks computer location settings
                                                                                                                  • Executes dropped EXE
                                                                                                                  • Modifies registry class
                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                  PID:3408
                                                                                                                  • C:\Windows\System32\cmd.exe
                                                                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZH81p4FGmr.bat"
                                                                                                                    33⤵
                                                                                                                      PID:1188
                                                                                                                      • C:\Windows\system32\w32tm.exe
                                                                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                                        34⤵
                                                                                                                          PID:2460
                                                                                                                        • C:\Program Files\Windows Security\RuntimeBroker.exe
                                                                                                                          "C:\Program Files\Windows Security\RuntimeBroker.exe"
                                                                                                                          34⤵
                                                                                                                          • Executes dropped EXE
                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                          PID:3476
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Security\RuntimeBroker.exe'" /f
                                                        1⤵
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:2644
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Security\RuntimeBroker.exe'" /rl HIGHEST /f
                                                        1⤵
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:3120
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Security\RuntimeBroker.exe'" /rl HIGHEST /f
                                                        1⤵
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:2112
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\My Documents\dwm.exe'" /f
                                                        1⤵
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:3940
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Admin\My Documents\dwm.exe'" /rl HIGHEST /f
                                                        1⤵
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:4764
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\My Documents\dwm.exe'" /rl HIGHEST /f
                                                        1⤵
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:4364
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
                                                        1⤵
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:3860
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
                                                        1⤵
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:4844
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
                                                        1⤵
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:4508
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Internet Explorer\wininit.exe'" /f
                                                        1⤵
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:4516
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\wininit.exe'" /rl HIGHEST /f
                                                        1⤵
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:1580
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Internet Explorer\wininit.exe'" /rl HIGHEST /f
                                                        1⤵
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:4584
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Contacts\taskhostw.exe'" /f
                                                        1⤵
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:3900
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Admin\Contacts\taskhostw.exe'" /rl HIGHEST /f
                                                        1⤵
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:4972
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Contacts\taskhostw.exe'" /rl HIGHEST /f
                                                        1⤵
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:2284
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\StartMenuExperienceHost.exe'" /f
                                                        1⤵
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:4900
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\StartMenuExperienceHost.exe'" /rl HIGHEST /f
                                                        1⤵
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:5048
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\StartMenuExperienceHost.exe'" /rl HIGHEST /f
                                                        1⤵
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:1848
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\providercommon\RuntimeBroker.exe'" /f
                                                        1⤵
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:980
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f
                                                        1⤵
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:1640
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f
                                                        1⤵
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:3976
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
                                                        1⤵
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:2068
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
                                                        1⤵
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:4272
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
                                                        1⤵
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:5044
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\explorer.exe'" /f
                                                        1⤵
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:3240
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\explorer.exe'" /rl HIGHEST /f
                                                        1⤵
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:3112
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\explorer.exe'" /rl HIGHEST /f
                                                        1⤵
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:3884
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\dwm.exe'" /f
                                                        1⤵
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:2424
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\dwm.exe'" /rl HIGHEST /f
                                                        1⤵
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:2800
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\dwm.exe'" /rl HIGHEST /f
                                                        1⤵
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:8
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\Idle.exe'" /f
                                                        1⤵
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:216
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\it-IT\Idle.exe'" /rl HIGHEST /f
                                                        1⤵
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:1724
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\Idle.exe'" /rl HIGHEST /f
                                                        1⤵
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:2700
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Libraries\RuntimeBroker.exe'" /f
                                                        1⤵
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:3944
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Public\Libraries\RuntimeBroker.exe'" /rl HIGHEST /f
                                                        1⤵
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:648
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Libraries\RuntimeBroker.exe'" /rl HIGHEST /f
                                                        1⤵
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:1816
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f
                                                        1⤵
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:4340
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
                                                        1⤵
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:3544
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
                                                        1⤵
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:3196
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Windows\TAPI\smss.exe'" /f
                                                        1⤵
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:4984
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\TAPI\smss.exe'" /rl HIGHEST /f
                                                        1⤵
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:520
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Windows\TAPI\smss.exe'" /rl HIGHEST /f
                                                        1⤵
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:2508

                                                      Network

                                                            MITRE ATT&CK Enterprise v15

                                                            Replay Monitor

                                                            Loading Replay Monitor...

