Analysis

  • max time kernel
    149s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-05-2024 18:49

General

  • Target

    00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe

  • Size

    3.2MB

  • MD5

    00195dc23ea8cc5cb728c411f684ff40

  • SHA1

    604a8ca144781805d4ea73de01caee8ba98c176d

  • SHA256

    5d911e8e304885f5489587b85e5a43101d5a1078cbcb27727bdd16b78dd45df1

  • SHA512

    218d3eb66ed906759a695160e8984e95e75aa2c7c4e5558d5941c16658f3e1df718213e307a9f8d3823fd4eaa8713e8cfda95f5de70b9d29cd29ad2ca73c3ddd

  • SSDEEP

    98304:2smfE8eD0M782w1JSdvi199xP9/ecsFjPSz:2QNBY2S99xl

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

  • Process spawned unexpected child process 45 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 45 IoCs
  • DCRat payload 7 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 15 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 14 IoCs
  • Checks whether UAC is enabled 1 TTPs 30 IoCs
  • Drops file in Program Files directory 31 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 45 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 26 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 45 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe"
    1⤵
    • UAC bypass
    • Checks computer location settings
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:64
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:4676
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:1064
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:220
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1524
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:5096
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:312
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:1972
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4836
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4472
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:4512
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:4980
    • C:\Windows\Installer\backgroundTaskHost.exe
      "C:\Windows\Installer\backgroundTaskHost.exe"
      2⤵
      • UAC bypass
      • Checks computer location settings
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:5152
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dd466347-92fe-4b91-923b-4398af225e25.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:5556
        • C:\Windows\Installer\backgroundTaskHost.exe
          C:\Windows\Installer\backgroundTaskHost.exe
          4⤵
          • UAC bypass
          • Checks computer location settings
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:5732
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e60444e0-ec8a-4512-a96a-9e8c27278085.vbs"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:5900
            • C:\Windows\Installer\backgroundTaskHost.exe
              C:\Windows\Installer\backgroundTaskHost.exe
              6⤵
              • UAC bypass
              • Checks computer location settings
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Modifies registry class
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:3944
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1a71532b-f9ce-4534-8df9-4b221000b439.vbs"
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:3820
                • C:\Windows\Installer\backgroundTaskHost.exe
                  C:\Windows\Installer\backgroundTaskHost.exe
                  8⤵
                  • UAC bypass
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Checks whether UAC is enabled
                  • Modifies registry class
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  • System policy modification
                  PID:3828
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ea6cf745-b8c8-4d51-a3e3-9214842eddd2.vbs"
                    9⤵
                    • Suspicious use of WriteProcessMemory
                    PID:1760
                    • C:\Windows\Installer\backgroundTaskHost.exe
                      C:\Windows\Installer\backgroundTaskHost.exe
                      10⤵
                      • UAC bypass
                      • Checks computer location settings
                      • Executes dropped EXE
                      • Checks whether UAC is enabled
                      • Modifies registry class
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      • System policy modification
                      PID:5192
                      • C:\Windows\System32\WScript.exe
                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7f6e3723-c975-4187-af4e-1a03587fbbac.vbs"
                        11⤵
                        • Suspicious use of WriteProcessMemory
                        PID:1692
                        • C:\Windows\Installer\backgroundTaskHost.exe
                          C:\Windows\Installer\backgroundTaskHost.exe
                          12⤵
                          • UAC bypass
                          • Checks computer location settings
                          • Executes dropped EXE
                          • Checks whether UAC is enabled
                          • Modifies registry class
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of WriteProcessMemory
                          • System policy modification
                          PID:2556
                          • C:\Windows\System32\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\789b5567-4d03-457b-b34a-a8a336cdac71.vbs"
                            13⤵
                            • Suspicious use of WriteProcessMemory
                            PID:2400
                            • C:\Windows\Installer\backgroundTaskHost.exe
                              C:\Windows\Installer\backgroundTaskHost.exe
                              14⤵
                              • UAC bypass
                              • Checks computer location settings
                              • Executes dropped EXE
                              • Checks whether UAC is enabled
                              • Modifies registry class
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of WriteProcessMemory
                              • System policy modification
                              PID:5180
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\84102f20-aa3c-41a3-b2ce-dc2a6492decb.vbs"
                                15⤵
                                  PID:5580
                                  • C:\Windows\Installer\backgroundTaskHost.exe
                                    C:\Windows\Installer\backgroundTaskHost.exe
                                    16⤵
                                    • UAC bypass
                                    • Checks computer location settings
                                    • Executes dropped EXE
                                    • Checks whether UAC is enabled
                                    • Modifies registry class
                                    • Suspicious use of AdjustPrivilegeToken
                                    • System policy modification
                                    PID:5924
                                    • C:\Windows\System32\WScript.exe
                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7b892d72-d363-434a-96a9-40e0fdcb016d.vbs"
                                      17⤵
                                        PID:3960
                                        • C:\Windows\Installer\backgroundTaskHost.exe
                                          C:\Windows\Installer\backgroundTaskHost.exe
                                          18⤵
                                          • UAC bypass
                                          • Checks computer location settings
                                          • Executes dropped EXE
                                          • Checks whether UAC is enabled
                                          • Modifies registry class
                                          • Suspicious use of AdjustPrivilegeToken
                                          • System policy modification
                                          PID:5788
                                          • C:\Windows\System32\WScript.exe
                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6c51f102-bb6e-4a60-83e7-282963469afb.vbs"
                                            19⤵
                                              PID:4584
                                              • C:\Windows\Installer\backgroundTaskHost.exe
                                                C:\Windows\Installer\backgroundTaskHost.exe
                                                20⤵
                                                • UAC bypass
                                                • Checks computer location settings
                                                • Executes dropped EXE
                                                • Checks whether UAC is enabled
                                                • Modifies registry class
                                                • Suspicious use of AdjustPrivilegeToken
                                                • System policy modification
                                                PID:4836
                                                • C:\Windows\System32\WScript.exe
                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8e9d9a49-1964-40e0-a87c-956dab7af13d.vbs"
                                                  21⤵
                                                    PID:452
                                                    • C:\Windows\Installer\backgroundTaskHost.exe
                                                      C:\Windows\Installer\backgroundTaskHost.exe
                                                      22⤵
                                                      • UAC bypass
                                                      • Checks computer location settings
                                                      • Executes dropped EXE
                                                      • Checks whether UAC is enabled
                                                      • Modifies registry class
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      • System policy modification
                                                      PID:3260
                                                      • C:\Windows\System32\WScript.exe
                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e509c3c8-ea34-49f8-810e-9046cb579038.vbs"
                                                        23⤵
                                                          PID:5492
                                                          • C:\Windows\Installer\backgroundTaskHost.exe
                                                            C:\Windows\Installer\backgroundTaskHost.exe
                                                            24⤵
                                                            • UAC bypass
                                                            • Checks computer location settings
                                                            • Executes dropped EXE
                                                            • Checks whether UAC is enabled
                                                            • Modifies registry class
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            • System policy modification
                                                            PID:4428
                                                            • C:\Windows\System32\WScript.exe
                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6bd621da-46e5-412f-b7e4-c55f0f04d253.vbs"
                                                              25⤵
                                                                PID:5716
                                                                • C:\Windows\Installer\backgroundTaskHost.exe
                                                                  C:\Windows\Installer\backgroundTaskHost.exe
                                                                  26⤵
                                                                  • UAC bypass
                                                                  • Checks computer location settings
                                                                  • Executes dropped EXE
                                                                  • Checks whether UAC is enabled
                                                                  • Modifies registry class
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  • System policy modification
                                                                  PID:2144
                                                                  • C:\Windows\System32\WScript.exe
                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dba74704-55f4-48c4-b364-deafda8e0859.vbs"
                                                                    27⤵
                                                                      PID:6044
                                                                      • C:\Windows\Installer\backgroundTaskHost.exe
                                                                        C:\Windows\Installer\backgroundTaskHost.exe
                                                                        28⤵
                                                                        • UAC bypass
                                                                        • Checks computer location settings
                                                                        • Executes dropped EXE
                                                                        • Checks whether UAC is enabled
                                                                        • Modifies registry class
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        • System policy modification
                                                                        PID:4040
                                                                        • C:\Windows\System32\WScript.exe
                                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\40633a2a-42d8-493b-97e7-45bc549b1f1a.vbs"
                                                                          29⤵
                                                                            PID:5984
                                                                          • C:\Windows\System32\WScript.exe
                                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4f8c7ff4-8b41-42b1-a755-4efb9389b134.vbs"
                                                                            29⤵
                                                                              PID:4860
                                                                        • C:\Windows\System32\WScript.exe
                                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b215e46b-e662-49ec-9a96-22aebdadc046.vbs"
                                                                          27⤵
                                                                            PID:6104
                                                                      • C:\Windows\System32\WScript.exe
                                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f668c87d-67f1-44d1-aaab-ce327250d57b.vbs"
                                                                        25⤵
                                                                          PID:4180
                                                                    • C:\Windows\System32\WScript.exe
                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\537b7048-6230-4cd6-a6be-04b9a1e303d4.vbs"
                                                                      23⤵
                                                                        PID:1148
                                                                  • C:\Windows\System32\WScript.exe
                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0dc696be-1579-4f94-a57d-e5741f2001aa.vbs"
                                                                    21⤵
                                                                      PID:2132
                                                                • C:\Windows\System32\WScript.exe
                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11b46a32-3a15-44cd-99ef-f934261178cc.vbs"
                                                                  19⤵
                                                                    PID:3908
                                                              • C:\Windows\System32\WScript.exe
                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\43505a82-b053-43c4-82aa-5bd01f2f110d.vbs"
                                                                17⤵
                                                                  PID:6136
                                                            • C:\Windows\System32\WScript.exe
                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8d520f40-e0d2-4b96-b966-51eed767b24e.vbs"
                                                              15⤵
                                                                PID:5796
                                                          • C:\Windows\System32\WScript.exe
                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\96842741-b1ea-4799-945e-1af8b0bab2c1.vbs"
                                                            13⤵
                                                              PID:5512
                                                        • C:\Windows\System32\WScript.exe
                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d0d44e7f-73a8-4941-a0f2-87f432ce411b.vbs"
                                                          11⤵
                                                            PID:2424
                                                      • C:\Windows\System32\WScript.exe
                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\73a7f493-a41e-4b05-a830-87dc0c8c0394.vbs"
                                                        9⤵
                                                          PID:3360
                                                    • C:\Windows\System32\WScript.exe
                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3847b708-f7b1-4ffe-a090-eb1204cebec4.vbs"
                                                      7⤵
                                                        PID:512
                                                  • C:\Windows\System32\WScript.exe
                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d84be767-7b84-4364-87e4-e05b952a2fb6.vbs"
                                                    5⤵
                                                      PID:5948
                                                • C:\Windows\System32\WScript.exe
                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\393a414d-170c-4035-9237-ccbab26d0fe4.vbs"
                                                  3⤵
                                                    PID:5596
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\RuntimeBroker.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Creates scheduled task(s)
                                                PID:2456
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\RuntimeBroker.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Creates scheduled task(s)
                                                PID:4500
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\RuntimeBroker.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Creates scheduled task(s)
                                                PID:4776
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics0" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Creates scheduled task(s)
                                                PID:4788
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics" /sc ONLOGON /tr "'C:\Users\Default User\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Creates scheduled task(s)
                                                PID:400
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics0" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Creates scheduled task(s)
                                                PID:4440
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\Idle.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Creates scheduled task(s)
                                                PID:2800
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\Idle.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Creates scheduled task(s)
                                                PID:588
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\Idle.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Creates scheduled task(s)
                                                PID:3716
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files\Internet Explorer\es-ES\explorer.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Creates scheduled task(s)
                                                PID:2948
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\es-ES\explorer.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Creates scheduled task(s)
                                                PID:2940
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files\Internet Explorer\es-ES\explorer.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Creates scheduled task(s)
                                                PID:4012
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Creates scheduled task(s)
                                                PID:1356
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Creates scheduled task(s)
                                                PID:1964
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Creates scheduled task(s)
                                                PID:2812
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Creates scheduled task(s)
                                                PID:4668
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Creates scheduled task(s)
                                                PID:1468
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Creates scheduled task(s)
                                                PID:4236
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft\System.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Creates scheduled task(s)
                                                PID:1600
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\System.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Creates scheduled task(s)
                                                PID:3736
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft\System.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Creates scheduled task(s)
                                                PID:4632
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Creates scheduled task(s)
                                                PID:4880
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Creates scheduled task(s)
                                                PID:836
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Creates scheduled task(s)
                                                PID:3932
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Program Files\Google\OfficeClickToRun.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Creates scheduled task(s)
                                                PID:536
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Google\OfficeClickToRun.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Creates scheduled task(s)
                                                PID:4420
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Program Files\Google\OfficeClickToRun.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Creates scheduled task(s)
                                                PID:732
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Creates scheduled task(s)
                                                PID:2468
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Creates scheduled task(s)
                                                PID:2832
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Creates scheduled task(s)
                                                PID:868
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics0" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Creates scheduled task(s)
                                                PID:3448
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Creates scheduled task(s)
                                                PID:840
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics0" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Creates scheduled task(s)
                                                PID:4308
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Windows\Installer\backgroundTaskHost.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Creates scheduled task(s)
                                                PID:3136
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\Installer\backgroundTaskHost.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Creates scheduled task(s)
                                                PID:3204
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Windows\Installer\backgroundTaskHost.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Creates scheduled task(s)
                                                PID:1048
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Creates scheduled task(s)
                                                PID:4176
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Creates scheduled task(s)
                                                PID:4932
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Creates scheduled task(s)
                                                PID:2756
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Pictures\TextInputHost.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Creates scheduled task(s)
                                                PID:1752
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Users\Public\Pictures\TextInputHost.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Creates scheduled task(s)
                                                PID:3168
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Pictures\TextInputHost.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Creates scheduled task(s)
                                                PID:3264
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Mozilla Firefox\uninstall\sppsvc.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Creates scheduled task(s)
                                                PID:4676
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\uninstall\sppsvc.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Creates scheduled task(s)
                                                PID:220
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Mozilla Firefox\uninstall\sppsvc.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Creates scheduled task(s)
                                                PID:5096

                                              Network

                                              MITRE ATT&CK Enterprise v15

                                              Downloads

                                              • C:\Program Files\Google\OfficeClickToRun.exe
                                                Filesize: 3.2MB
                                                MD5: dceca7f3ae5b7b4ca38a75686334b969
                                                SHA1: a52f18b1467bcfb97ba524f874cafd8c2d1ac232
                                                SHA256: 15b8e3c8afe0b2dcb7f3398f0c97430e16fd4aa054eaff2bae8a7cbde711af60
                                                SHA512: 13209c752372537374c8479e9998b9c4e14c383aa3a2fa57e4a09d63ff50cb28d45ab1a75cfb4319cc0bb3b7bedce7043c72a05c15df69bfdd69c74a63d336fb

                                              • C:\Recovery\WindowsRE\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
                                                Filesize: 3.2MB
                                                MD5: 07e03442a170375f42e22b479ea0c7f9
                                                SHA1: 4d2726dc3fff0812950233be63b5264ff07b44bf
                                                SHA256: 6c778e1f8c4e18077559753829514ebaffbd56e4a5f5cc95278663596865e272
                                                SHA512: f03a7db30a1a267beabcb43effc1364199403fa75c07073efc5a81f97a0474bd5f7f7b3acd4e46a1730a77bfce3d3c21012a101fca65c99ece03bc5343d43eae

                                              • C:\Recovery\WindowsRE\sysmon.exe
                                                Filesize: 3.2MB
                                                MD5: 00195dc23ea8cc5cb728c411f684ff40
                                                SHA1: 604a8ca144781805d4ea73de01caee8ba98c176d
                                                SHA256: 5d911e8e304885f5489587b85e5a43101d5a1078cbcb27727bdd16b78dd45df1
                                                SHA512: 218d3eb66ed906759a695160e8984e95e75aa2c7c4e5558d5941c16658f3e1df718213e307a9f8d3823fd4eaa8713e8cfda95f5de70b9d29cd29ad2ca73c3ddd

                                              • C:\Recovery\WindowsRE\sysmon.exe
                                                Filesize: 3.2MB
                                                MD5: ff222e397f441a440de414c09064304a
                                                SHA1: 3e33e71af577bc1b7b354142db331e325dd0538a
                                                SHA256: 7023170888f8977ee69849eb6116ce29f3e3d0bfaf5da693924c090d8c026d4b
                                                SHA512: deeb3fd3843ec75337e62498ca930f43ca4b354345ec17fe10da1d650aa6398dca45f9a245bc6c3243c36aa51a6e2aeb52404c4d5d01f4f814125a96c5b1aaa0

                                              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\backgroundTaskHost.exe.log
                                                Filesize: 1KB
                                                MD5: 49b64127208271d8f797256057d0b006
                                                SHA1: b99bd7e2b4e9ed24de47fb3341ea67660b84cca1
                                                SHA256: 2a5d403a2e649d8eceef8f785eeb0f6d33888ec6bbf251b3c347e34cb32b1e77
                                                SHA512: f7c728923c893dc9bc88ad2159e0abcda41e1b40ff7e7756e6252d135ed238a2248a2662b3392449836dd1b0b580f0c866cc33e409527484fe4602e3d3f10e3e

                                              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                                                Filesize: 2KB
                                                MD5: d85ba6ff808d9e5444a4b369f5bc2730
                                                SHA1: 31aa9d96590fff6981b315e0b391b575e4c0804a
                                                SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
                                                SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                Filesize: 944B
                                                MD5: 6d3e9c29fe44e90aae6ed30ccf799ca8
                                                SHA1: c7974ef72264bbdf13a2793ccf1aed11bc565dce
                                                SHA256: 2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
                                                SHA512: 60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                Filesize: 944B
                                                MD5: 2e907f77659a6601fcc408274894da2e
                                                SHA1: 9f5b72abef1cd7145bf37547cdb1b9254b4efe9d
                                                SHA256: 385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233
                                                SHA512: 34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                Filesize: 944B
                                                MD5: e448fe0d240184c6597a31d3be2ced58
                                                SHA1: 372b8d8c19246d3e38cd3ba123cc0f56070f03cd
                                                SHA256: c660f0db85a1e7f0f68db19868979bf50bd541531babf77a701e1b1ce5e6a391
                                                SHA512: 0b7f7eae7700d32b18eee3677cb7f89b46ace717fa7e6b501d6c47d54f15dff7e12b49f5a7d36a6ffe4c16165c7d55162db4f3621db545b6af638035752beab4

                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                Filesize: 944B
                                                MD5: 59d97011e091004eaffb9816aa0b9abd
                                                SHA1: 1602a56b01dd4b7c577ca27d3117e4bcc1aa657b
                                                SHA256: 18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d
                                                SHA512: d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                Filesize: 944B
                                                MD5: bd5940f08d0be56e65e5f2aaf47c538e
                                                SHA1: d7e31b87866e5e383ab5499da64aba50f03e8443
                                                SHA256: 2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6
                                                SHA512: c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

                                              • C:\Users\Admin\AppData\Local\Temp\1a71532b-f9ce-4534-8df9-4b221000b439.vbs
                                                Filesize: 719B
                                                MD5: 78fbd19b5729d075c90671a60e1b6eeb
                                                SHA1: 18e029ec56886688e1be129b233e857f79a6ee68
                                                SHA256: 1f13fb1bd7e97e28aeaad93fe0616b3a0813496380b6b822e47e591845f605c9
                                                SHA512: 2c915e2d2317cbe0ea5cb3e2bdff62ec7c5f1e43fe5fd769357e889bcbb369fea6cc83063f1f84918b8ba6544adefde1fffbb2e08c0c28233103fa6da5f96948

                                              • C:\Users\Admin\AppData\Local\Temp\393a414d-170c-4035-9237-ccbab26d0fe4.vbs
                                                Filesize: 495B
                                                MD5: 76accfec88f25e1895b4397b1ae1de3f
                                                SHA1: 2c6bd88e43758110e5feb8318a0481aded5e1d96
                                                SHA256: 638222d3abd9eae17158735954f40dde467c86ce02eea50eeb86b19ca3b12409
                                                SHA512: e93e99f8ee24c64cf0b830d793f76cb6b0341d31e264d9a68fe829f1b61ce1d15c5fa34a95f3b0eafc01014d5aa9e81eceffe17b7a51cf3e5bcb93bd7ff9e5d9

                                              • C:\Users\Admin\AppData\Local\Temp\6bd621da-46e5-412f-b7e4-c55f0f04d253.vbs
                                                Filesize: 719B
                                                MD5: 767a7a77da6392be81ab7aceb4f9397f
                                                SHA1: 77842c4216babc9f63f18b2947bf2f8cb85cf178
                                                SHA256: cdb65d15b590199349759fd9b392b959ce77c188a34f71a44aaab33aa69da5da
                                                SHA512: c275a770273e5f1b8342315d08d02e222b0f6224dd4864a0ab5458631a06ff22de36d4168d99281560ec1c66d1a7478fd423eacced41df38e79078494cd27a8c

                                              • C:\Users\Admin\AppData\Local\Temp\6c51f102-bb6e-4a60-83e7-282963469afb.vbs
                                                Filesize: 719B
                                                MD5: 7ff81542723378585958d10475087f80
                                                SHA1: d8d8487f890d6ee0dc0e825778a70df024541f24
                                                SHA256: 116b714492325414fec24baea81d4ea75dc1943f02f3062944086cb19c2fdece
                                                SHA512: e97122b8350f9543b0b92a1abb0303cd65ae65cf8fac285fca804ba73f8ecaa15b6aeaaf95cefc4f51f5c744bc881975a96a194e413fdaf4be08648970db2a6c

                                              • C:\Users\Admin\AppData\Local\Temp\789b5567-4d03-457b-b34a-a8a336cdac71.vbs
                                                Filesize: 719B
                                                MD5: 36ba2b23fcd9b4b86fe5d58d50d47841
                                                SHA1: 85c9359fecf30d68ec3f9ce30f8a0f612f032fa2
                                                SHA256: 927b8e4b15a8ff8e1824e01b16a28be07ba1e336ca3c75d6bc7c0327b32c178d
                                                SHA512: cd0122c1155034888415f2342e6b95ee5bb41ac35bc6eb4ee547ebc0ce86720c2b21d51fd277d99ce36bd34054042a1c9b9ab5757c9314f55220dd4aa78783ed

                                              • C:\Users\Admin\AppData\Local\Temp\7b892d72-d363-434a-96a9-40e0fdcb016d.vbs
                                                Filesize: 719B
                                                MD5: c00b210c16ef39da9d6c1cc1abec1cb5
                                                SHA1: 37769fd6e528370a830b361beb05dcf32f268670
                                                SHA256:

                                                e1c254d8c77d6d2c14df56f4aa9354671274c0493b397365e7ec797307f0699e

                                                SHA512

                                                037b884866c9045aa72d11f4b5e81854842846f362b884783d32a9ad42f03d27d0c9429c8ef853cbe72bbc6de451ec6c1e0636aee63be81b7850fc4aa34ed7e2

                                              • C:\Users\Admin\AppData\Local\Temp\7f6e3723-c975-4187-af4e-1a03587fbbac.vbs

                                                Filesize

                                                719B

                                                MD5

                                                d0c0ec367f9ea3220f47041faab49a7b

                                                SHA1

                                                0576a36c60545e5d4939023ecde7714c9c08a759

                                                SHA256

                                                5742d4d41d63ddfcbffa9ee8de6e8ffc12bae4b11b3ab662a8663c9f93f43081

                                                SHA512

                                                1d624ee24ce5ea658ba681b0263a273f064b47f73c9b8d72dec9c8f7a66a2230ee56b18e11ed733756ffd3e01374178cf307fc9e6bc7cdbbb282b4c7a6016b60

                                              • C:\Users\Admin\AppData\Local\Temp\84102f20-aa3c-41a3-b2ce-dc2a6492decb.vbs

                                                Filesize

                                                719B

                                                MD5

                                                efa9123c0bd5e1e1498fca82ca2efa71

                                                SHA1

                                                d2b1fe555229875cb64aae262b5d982f8d6782e9

                                                SHA256

                                                faa8dffc57f246ed7c5d0950e52f45723493e97667f6c51b683116e4666e1acd

                                                SHA512

                                                ebe9b6d5e0f09be23b9dd4eb750b57225efe2f0cf9a7044c3880792abdd677d036a189eb0487a3ac8d2d9f147b3f03646ceb3b667649f797dae2262283ee8e01

                                              • C:\Users\Admin\AppData\Local\Temp\8e9d9a49-1964-40e0-a87c-956dab7af13d.vbs

                                                Filesize

                                                719B

                                                MD5

                                                fc0a5ef0e9d30b74883bb204eef97d84

                                                SHA1

                                                885e223a9dfacd2855ba225be5c400e0106b933d

                                                SHA256

                                                8bd2f59616ab514bd7af390ca12f090cac97cf00ae94b3cccc989bf40d8175d0

                                                SHA512

                                                3f032658c12bb016bff845848db6c28a0eec6587d170a06f9b85b30bb932a68aa10630366ba9bb7bb28e3cfe7884d282188aefc394a480225c998c132a4e3537

                                              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_holj3jm3.3my.ps1

                                                Filesize

                                                60B

                                                MD5

                                                d17fe0a3f47be24a6453e9ef58c94641

                                                SHA1

                                                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                SHA256

                                                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                SHA512

                                                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                              • C:\Users\Admin\AppData\Local\Temp\dba74704-55f4-48c4-b364-deafda8e0859.vbs

                                                Filesize

                                                719B

                                                MD5

                                                18cfcb42776f8791b42e6eac73ebd112

                                                SHA1

                                                9be59a1f40696f49beac0e507b55c514f1b67c3d

                                                SHA256

                                                5d3186519abc58a149cc5404092f8146339791da22723f8d3a1d01411a0448c7

                                                SHA512

                                                b949ce8c71ef6b6075acf61471ad37593a6f7a1de72b04443e4a84a452b5c59b9bc00de92c89eece4d3173a89e6c90b9c59072a60b4780695affebbbcb41d04d

                                              • C:\Users\Admin\AppData\Local\Temp\dd466347-92fe-4b91-923b-4398af225e25.vbs

                                                Filesize

                                                719B

                                                MD5

                                                7e5c931533642b309539c913ab0a1693

                                                SHA1

                                                93f9e4afafe187a149c2615aafa558feeab19be8

                                                SHA256

                                                f063f020fb833db7968561146312993d5dea5682c4469e8136bdeff50ca67d16

                                                SHA512

                                                8956528c5bbd28c35806b019ba80e7749e2f0c6bab8fc835c3f3eda05ebf3aecd7d77702768d42fc0107496fb9d49e47a9e95ec46c9ddf094f18da9b76a65538

                                              • C:\Users\Admin\AppData\Local\Temp\e509c3c8-ea34-49f8-810e-9046cb579038.vbs

                                                Filesize

                                                719B

                                                MD5

                                                b86b2f018fc23c0b0e8aebae21cbdb02

                                                SHA1

                                                e30958f057d6a442413dd3656d4b88cd35677cf8

                                                SHA256

                                                e58da27436a4fbedf817cacd8ce52ca392036119713964dfbceae4d720d108e0

                                                SHA512

                                                36680c5f8ef7ada4235a27cc3e7f82262a2aef5a7fdb006ce0c149dc4bf8288920ddeee16f40181d31216b2cd99dbceaaa423c348561f68161e78dd6c2622396

                                              • C:\Users\Admin\AppData\Local\Temp\e60444e0-ec8a-4512-a96a-9e8c27278085.vbs

                                                Filesize

                                                719B

                                                MD5

                                                e824770de22711d3cd276a529b7075d9

                                                SHA1

                                                611a3a69fd3391e7055f5f5b378116fb3fa55546

                                                SHA256

                                                0bdd0708ff43d04705d0ba6934d70626bd686227bccc3113c0d7cb001feb71d8

                                                SHA512

                                                7ca635b7979463cc4bd08580388bad1408fcba8ffe6f6e2e41913c7b19d73138607bf48144ac16e3356d76e9891903bd40bd11536652094a07796c84737daa73

                                              • C:\Users\Admin\AppData\Local\Temp\ea6cf745-b8c8-4d51-a3e3-9214842eddd2.vbs

                                                Filesize

                                                719B

                                                MD5

                                                2883e00831d45118ca620a379489dd7d

                                                SHA1

                                                99ce5af3de445e1a9b3bc4911194eaa653229656

                                                SHA256

                                                229fbe0b441398d981423459c6360bd1c4b6df83c086b6d9893b87cd2e468443

                                                SHA512

                                                5aaa7b3742f11bfb34aedb3eb5d5b4bcc8448f20a00150acf80a8ddd666949c15531e8898890ec1e79fee9292d7d7ef65dd5a75cc7b51d06ce58dcbe4c572e06

                                              • C:\Windows\Installer\backgroundTaskHost.exe

                                                Filesize

                                                3.2MB

                                                MD5

                                                97c77684fa148562c56a1b1da6a926b4

                                                SHA1

                                                c690a41cc2fcd78047a3d25e4774248ea8b8ae1c

                                                SHA256

                                                caf4418761f342717515e968e60c292b267379f1cc3aacd392551cc2a2e8f58b

                                                SHA512

                                                127a3c036797d8ad4175288741e952151bf693ff2841ce327ef95004be67f6ed6cb5e98e68c0d96de228e07673c7dd47e59ad2b7b6b7e3c6c39a153147e88f29

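The dropped-file listing above is what a responder actually works from, and two of its entries deserve more than a copy into a blocklist: a file named `backgroundTaskHost.exe` written to `C:\Windows\Installer` rather than to `C:\Windows\System32`, where the real binary lives, and thirteen GUID-named `.vbs` files of identical size (719B) but different hashes. The Python below is an added example, not part of the sandbox report or of any tool it names. It parses entries in the exact layout used on this page into records, tags the artifacts worth a second look, and emits a hash set fit for hunting. Three things in it are assumptions rather than facts from the page: the starter list of Windows binaries that legitimately live only under System32/SysWOW64, the heuristic that GUID-named scripts in a user's Temp directory are worth tagging, and the treatment of `__PSScriptPolicyTest_*.ps1` as the probe file PowerShell itself writes when it checks script policy at start-up (evidence that a PowerShell host ran, not a payload, so its per-run-random hash is kept out of the hunt set). The sample entries are copied from the listing above.

```python
"""Turn a sandbox 'dropped files' listing into hunting IOCs and flag the entries worth a second look."""
import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

# Constructed sample: four entries copied from the listing above. The first keeps the report's
# own layout (field name on one line, value on the next); the others use "name  value".
SAMPLE = r"""
• C:\Users\Admin\AppData\Local\Temp\6bd621da-46e5-412f-b7e4-c55f0f04d253.vbs
  Filesize
  719B
  MD5
  767a7a77da6392be81ab7aceb4f9397f
  SHA1
  77842c4216babc9f63f18b2947bf2f8cb85cf178
  SHA256
  cdb65d15b590199349759fd9b392b959ce77c188a34f71a44aaab33aa69da5da
  SHA512
  c275a770273e5f1b8342315d08d02e222b0f6224dd4864a0ab5458631a06ff22de36d4168d99281560ec1c66d1a7478fd423eacced41df38e79078494cd27a8c
• C:\Users\Admin\AppData\Local\Temp\6c51f102-bb6e-4a60-83e7-282963469afb.vbs
  Filesize  719B
  MD5       7ff81542723378585958d10475087f80
  SHA1      d8d8487f890d6ee0dc0e825778a70df024541f24
  SHA256    116b714492325414fec24baea81d4ea75dc1943f02f3062944086cb19c2fdece
  SHA512    e97122b8350f9543b0b92a1abb0303cd65ae65cf8fac285fca804ba73f8ecaa15b6aeaaf95cefc4f51f5c744bc881975a96a194e413fdaf4be08648970db2a6c
• C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_holj3jm3.3my.ps1
  Filesize  60B
  MD5       d17fe0a3f47be24a6453e9ef58c94641
  SHA1      6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
• C:\Windows\Installer\backgroundTaskHost.exe
  Filesize  3.2MB
  MD5       97c77684fa148562c56a1b1da6a926b4
  SHA1      c690a41cc2fcd78047a3d25e4774248ea8b8ae1c
  SHA256    caf4418761f342717515e968e60c292b267379f1cc3aacd392551cc2a2e8f58b
  SHA512    127a3c036797d8ad4175288741e952151bf693ff2841ce327ef95004be67f6ed6cb5e98e68c0d96de228e07673c7dd47e59ad2b7b6b7e3c6c39a153147e88f29
"""

FIELD_RE = re.compile(r"^(Filesize|MD5|SHA1|SHA256|SHA512)\b\s*(.*)$")
# Assumed starter list (not from the report): binaries that legitimately live only under System32/SysWOW64.
SYSTEM_BINARIES = {"backgroundtaskhost.exe", "svchost.exe", "dllhost.exe", "runtimebroker.exe", "sihost.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".bat", ".cmd", ".ps1"}
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

@dataclass
class DroppedFile:
    path: str
    size: str = ""
    hashes: dict = field(default_factory=dict)   # algorithm name -> lowercase hex digest

def parse_dropped_files(text: str) -> list:
    """Parse '• path' bullets followed by Filesize/MD5/SHA1/SHA256/SHA512 fields, in either layout."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    records, i = [], 0
    while i < len(lines):
        line = lines[i]
        if line.startswith("•"):
            records.append(DroppedFile(path=line[1:].strip()))
        elif (m := FIELD_RE.match(line)) and records:
            name, value = m.group(1), m.group(2).strip()
            if not value and i + 1 < len(lines):   # value sits on the following line
                i += 1
                value = lines[i]
            if name == "Filesize":
                records[-1].size = value
            else:
                records[-1].hashes[name] = value.lower()
        i += 1
    return records

def classify(rec: DroppedFile) -> set:
    """Tag: system-binary name outside its home dir, GUID-named script in Temp, or PowerShell's policy probe."""
    p = PureWindowsPath(rec.path)
    name, ext = p.name.lower(), p.suffix.lower()
    parent = str(p.parent).lower() + "\\"
    in_temp = "\\appdata\\local\\temp\\" in parent
    tags = set()
    if name in SYSTEM_BINARIES and not parent.startswith(SYSTEM_DIRS):
        tags.add("masquerade")
    if ext in SCRIPT_EXTS and in_temp and GUID_RE.match(p.stem):
        tags.add("temp_guid_script")
    if in_temp and ext == ".ps1" and name.startswith("__psscriptpolicytest_"):
        tags.add("powershell_ran")   # written by PowerShell itself at start-up; proof a host ran, not a payload
    return tags

def ioc_hashes(records: list, algo: str = "SHA256") -> dict:
    """Hash -> path for hunting, leaving out PowerShell's benign, per-run-random probe file."""
    return {r.hashes[algo]: r.path for r in records
            if algo in r.hashes and "powershell_ran" not in classify(r)}

def same_size_variants(records: list) -> dict:
    """Sizes carrying more than one distinct SHA256: same size, different content suggests per-drop generation."""
    by_size = {}
    for r in records:
        by_size.setdefault(r.size, set()).add(r.hashes.get("SHA256", r.path))
    return {size: len(h) for size, h in by_size.items() if len(h) > 1}

if __name__ == "__main__":
    for r in parse_dropped_files(SAMPLE):
        print(f"{r.size:>6}  {sorted(classify(r)) or '-'}  {r.path}")
```

Run against the full listing, `same_size_variants()` reports thirteen distinct hashes at 719B, which is the cue to pull the `.vbs` bodies and diff them rather than ship thirteen throwaway hashes; the report itself says nothing about their content. The 3.2MB dropped `backgroundTaskHost.exe` matches the sample's size but not its MD5, so it is not a byte-identical copy, and the memory regions of the same size in PID 64 and PID 5152 below are worth dumping and comparing before either hash is treated as the canonical one.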
• memory/64-0-0x00007FF83E493000-0x00007FF83E495000-memory.dmp
  Filesize  8KB
• memory/64-1-0x0000000000EE0000-0x000000000121C000-memory.dmp
  Filesize  3.2MB
• memory/64-2-0x00007FF83E490000-0x00007FF83EF51000-memory.dmp
  Filesize  10.8MB
• memory/64-3-0x00000000031C0000-0x00000000031CE000-memory.dmp
  Filesize  56KB
• memory/64-4-0x00000000031D0000-0x00000000031DE000-memory.dmp
  Filesize  56KB
• memory/64-5-0x000000001C450000-0x000000001C458000-memory.dmp
  Filesize  32KB
• memory/64-6-0x000000001C460000-0x000000001C47C000-memory.dmp
  Filesize  112KB
• memory/64-7-0x000000001C4D0000-0x000000001C520000-memory.dmp
  Filesize  320KB
• memory/64-8-0x000000001C480000-0x000000001C488000-memory.dmp
  Filesize  32KB
• memory/64-9-0x000000001C490000-0x000000001C4A0000-memory.dmp
  Filesize  64KB
• memory/64-10-0x000000001C4A0000-0x000000001C4B6000-memory.dmp
  Filesize  88KB
• memory/64-11-0x000000001C4C0000-0x000000001C4C8000-memory.dmp
  Filesize  32KB
• memory/64-12-0x000000001C520000-0x000000001C530000-memory.dmp
  Filesize  64KB
• memory/64-13-0x000000001C530000-0x000000001C53A000-memory.dmp
  Filesize  40KB
• memory/64-14-0x000000001C540000-0x000000001C596000-memory.dmp
  Filesize  344KB
• memory/64-15-0x000000001C590000-0x000000001C59C000-memory.dmp
  Filesize  48KB
• memory/64-16-0x000000001C5A0000-0x000000001C5A8000-memory.dmp
  Filesize  32KB
• memory/64-17-0x000000001C5B0000-0x000000001C5BC000-memory.dmp
  Filesize  48KB
• memory/64-18-0x000000001C5C0000-0x000000001C5C8000-memory.dmp
  Filesize  32KB
• memory/64-19-0x000000001C5D0000-0x000000001C5E2000-memory.dmp
  Filesize  72KB
• memory/64-20-0x000000001CB30000-0x000000001D058000-memory.dmp
  Filesize  5.2MB
• memory/64-21-0x000000001C600000-0x000000001C60C000-memory.dmp
  Filesize  48KB
• memory/64-22-0x000000001C610000-0x000000001C61C000-memory.dmp
  Filesize  48KB
• memory/64-23-0x000000001C620000-0x000000001C62C000-memory.dmp
  Filesize  48KB
• memory/64-24-0x000000001C630000-0x000000001C63C000-memory.dmp
  Filesize  48KB
• memory/64-25-0x000000001C750000-0x000000001C758000-memory.dmp
  Filesize  32KB
• memory/64-26-0x000000001C740000-0x000000001C74A000-memory.dmp
  Filesize  40KB
• memory/64-27-0x000000001C760000-0x000000001C76E000-memory.dmp
  Filesize  56KB
• memory/64-28-0x000000001C870000-0x000000001C878000-memory.dmp
  Filesize  32KB
• memory/64-29-0x000000001C880000-0x000000001C88E000-memory.dmp
  Filesize  56KB
• memory/64-30-0x000000001C890000-0x000000001C89C000-memory.dmp
  Filesize  48KB
• memory/64-31-0x000000001C8A0000-0x000000001C8A8000-memory.dmp
  Filesize  32KB
• memory/64-32-0x000000001C8F0000-0x000000001C8FA000-memory.dmp
  Filesize  40KB
• memory/64-33-0x000000001C900000-0x000000001C90C000-memory.dmp
  Filesize  48KB
• memory/64-34-0x00007FF83E490000-0x00007FF83EF51000-memory.dmp
  Filesize  10.8MB
• memory/64-37-0x00007FF83E490000-0x00007FF83EF51000-memory.dmp
  Filesize  10.8MB
• memory/64-393-0x00007FF83E490000-0x00007FF83EF51000-memory.dmp
  Filesize  10.8MB
• memory/1524-290-0x0000016529F30000-0x0000016529F52000-memory.dmp
  Filesize  136KB
• memory/2556-475-0x000000001B920000-0x000000001B976000-memory.dmp
  Filesize  344KB
• memory/4040-565-0x000000001B7A0000-0x000000001B7B2000-memory.dmp
  Filesize  72KB
• memory/4836-531-0x000000001C280000-0x000000001C382000-memory.dmp
  Filesize  1.0MB
• memory/5152-392-0x0000000000C50000-0x0000000000F8C000-memory.dmp
  Filesize  3.2MB
• memory/5192-462-0x000000001B7D0000-0x000000001B826000-memory.dmp
  Filesize  344KB
• memory/5192-473-0x000000001C340000-0x000000001C442000-memory.dmp
  Filesize  1.0MB
• memory/5788-519-0x000000001CF10000-0x000000001D012000-memory.dmp
  Filesize  1.0MB