                                                            Downloads

                                                            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log

                                                              Filesize

                                                              1KB

                                                              MD5

                                                              baf55b95da4a601229647f25dad12878

                                                              SHA1

                                                              abc16954ebfd213733c4493fc1910164d825cac8

                                                              SHA256

                                                              ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

                                                              SHA512

                                                              24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

                                                            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                                                              Filesize

                                                              2KB

                                                              MD5

                                                              d85ba6ff808d9e5444a4b369f5bc2730

                                                              SHA1

                                                              31aa9d96590fff6981b315e0b391b575e4c0804a

                                                              SHA256

                                                              84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                                                              SHA512

                                                              8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                              Filesize

                                                              944B

                                                              MD5

                                                              77d622bb1a5b250869a3238b9bc1402b

                                                              SHA1

                                                              d47f4003c2554b9dfc4c16f22460b331886b191b

                                                              SHA256

                                                              f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

                                                              SHA512

                                                              d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

                                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                              Filesize

                                                              944B

                                                              MD5

                                                              6d3e9c29fe44e90aae6ed30ccf799ca8

                                                              SHA1

                                                              c7974ef72264bbdf13a2793ccf1aed11bc565dce

                                                              SHA256

                                                              2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

                                                              SHA512

                                                              60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

                                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                              Filesize

                                                              944B

                                                              MD5

                                                              62623d22bd9e037191765d5083ce16a3

                                                              SHA1

                                                              4a07da6872672f715a4780513d95ed8ddeefd259

                                                              SHA256

                                                              95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

                                                              SHA512

                                                              9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

                                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                              Filesize

                                                              944B

                                                              MD5

                                                              59d97011e091004eaffb9816aa0b9abd

                                                              SHA1

                                                              1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

                                                              SHA256

                                                              18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

                                                              SHA512

                                                              d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

                                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                              Filesize

                                                              944B

                                                              MD5

                                                              d28a889fd956d5cb3accfbaf1143eb6f

                                                              SHA1

                                                              157ba54b365341f8ff06707d996b3635da8446f7

                                                              SHA256

                                                              21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

                                                              SHA512

                                                              0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

                                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                              Filesize

                                                              944B

                                                              MD5

                                                              3a6bad9528f8e23fb5c77fbd81fa28e8

                                                              SHA1

                                                              f127317c3bc6407f536c0f0600dcbcf1aabfba36

                                                              SHA256

                                                              986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

                                                              SHA512

                                                              846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

                                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                              Filesize

                                                              944B

                                                              MD5

                                                              ecceac16628651c18879d836acfcb062

                                                              SHA1

                                                              420502b3e5220a01586c59504e94aa1ee11982c9

                                                              SHA256

                                                              58238de09a8817ed9f894ed8e5bf06a897fd08e0b0bd77e508d37b2598edd2a9

                                                              SHA512

                                                              be3c7cb529cafb00f58790a6f8b35c4ff6db9f7f43a507d2218fd80cebc88413e46f71b1bc35b8afcc36b68f9409c946470d1e74a4fe225400eeb6f3f898f5b3

                                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                              Filesize

                                                              944B

                                                              MD5

                                                              e8ce785f8ccc6d202d56fefc59764945

                                                              SHA1

                                                              ca032c62ddc5e0f26d84eff9895eb87f14e15960

                                                              SHA256

                                                              d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

                                                              SHA512

                                                              66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

                                                            • C:\Users\Admin\AppData\Local\Temp\8t4fMT0wY0.bat

                                                              Filesize

                                                              216B

                                                              MD5

                                                              2c9efeee558c51bce5d87decda04324e

                                                              SHA1

                                                              1d77c037e600c1b9ce25d0ca5ab7d4d4e1ae79ea

                                                              SHA256

                                                              060e7d10c960d12910d463cce05f15807024a6c0299638dfee46e4d893172b47

                                                              SHA512

                                                              37acb210347d16a77875feaa59d956321c1bfde9d0b3365955b144370836a77265614dee58031e9b94e1c1adbd984db0e0e684c0f0346087212e05159c0a2525

                                                            • C:\Users\Admin\AppData\Local\Temp\Ap6i2Y3psm.bat

                                                              Filesize

                                                              216B

                                                              MD5

                                                              53a9c0aab40aa92607fac5c93bd02d61

                                                              SHA1

                                                              448fe775e77253cc57d97d0dde469d1b6b3fbaad

                                                              SHA256

                                                              fffa4f3776b56155d1c633d5eb346bd0350982feabe3b67126738952849bdc4b

                                                              SHA512

                                                              1c4ee6fae72a3470054de0480fe3e0c819ca3b2c12aa93f3c574c11fe527c6679422b86b375411efcae64bd964dfe960ee552d07d21676c1fea5c95afeae0de6

                                                            • C:\Users\Admin\AppData\Local\Temp\CyMeBSpuyx.bat

                                                              Filesize

                                                              216B

                                                              MD5

                                                              ab1a5a7e38bf3017c0ed7986ba730a20

                                                              SHA1

                                                              46eee55684250cbda428ab760e5c5872b104223f

                                                              SHA256

                                                              b93bb0434118add04a04a9a5dbb6fe03ea1bfb8a4f96ff2f727ef57f4c0b1913

                                                              SHA512

                                                              b048280a9f28c2feb9e977d3ecd192d624d6dc27951bde137e14a15d6c2be6bcbdcead50d70cf9576ce6ada4a83f8e717ac6d39e641fed749d10c98c4ec9e00f

                                                            • C:\Users\Admin\AppData\Local\Temp\OWdtHMBUzi.bat

                                                              Filesize

                                                              216B

                                                              MD5

                                                              b1497b3b29b26881b5b5637b551d9e9a

                                                              SHA1

                                                              b86d448880d198b4ca83831314737efa282152b0

                                                              SHA256

                                                              20e775d79fd7fa7cdb86cd593f541cbe9af2a4143dd28c5c8c67683d1ade773c

                                                              SHA512

                                                              c633e4025ebb74e7244ddeb4f28a5364a62a626271ad4b5286a10266e60929eab3760650243bb0096134f3eb64cbabb45234dc7386704b974ed5fb64b01534e9

                                                            • C:\Users\Admin\AppData\Local\Temp\QSfwyRFOJU.bat

                                                              Filesize

                                                              216B

                                                              MD5

                                                              910d24fe1fd783b684a7239592bfa3f6

                                                              SHA1

                                                              d6683556aadf7a4f9621037e8f1ea904da42fbd9

                                                              SHA256

                                                              39a4782baf389b9d4c97dd3215a7fa1b3c0133b24c1d7b7f7ee8d96790d70441

                                                              SHA512

                                                              4cbd480995e673f99343ba8d7dc3b1348f154df5aaec871d6e18c5d82c8f98f2a48a44d91c8b7ba25fa26521cff099702cef268fa1fe3acde21663ad6aa0099e

                                                            • C:\Users\Admin\AppData\Local\Temp\TZCyxGcg3L.bat

                                                              Filesize

                                                              216B

                                                              MD5

                                                              6058bc013fd5d57e733c5dbdb6eef8b5

                                                              SHA1

                                                              5eb80ddb144849c68ff0392712632b7eda6b6d44

                                                              SHA256

                                                              ab0e9eae7d1f931ca138b4032412ce1dfda1889b61721a81bb96513866dc19db

                                                              SHA512

                                                              a0f585a77014516da141b28c0a5510d5477c747248c5fcf5a07e3c3d45e7cc1f9a6d695b5a76e611691cc1f5ad422849fee657e076655c7f540f442a756cadd3

                                                            • C:\Users\Admin\AppData\Local\Temp\ZH81p4FGmr.bat

                                                              Filesize

                                                              216B

                                                              MD5

                                                              3a513642e4c880c1bb76a2233c98af7f

                                                              SHA1

                                                              c3da440277248b4c1bfd6e70938f2cca6376ea1f

                                                              SHA256

                                                              d47a12eb2b83a4dc922f6a8ba33504a0e53a9ff44ec5bed8acb2ccd5e2606e56

                                                              SHA512

                                                              4606963a13a3d6f8d40b83b02cb4df89e8dd18a9576f1338146f1cdc6ec7cc1eff96737b1300ba5457a3d8861fa21191b69b7ab6c1f959f0627b01d7bf8ad486

                                                            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qawbw5ae.1qx.ps1

                                                              Filesize

                                                              60B

                                                              MD5

                                                              d17fe0a3f47be24a6453e9ef58c94641

                                                              SHA1

                                                              6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                              SHA256

                                                              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                              SHA512

                                                              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                            • C:\Users\Admin\AppData\Local\Temp\aMI81VmL1g.bat

                                                              Filesize

                                                              216B

                                                              MD5

                                                              81093566486269743e257346138c1462

                                                              SHA1

                                                              484788b327fdc5c25ab5b4be620b3d1088243b68

                                                              SHA256

                                                              9fcbd642dfc71ac0f327ac216af76f553ded2d85552a43e5ebc6bc920c2748a0

                                                              SHA512

                                                              544f19d62a26bb24bfabaa02d72752d85c5bbfdc9f99eb34eec58ece739c94c9017aa296237fc46b790718bb16bc49f69a2b27063a334b157ab87bd3560304ed

                                                            • C:\Users\Admin\AppData\Local\Temp\eTpA0L9dlX.bat

                                                              Filesize

                                                              216B

                                                              MD5

                                                              910cd0b691749f3f5455be88dd46c76f

                                                              SHA1

                                                              09cd1ed7708f2a0ef8759d53f77cfc8fd590deaa

                                                              SHA256

                                                              f4c57cbf9cbdfbd8b63ad752ce6f38c21304e244609a0dbce33601ce4f5da7b3

                                                              SHA512

                                                              88bf1b41044d34257a847b077f6edfb4142c3e5b6309aed5634e74c587da9db9b5bfc2ca693784df604b4c0a0879677d1dd3277bb17429e8f369fa2cada1c91e

                                                            • C:\Users\Admin\AppData\Local\Temp\iLsGNVHQP6.bat

                                                              Filesize

                                                              216B

                                                              MD5

                                                              e44137a05b1536bb0766b7e43099719c

                                                              SHA1

                                                              ddeb7232a1773ddab81a0fab4ccd1c33fce1575b

                                                              SHA256

                                                              0ca736f6f44efa8b05a2c38e1e2f0d7038fc594eea026dce293c14db896fabd1

                                                              SHA512

                                                              6b6e576fee7b5ead98c9d36641939a2cd43425afb869d5c1594e308e40627b47efe9c80a72d3fe59a6120fc0085c7c14a203f1b1c768dd2cf7dcfbbc4ce3c5ab

                                                            • C:\Users\Admin\AppData\Local\Temp\o4pIGJu18c.bat

                                                              Filesize

                                                              216B

                                                              MD5

                                                              ce6d360e985fa81cc7c822973c7c7c9e

                                                              SHA1

                                                              0de4b5d4362adfd13d3cc744f9951bbae7ff6dca

                                                              SHA256

                                                              fdaa37a0ae3b7119dc3868a9679900534b930fec38a4ccc4db60d170e2713d0b

                                                              SHA512

                                                              e667d13fb9d00bd168841608a05403b41575065d2fe1f89b6c53ac42b68e2097f4a34ffb9bd6b2b09f223b6c43d8068a77f84b1d45450f1bd941642a14a760e4

                                                            • C:\providercommon\1zu9dW.bat

                                                              Filesize

                                                              36B

                                                              MD5

                                                              6783c3ee07c7d151ceac57f1f9c8bed7

                                                              SHA1

                                                              17468f98f95bf504cc1f83c49e49a78526b3ea03

                                                              SHA256

                                                              8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

                                                              SHA512

                                                              c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                                            • C:\providercommon\DllCommonsvc.exe

                                                              Filesize

                                                              1.0MB

                                                              MD5

                                                              bd31e94b4143c4ce49c17d3af46bcad0

                                                              SHA1

                                                              f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                                              SHA256

                                                              b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                                              SHA512

                                                              f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                                            • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                                              Filesize

                                                              197B

                                                              MD5

                                                              8088241160261560a02c84025d107592

                                                              SHA1

                                                              083121f7027557570994c9fc211df61730455bb5

                                                              SHA256

                                                              2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

                                                              SHA512

                                                              20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                                            • memory/1504-232-0x000000001AFF0000-0x000000001B002000-memory.dmp

                                                              Filesize

                                                              72KB

                                                            • memory/1912-78-0x00000232C8C50000-0x00000232C8C72000-memory.dmp

                                                              Filesize

                                                              136KB

                                                            • memory/2372-222-0x00000000017F0000-0x0000000001802000-memory.dmp

                                                              Filesize

                                                              72KB

                                                            • memory/2372-228-0x000000001D700000-0x000000001D802000-memory.dmp

                                                              Filesize

                                                              1.0MB

                                                            • memory/2996-16-0x00000000015C0000-0x00000000015CC000-memory.dmp

                                                              Filesize

                                                              48KB

                                                            • memory/2996-13-0x0000000000CC0000-0x0000000000DD0000-memory.dmp

                                                              Filesize

                                                              1.1MB

                                                            • memory/2996-12-0x00007FFF8A7A3000-0x00007FFF8A7A5000-memory.dmp

                                                              Filesize

                                                              8KB

                                                            • memory/2996-14-0x0000000001590000-0x00000000015A2000-memory.dmp

                                                              Filesize

                                                              72KB

                                                            • memory/2996-15-0x00000000015A0000-0x00000000015AC000-memory.dmp

                                                              Filesize

                                                              48KB

                                                            • memory/2996-17-0x0000000002F10000-0x0000000002F1C000-memory.dmp

                                                              Filesize

                                                              48KB

                                                            • memory/3464-294-0x000000001ADF0000-0x000000001AE02000-memory.dmp

                                                              Filesize

                                                              72KB

                                                            • memory/3476-275-0x000000001ADF0000-0x000000001AE02000-memory.dmp

                                                              Filesize

                                                              72KB

                                                            • memory/3476-313-0x000000001ADF0000-0x000000001AE02000-memory.dmp

                                                              Filesize

                                                              72KB