Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14-05-2024 06:50

General

  • Target

    990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe

  • Size

    2.9MB

  • MD5

    990d69ce8a7a58fa44a5071429041ff0

  • SHA1

    0f2603214e0b81c26a094b7e5fe76b7fa40be4b1

  • SHA256

    15da106135fb0203f99b4cea15f31623008d8d81faf4648b494b2b53a2ee85ce

  • SHA512

    6197dbd8e964fcc41df771b3defc6e0e2186c93d275bbd9fcc9745298cf3d3631fbfcd21058c2257a8d80f7fe258bcd33d5dbbe23d6b66702297aeeb2edb00dc

  • SSDEEP

    49152:P4DKm+cjWnC8WLqxdGWJMcWI2TJT1Q0UN2Trsljq:gDKmzjWnC8Wikx1DUN2/Uq

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Process spawned unexpected child process (36 IoCs)

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass (3 TTPs, 42 IoCs)
  • DCRat payload (2 IoCs)

    Detects the payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell (1 TTP, 11 IoCs)

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Checks computer location settings (2 TTPs, 14 IoCs)

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE (13 IoCs)
  • Checks whether UAC is enabled (1 TTP, 28 IoCs)
  • Drops file in Program Files directory (16 IoCs)
  • Drops file in Windows directory (4 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) (1 TTP, 36 IoCs)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry class (14 IoCs)
  • Suspicious behavior: EnumeratesProcesses (54 IoCs)
  • Suspicious use of AdjustPrivilegeToken (25 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • System policy modification (1 TTP, 42 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe"
    1⤵
    • UAC bypass
    • Checks computer location settings
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2020
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2572
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4864
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3160
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2652
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1724
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4480
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4356
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4540
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4560
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1476
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2284
    • C:\Users\Admin\3D Objects\SppExtComObj.exe
      "C:\Users\Admin\3D Objects\SppExtComObj.exe"
      2⤵
      • UAC bypass
      • Checks computer location settings
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1056
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\580e6d49-501c-483a-869b-dac2c20f6530.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:824
        • C:\Users\Admin\3D Objects\SppExtComObj.exe
          "C:\Users\Admin\3D Objects\SppExtComObj.exe"
          4⤵
          • UAC bypass
          • Checks computer location settings
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:1452
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\efe6c4d6-13d3-4e30-bb46-2d5923511c87.vbs"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:772
            • C:\Users\Admin\3D Objects\SppExtComObj.exe
              "C:\Users\Admin\3D Objects\SppExtComObj.exe"
              6⤵
              • UAC bypass
              • Checks computer location settings
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Modifies registry class
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:1356
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0f42521d-d304-4ca0-9e07-96b98e367b7a.vbs"
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:4192
                • C:\Users\Admin\3D Objects\SppExtComObj.exe
                  "C:\Users\Admin\3D Objects\SppExtComObj.exe"
                  8⤵
                  • UAC bypass
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Checks whether UAC is enabled
                  • Modifies registry class
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  • System policy modification
                  PID:2844
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c2403ed1-88d0-4def-94ee-e65b0f5438fe.vbs"
                    9⤵
                    • Suspicious use of WriteProcessMemory
                    PID:4968
                    • C:\Users\Admin\3D Objects\SppExtComObj.exe
                      "C:\Users\Admin\3D Objects\SppExtComObj.exe"
                      10⤵
                      • UAC bypass
                      • Checks computer location settings
                      • Executes dropped EXE
                      • Checks whether UAC is enabled
                      • Modifies registry class
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      • System policy modification
                      PID:3800
                      • C:\Windows\System32\WScript.exe
                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\69dcb746-bdfd-4d55-ac14-97726c13fc77.vbs"
                        11⤵
                        • Suspicious use of WriteProcessMemory
                        PID:4760
                        • C:\Users\Admin\3D Objects\SppExtComObj.exe
                          "C:\Users\Admin\3D Objects\SppExtComObj.exe"
                          12⤵
                          • UAC bypass
                          • Checks computer location settings
                          • Executes dropped EXE
                          • Checks whether UAC is enabled
                          • Modifies registry class
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of WriteProcessMemory
                          • System policy modification
                          PID:3240
                          • C:\Windows\System32\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\16372a9e-090c-4b0f-832b-b6453d83b460.vbs"
                            13⤵
                            • Suspicious use of WriteProcessMemory
                            PID:4908
                            • C:\Users\Admin\3D Objects\SppExtComObj.exe
                              "C:\Users\Admin\3D Objects\SppExtComObj.exe"
                              14⤵
                              • UAC bypass
                              • Checks computer location settings
                              • Executes dropped EXE
                              • Checks whether UAC is enabled
                              • Modifies registry class
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of WriteProcessMemory
                              • System policy modification
                              PID:3772
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\922bd387-fa3d-433a-a1b0-558a256367bf.vbs"
                                15⤵
                                  PID:3548
                                  • C:\Users\Admin\3D Objects\SppExtComObj.exe
                                    "C:\Users\Admin\3D Objects\SppExtComObj.exe"
                                    16⤵
                                    • UAC bypass
                                    • Checks computer location settings
                                    • Executes dropped EXE
                                    • Checks whether UAC is enabled
                                    • Modifies registry class
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    • System policy modification
                                    PID:4540
                                    • C:\Windows\System32\WScript.exe
                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d97244f6-647f-4dcc-a433-4fdc7b4809ba.vbs"
                                      17⤵
                                        PID:3440
                                        • C:\Users\Admin\3D Objects\SppExtComObj.exe
                                          "C:\Users\Admin\3D Objects\SppExtComObj.exe"
                                          18⤵
                                          • UAC bypass
                                          • Checks computer location settings
                                          • Executes dropped EXE
                                          • Checks whether UAC is enabled
                                          • Modifies registry class
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          • System policy modification
                                          PID:736
                                          • C:\Windows\System32\WScript.exe
                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\feec2a2a-2a22-444b-b4d5-9b3ac93ccaad.vbs"
                                            19⤵
                                              PID:4600
                                              • C:\Users\Admin\3D Objects\SppExtComObj.exe
                                                "C:\Users\Admin\3D Objects\SppExtComObj.exe"
                                                20⤵
                                                • UAC bypass
                                                • Checks computer location settings
                                                • Executes dropped EXE
                                                • Checks whether UAC is enabled
                                                • Modifies registry class
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious use of AdjustPrivilegeToken
                                                • System policy modification
                                                PID:1800
                                                • C:\Windows\System32\WScript.exe
                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3eefc39f-8364-43e6-b95b-0d7a62a6b78b.vbs"
                                                  21⤵
                                                    PID:4968
                                                    • C:\Users\Admin\3D Objects\SppExtComObj.exe
                                                      "C:\Users\Admin\3D Objects\SppExtComObj.exe"
                                                      22⤵
                                                      • UAC bypass
                                                      • Checks computer location settings
                                                      • Executes dropped EXE
                                                      • Checks whether UAC is enabled
                                                      • Modifies registry class
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      • System policy modification
                                                      PID:4104
                                                      • C:\Windows\System32\WScript.exe
                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b698445b-2e7d-46be-898b-796a0cecbce0.vbs"
                                                        23⤵
                                                          PID:496
                                                          • C:\Users\Admin\3D Objects\SppExtComObj.exe
                                                            "C:\Users\Admin\3D Objects\SppExtComObj.exe"
                                                            24⤵
                                                            • UAC bypass
                                                            • Checks computer location settings
                                                            • Executes dropped EXE
                                                            • Checks whether UAC is enabled
                                                            • Modifies registry class
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            • System policy modification
                                                            PID:2848
                                                            • C:\Windows\System32\WScript.exe
                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ee3971d7-f84a-4037-9f97-58605f3f601c.vbs"
                                                              25⤵
                                                                PID:1324
                                                                • C:\Users\Admin\3D Objects\SppExtComObj.exe
                                                                  "C:\Users\Admin\3D Objects\SppExtComObj.exe"
                                                                  26⤵
                                                                  • UAC bypass
                                                                  • Checks computer location settings
                                                                  • Executes dropped EXE
                                                                  • Checks whether UAC is enabled
                                                                  • Modifies registry class
                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  • System policy modification
                                                                  PID:4608
                                                                  • C:\Windows\System32\WScript.exe
                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1a6f3239-54ca-47b9-a8f6-b302f98eff25.vbs"
                                                                    27⤵
                                                                      PID:3996
                                                                    • C:\Windows\System32\WScript.exe
                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7d3da84c-652c-4ac1-bf84-5888f73f1a66.vbs"
                                                                      27⤵
                                                                        PID:4632
                                                                  • C:\Windows\System32\WScript.exe
                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\781357dd-8bdd-4b6c-8499-226a598bc7e4.vbs"
                                                                    25⤵
                                                                      PID:3452
                                                                • C:\Windows\System32\WScript.exe
                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e5e3fb83-6ccf-40c6-931c-977c41da27e1.vbs"
                                                                  23⤵
                                                                    PID:3148
                                                              • C:\Windows\System32\WScript.exe
                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\56b5a343-2940-468d-933d-cc46adec1221.vbs"
                                                                21⤵
                                                                  PID:2968
                                                            • C:\Windows\System32\WScript.exe
                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bf6aa1e6-bb90-464b-9539-7e9cb709b362.vbs"
                                                              19⤵
                                                                PID:2756
                                                          • C:\Windows\System32\WScript.exe
                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1fb5868a-cc92-4405-b2de-4beb5cb645d7.vbs"
                                                            17⤵
                                                              PID:2448
                                                        • C:\Windows\System32\WScript.exe
                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eedc1119-48bc-4ddd-8011-6398a5cd4d1b.vbs"
                                                          15⤵
                                                            PID:4088
                                                      • C:\Windows\System32\WScript.exe
                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1ae344fa-3040-415e-afad-f49448d84ed3.vbs"
                                                        13⤵
                                                          PID:544
                                                    • C:\Windows\System32\WScript.exe
                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4d4fdff9-780a-4e02-ba1e-9c47a6dbd49e.vbs"
                                                      11⤵
                                                        PID:1648
                                                  • C:\Windows\System32\WScript.exe
                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\53a9ee48-457d-46d3-9dfc-0b6b42d9c706.vbs"
                                                    9⤵
                                                      PID:3980
                                                • C:\Windows\System32\WScript.exe
                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9bc53753-9262-40c8-b44d-4ce12fa3ff01.vbs"
                                                  7⤵
                                                    PID:716
                                              • C:\Windows\System32\WScript.exe
                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1f4d8413-d2c1-49d0-84b6-d12268af822a.vbs"
                                                5⤵
                                                  PID:1760
                                            • C:\Windows\System32\WScript.exe
                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\72411b9a-1b64-411e-b136-f1c8f2904253.vbs"
                                              3⤵
                                                PID:3928
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files\Common Files\System\Ole DB\de-DE\RuntimeBroker.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4652
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Common Files\System\Ole DB\de-DE\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2092
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files\Common Files\System\Ole DB\de-DE\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:552
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\explorer.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1796
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1056
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4736
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\Idle.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2216
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2984
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1680
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3020
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4404
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3452
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Users\Public\AccountPictures\upfc.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4756
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\upfc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2916
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\Users\Public\AccountPictures\upfc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:464
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4424
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
                                            PID:3192
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Creates scheduled task(s)
                                            PID:4192
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\sppsvc.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Creates scheduled task(s)
                                            PID:4304
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\sppsvc.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Creates scheduled task(s)
                                            PID:1040
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\sppsvc.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Creates scheduled task(s)
                                            PID:2828
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\3D Objects\SppExtComObj.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Creates scheduled task(s)
                                            PID:3488
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Admin\3D Objects\SppExtComObj.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Creates scheduled task(s)
                                            PID:5084
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\3D Objects\SppExtComObj.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Creates scheduled task(s)
                                            PID:4680
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\dwm.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Creates scheduled task(s)
                                            PID:2580
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\dwm.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Creates scheduled task(s)
                                            PID:3944
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\dwm.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Creates scheduled task(s)
                                            PID:4616
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Windows\ja-JP\taskhostw.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Creates scheduled task(s)
                                            PID:1464
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\ja-JP\taskhostw.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Creates scheduled task(s)
                                            PID:232
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Windows\ja-JP\taskhostw.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Creates scheduled task(s)
                                            PID:4536
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Documents\My Music\dllhost.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Creates scheduled task(s)
                                            PID:3516
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Music\dllhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Creates scheduled task(s)
                                            PID:1080
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Documents\My Music\dllhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Creates scheduled task(s)
                                            PID:2788
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics9" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Portable Devices\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Creates scheduled task(s)
                                            PID:4932
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Creates scheduled task(s)
                                            PID:1016
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics9" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Creates scheduled task(s)
                                            PID:496
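
The list above shows the persistence shape this sample leaves behind: every dropped copy gets three `schtasks /create` calls (one `ONLOGON` task with `/rl HIGHEST`, plus two `MINUTE`-interval tasks sharing a second name, one of them also `HIGHEST`), and every target path borrows the name of a Windows system process (taskhostw.exe, csrss.exe, sppsvc.exe, dwm.exe, dllhost.exe, upfc.exe, SppExtComObj.exe) while living outside System32 (C:\Recovery\WindowsRE, C:\Users\Public\AccountPictures, an Adobe Program Files folder, C:\Windows\ja-JP). The Python below is an added example, not code from the sandbox or the report: it parses command lines of exactly this form, groups them by target and flags targets that combine a system-binary name with a non-system directory. The sample lines are copied from the report plus one constructed benign control line; `SYSTEM_BINARY_NAMES`, `TRUSTED_DIRS` and the scoring rules are this example's own assumptions, not the sandbox's signatures.

```python
"""
Added example, not part of the sandbox report: parse the schtasks.exe
command lines listed above and surface the persistence pattern they form.
The sample lines are copied from the report (plus one constructed benign
control line); SYSTEM_BINARY_NAMES, TRUSTED_DIRS and the scoring rules are
this example's own assumptions, not the sandbox's detection signatures.
"""
import re
from collections import defaultdict

# Windows binary names the sample reuses for its dropped copies (assumption:
# a list curated for this report; extend it for your own environment).
SYSTEM_BINARY_NAMES = {
    "taskhostw.exe", "csrss.exe", "sppsvc.exe", "sppextcomobj.exe",
    "dwm.exe", "dllhost.exe", "upfc.exe",
}
# Directories where those names are legitimately found (assumption).
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed input: command lines copied from the report, plus one benign
# control line (last entry) that points at the real binary in System32.
SAMPLE_CMDLINES = [
    r'''schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f''',
    r'''schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f''',
    r'''schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Documents\My Music\dllhost.exe'" /f''',
    r'''schtasks.exe /create /tn "HealthCheck" /sc DAILY /tr "C:\Windows\System32\taskhostw.exe" /f''',
]

# A token is either a double-quoted string (quotes removed) or a bare word.
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def parse_schtasks(cmdline):
    """Parse one 'schtasks.exe /create ...' command line into {switch: value}.
    Switches that take no argument (/create, /f) map to True; the /tr value
    has the single quotes the sample wraps around its path stripped."""
    tokens = [quoted if quoted else bare for quoted, bare in _TOKEN.findall(cmdline)]
    opts = {}
    i = 1                                   # tokens[0] is schtasks.exe itself
    while i < len(tokens):
        tok = tokens[i]
        if not tok.startswith("/"):
            i += 1                          # stray positional token, ignore
            continue
        key = tok[1:].lower()
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        if nxt is not None and not nxt.startswith("/"):
            opts[key] = nxt
            i += 2
        else:
            opts[key] = True
            i += 1
    if isinstance(opts.get("tr"), str):
        opts["tr"] = opts["tr"].strip("'")
    return opts


def assess_task(opts):
    """Reasons one parsed task looks like the masquerading persistence above."""
    reasons = []
    target = opts.get("tr")
    if not isinstance(target, str):
        return reasons
    low = target.lower()
    name = low.rsplit("\\", 1)[-1]
    if name in SYSTEM_BINARY_NAMES and not low.startswith(TRUSTED_DIRS):
        reasons.append(f"system binary name {name} outside System32/SysWOW64")
    if str(opts.get("rl", "")).upper() == "HIGHEST":
        reasons.append("runs with highest privileges (/rl HIGHEST)")
    if str(opts.get("sc", "")).upper() == "MINUTE":
        reasons.append(f"re-launched every {opts.get('mo', '1')} minute(s)")
    return reasons


def triage(cmdlines):
    """Group /create lines by target path and return only the targets that
    trip the disguise rule, with the task names and count behind each."""
    by_target = defaultdict(list)
    for line in cmdlines:
        opts = parse_schtasks(line)
        if opts.get("create") is True and isinstance(opts.get("tr"), str):
            by_target[opts["tr"]].append(opts)
    flagged = {}
    for target, tasks in by_target.items():
        reasons = set()
        for t in tasks:
            reasons.update(assess_task(t))
        if any(r.startswith("system binary name") for r in reasons):
            flagged[target] = {
                "task_names": sorted({t.get("tn", "?") for t in tasks}),
                "count": len(tasks),
                "reasons": sorted(reasons),
            }
    return flagged


if __name__ == "__main__":
    for target, info in triage(SAMPLE_CMDLINES).items():
        print(f"{target}  ({info['count']} tasks: {', '.join(info['task_names'])})")
        for reason in info["reasons"]:
            print(f"    - {reason}")
```

Grouping by target rather than by task name is the point: the two `MINUTE` tasks reuse one name, so a per-name view hides the fact that three `/create` calls back the same file. On a live host the same logic applies to `schtasks /query /v /fo CSV` output or to the `Actions` element of the task XML under `C:\Windows\System32\Tasks`, which is where the `/tr` path ends up.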

                                          Network

                                          MITRE ATT&CK Enterprise v15

                                          Downloads

                                          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SppExtComObj.exe.log

                                            Filesize

                                            1KB

                                            MD5

                                            4a667f150a4d1d02f53a9f24d89d53d1

                                            SHA1

                                            306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

                                            SHA256

                                            414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

                                            SHA512

                                            4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

                                          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                                            Filesize

                                            2KB

                                            MD5

                                            d85ba6ff808d9e5444a4b369f5bc2730

                                            SHA1

                                            31aa9d96590fff6981b315e0b391b575e4c0804a

                                            SHA256

                                            84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                                            SHA512

                                            8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                            Filesize

                                            944B

                                            MD5

                                            4c57d4745a160caa21b0ddaadf7a3f4d

                                            SHA1

                                            6e2d72fb79cf6dce1aacb775feb70bb012c584c9

                                            SHA256

                                            568f9b885549846f2d1d25aa561398ab12f8b50b03a90de95c99b13a68cf097a

                                            SHA512

                                            5dc3ca754c7df9b758aa50a3a4cecad7d2af824f75e0816e9af2c5a779e7b5c6d3a43f17f1b2169c303f5fab8584d211466ee4bf84b7052d2e1baeb957987d3f

                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                            Filesize

                                            944B

                                            MD5

                                            77d622bb1a5b250869a3238b9bc1402b

                                            SHA1

                                            d47f4003c2554b9dfc4c16f22460b331886b191b

                                            SHA256

                                            f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

                                            SHA512

                                            d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                            Filesize

                                            944B

                                            MD5

                                            6d42b6da621e8df5674e26b799c8e2aa

                                            SHA1

                                            ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

                                            SHA256

                                            5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

                                            SHA512

                                            53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                            Filesize

                                            944B

                                            MD5

                                            a8e8360d573a4ff072dcc6f09d992c88

                                            SHA1

                                            3446774433ceaf0b400073914facab11b98b6807

                                            SHA256

                                            bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

                                            SHA512

                                            4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                            Filesize

                                            944B

                                            MD5

                                            3a6bad9528f8e23fb5c77fbd81fa28e8

                                            SHA1

                                            f127317c3bc6407f536c0f0600dcbcf1aabfba36

                                            SHA256

                                            986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

                                            SHA512

                                            846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                            Filesize

                                            944B

                                            MD5

                                            e8ce785f8ccc6d202d56fefc59764945

                                            SHA1

                                            ca032c62ddc5e0f26d84eff9895eb87f14e15960

                                            SHA256

                                            d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

                                            SHA512

                                            66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                            Filesize

                                            944B

                                            MD5

                                            e243a38635ff9a06c87c2a61a2200656

                                            SHA1

                                            ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

                                            SHA256

                                            af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

                                            SHA512

                                            4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

                                          • C:\Users\Admin\AppData\Local\Temp\0f42521d-d304-4ca0-9e07-96b98e367b7a.vbs

                                            Filesize

                                            718B

                                            MD5

                                            e520781a2f5cf5037a50d8e54101b3be

                                            SHA1

                                            0e97edf01a45b093bb18eb803d4cdffdf3e74d2d

                                            SHA256

                                            3ed1280e67dd66cb4f1093229f5d24aceb2172f1abc36e1ce9d4550c0e99c625

                                            SHA512

                                            30bd8ec98470b81bc8023aa80852c319fc7cc97a752159fa3db8251e73459e4bddd0308b16da236e3e01ba37177fb9c1c7eed118c7e93bc9677e7f611f26b435

                                          • C:\Users\Admin\AppData\Local\Temp\16372a9e-090c-4b0f-832b-b6453d83b460.vbs

                                            Filesize

                                            718B

                                            MD5

                                            83bd100515a66a2b99a1bfcb0fbb6dc7

                                            SHA1

                                            d719d105d95f35ebd9bf9fad2e876e6ec5aff719

                                            SHA256

                                            98179becacdfb9b03928e7c3ea8b84f7aa9f8fd3d523f82de5c514a44c4b9085

                                            SHA512

                                            9c78f77d28450900e127f5a85793e4761679b6eb408de4c880ad8a32540fcbfd171c5a837f8eb89d64a0c087aef50d6c855f8d71d6d3028930287c8f09f336f3

                                          • C:\Users\Admin\AppData\Local\Temp\1a6f3239-54ca-47b9-a8f6-b302f98eff25.vbs

                                            Filesize

                                            718B

                                            MD5

                                            7201d8417f6d1871021949fc594ab97d

                                            SHA1

                                            2f087ecaba329d22b64c5f942a92713e81491800

                                            SHA256

                                            8fcbf6c7f8d6b17eb1c6726cf204b0361b5598ebcbd43f7d3a50b3ee3a65ae0f

                                            SHA512

                                            6b1e606e0ba6f9c35a7fe393cfeb6174619603b0ec35d87b91405b528dafc5b6029b3f8e3e904ddbca2768e15065ccac7a4d18a5f50798bc9df66ddba8a4608b

                                          • C:\Users\Admin\AppData\Local\Temp\3eefc39f-8364-43e6-b95b-0d7a62a6b78b.vbs

                                            Filesize

                                            718B

                                            MD5

                                            6519a5e433b15da4a848c335414c7942

                                            SHA1

                                            978bc03f58bc0e91b6f9a179fa6d6f842f250bfa

                                            SHA256

                                            f30342841f5b56f9bec172ea4f77a5221a52ccbb919a233f2406a690a9228d85

                                            SHA512

                                            345f2bb72de0262a4b31a8c070ade3381d29f32ff0d27071d3de1bf859faf0fe055841f1a4426f6322909971550a87c106ec42a06c71bbe97f9de1960296a9be

                                          • C:\Users\Admin\AppData\Local\Temp\580e6d49-501c-483a-869b-dac2c20f6530.vbs

                                            Filesize

                                            718B

                                            MD5

                                            c6dcf7c999646ea90eacbb390f583e10

                                            SHA1

                                            c5090848bfb0aa5749083855fd583c368a95460a

                                            SHA256

                                            3b95cbb846ed51d309c1a27888a45f23f8404995727a8c9b033e51d5a567bbe7

                                            SHA512

                                            0be59f57e3f68e565621fb31985837318f68facd719bcd55a24a4ec3fc8635a04daae6b142bb3a1f117b8d519488b763aefd2e0faf67ed1c76027776dd7167c9

                                          • C:\Users\Admin\AppData\Local\Temp\69dcb746-bdfd-4d55-ac14-97726c13fc77.vbs

                                            Filesize

                                            718B

                                            MD5

                                            013faa0bf813df9fb49178363827f92e

                                            SHA1

                                            5fe6b5ff14ca8e3e62a6e94d79f10501cf9de1c5

                                            SHA256

                                            d1bed1a1d9af430d1fc3d065d5d1a4b269f23bad1899bbf82ae69610e1737f9a

                                            SHA512

                                            02e6cb8bc8f1674105c3a8a08ca3bfca8cb24af3d62732de4a272bf63a720c4ba8cab04c3e1d72aeffaa6ea50bfdb77a475d96d9a97bb5f92926670f12b6eeda

                                          • C:\Users\Admin\AppData\Local\Temp\72411b9a-1b64-411e-b136-f1c8f2904253.vbs

                                            Filesize

                                            494B

                                            MD5

                                            a5de92cbd714590d45b4f55287bfa881

                                            SHA1

                                            a97c28f3fb2efbb18acae5cad5bc2e648ce73a5d

                                            SHA256

                                            db5957c7d45d46bc8d23e5f9909034e2ee593cc49deb67e7d11c6681144b0466

                                            SHA512

                                            db3d0a7b02e065dc5d74d5d6af3f0d94e1d5211efc442b35936b32e3f18b23217bf9c673290069f378c23f96a190446e2fc3879965c6ffa34fc991ab57d7b934

                                          • C:\Users\Admin\AppData\Local\Temp\922bd387-fa3d-433a-a1b0-558a256367bf.vbs

                                            Filesize

                                            718B

                                            MD5

                                            5abb59989560c2fea91f18d7838068fe

                                            SHA1

                                            5cd1533fc6dd57551dda3537c22ffd815abd3339

                                            SHA256

                                            220e2962ecf7ce53a8851eacb7dd65d2c711e0237abc23ba28b0ddc728a3caa6

                                            SHA512

                                            65fcfc7fe30ad2916a76ed595e4edbbac65d49d7811505ea0af6014c005c7fb74925418b20e34bff12a0dbdae0e0f3833a44c2c20ef3e7c31c16508c314c9785

                                          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_y51vbf0s.01m.ps1

                                            Filesize

                                            60B

                                            MD5

                                            d17fe0a3f47be24a6453e9ef58c94641

                                            SHA1

                                            6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                            SHA256

                                            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                            SHA512

                                            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                          • C:\Users\Admin\AppData\Local\Temp\b698445b-2e7d-46be-898b-796a0cecbce0.vbs

                                            Filesize

                                            718B

                                            MD5

                                            f5e58d8e80dee00d174276ec00375efa

                                            SHA1

                                            b217de7063451b9a46b494c646ec1fddac32eb6a

                                            SHA256

                                            d16e1670aa57c22be8d056eda3e62319e7672f821bdaca8f73fdbfe5302eacc8

                                            SHA512

                                            5cfa3404dd974e18159d26776ff3f42f4d05be90a42f5ddad7fd35f3e6033460d214a43b952b0ee85a9f0471f9796f81e26c3883a1f84e48dddcdfc94438a9d4

                                          • C:\Users\Admin\AppData\Local\Temp\c2403ed1-88d0-4def-94ee-e65b0f5438fe.vbs

                                            Filesize

                                            718B

                                            MD5

                                            91de3dfec418c70ae39d6507c9b2ceba

                                            SHA1

                                            3b52328a9682b572dd1e0d137e33e2fc0689b1b0

                                            SHA256

                                            48e382747b2e1dc7a9fa4e72010c718827d10532181d156e296628857e58f222

                                            SHA512

                                            d8709e031aa0d0a93ca408878c0095a3ce1de817014f8cc518fb4f974b7ba3f07099f5a6c74921231539e014f79a077b076e24446eb0a93ed30eebe184f73dac

                                          • C:\Users\Admin\AppData\Local\Temp\d97244f6-647f-4dcc-a433-4fdc7b4809ba.vbs

                                            Filesize

                                            718B

                                            MD5

                                            2b6901c2dfeeb0ac8fef18794968e1bd

  SHA1: babff4bc382a1fdb544770d6218272fd383eb33b
  SHA256: 9705dd0b9cf8fbb392bee8bc26cf1a9cd197f65b389d347efdbf6ba24a279859
  SHA512: 230e6c21ea31d0bca2e1a7b7274c86a381a34fba41a5dcbdc48d1f53e91aff3f6e6785bdde72ba4e4c0195c0480228f5d37f28b77c6872e6feddf103d60117fe

• C:\Users\Admin\AppData\Local\Temp\ee3971d7-f84a-4037-9f97-58605f3f601c.vbs
  Filesize: 718B
  MD5: f5bc2ca43dd4e556b28d96c73574987c
  SHA1: 16634219c4311932c4f464fd1604ab8713d75856
  SHA256: fec3bb781902107ad1d22bb73051b04431c666945f49998097174c8e4f157222
  SHA512: 4ad71e8c9805aa9332df6347ec3b7b50e0613be9227e56eab83591c5c3a2a102bfa6e9334568efe7adf52499a351abb57091792a16cd177a8dc26f981d3f380a

• C:\Users\Admin\AppData\Local\Temp\efe6c4d6-13d3-4e30-bb46-2d5923511c87.vbs
  Filesize: 718B
  MD5: 2ce1b2ed44fd64355f48656b60b3fca9
  SHA1: a790b5038ce9d289f37356819fad5765acdeb9db
  SHA256: d409324b7b093d461b6549fe661317a5c50ff7492961a48949ec26365ab96d73
  SHA512: 4cf00eb02f774949bc135e4e246eddc863e323a8c0b48c509f3ba620639a3a6fe02b5408269a027c946f039c6d3b7b738aead4720217936d6a1e96a3f39bc6eb

• C:\Users\Admin\AppData\Local\Temp\feec2a2a-2a22-444b-b4d5-9b3ac93ccaad.vbs
  Filesize: 717B
  MD5: 5076cc7c56f86fb6f4d7f84130ffdfd1
  SHA1: ef5db15598b91f65a2f5366acff769bed881bad5
  SHA256: fc1afd9b06788cbc931e5c1645693f2ee06a13290321fe984ef25c8bc8ed6877
  SHA512: f180bb1e7f70f9e04b8b1002b632a250ddb5a610183df81b9c47abbb759808c5d47251ad1cad37ebddcfdd96a89c5b5788428b4fdf04d97b1a52027deb52283c

• C:\Users\Public\AccountPictures\upfc.exe
  Filesize: 2.9MB
  MD5: 990d69ce8a7a58fa44a5071429041ff0
  SHA1: 0f2603214e0b81c26a094b7e5fe76b7fa40be4b1
  SHA256: 15da106135fb0203f99b4cea15f31623008d8d81faf4648b494b2b53a2ee85ce
  SHA512: 6197dbd8e964fcc41df771b3defc6e0e2186c93d275bbd9fcc9745298cf3d3631fbfcd21058c2257a8d80f7fe258bcd33d5dbbe23d6b66702297aeeb2edb00dc

• memory/736-412-0x000000001B6B0000-0x000000001B706000-memory.dmp
  Filesize: 344KB

• memory/1452-332-0x000000001B340000-0x000000001B352000-memory.dmp
  Filesize: 72KB

• memory/2020-14-0x000000001B4A0000-0x000000001B4A8000-memory.dmp
  Filesize: 32KB

• memory/2020-15-0x000000001B4B0000-0x000000001B4BC000-memory.dmp
  Filesize: 48KB

• memory/2020-1-0x0000000000360000-0x0000000000646000-memory.dmp
  Filesize: 2.9MB

• memory/2020-26-0x000000001BB80000-0x000000001BB8A000-memory.dmp
  Filesize: 40KB

• memory/2020-296-0x00007FF89DDC0000-0x00007FF89E881000-memory.dmp
  Filesize: 10.8MB

• memory/2020-27-0x000000001BB90000-0x000000001BB9C000-memory.dmp
  Filesize: 48KB

• memory/2020-24-0x000000001BB60000-0x000000001BB6C000-memory.dmp
  Filesize: 48KB

• memory/2020-23-0x000000001BB50000-0x000000001BB5E000-memory.dmp
  Filesize: 56KB

• memory/2020-22-0x000000001BB40000-0x000000001BB48000-memory.dmp
  Filesize: 32KB

• memory/2020-20-0x000000001BB20000-0x000000001BB2A000-memory.dmp
  Filesize: 40KB

• memory/2020-21-0x000000001BB30000-0x000000001BB3E000-memory.dmp
  Filesize: 56KB

• memory/2020-19-0x000000001BB10000-0x000000001BB18000-memory.dmp
  Filesize: 32KB

• memory/2020-18-0x000000001B4F0000-0x000000001B4F8000-memory.dmp
  Filesize: 32KB

• memory/2020-17-0x000000001C040000-0x000000001C568000-memory.dmp
  Filesize: 5.2MB

• memory/2020-16-0x000000001B4C0000-0x000000001B4D2000-memory.dmp
  Filesize: 72KB

• memory/2020-25-0x000000001BB70000-0x000000001BB78000-memory.dmp
  Filesize: 32KB

• memory/2020-0-0x00007FF89DDC3000-0x00007FF89DDC5000-memory.dmp
  Filesize: 8KB

• memory/2020-13-0x000000001B490000-0x000000001B49C000-memory.dmp
  Filesize: 48KB

• memory/2020-12-0x000000001B440000-0x000000001B496000-memory.dmp
  Filesize: 344KB

• memory/2020-2-0x00007FF89DDC0000-0x00007FF89E881000-memory.dmp
  Filesize: 10.8MB

• memory/2020-11-0x000000001B430000-0x000000001B43A000-memory.dmp
  Filesize: 40KB

• memory/2020-4-0x000000001B2C0000-0x000000001B310000-memory.dmp
  Filesize: 320KB

• memory/2020-5-0x0000000002A70000-0x0000000002A78000-memory.dmp
  Filesize: 32KB

• memory/2020-3-0x000000001B250000-0x000000001B26C000-memory.dmp
  Filesize: 112KB

• memory/2020-7-0x000000001B280000-0x000000001B296000-memory.dmp
  Filesize: 88KB

• memory/2020-10-0x000000001B420000-0x000000001B430000-memory.dmp
  Filesize: 64KB

• memory/2020-9-0x000000001B2B0000-0x000000001B2B8000-memory.dmp
  Filesize: 32KB

• memory/2020-8-0x000000001B2A0000-0x000000001B2A8000-memory.dmp
  Filesize: 32KB

• memory/2020-6-0x000000001B270000-0x000000001B280000-memory.dmp
  Filesize: 64KB

• memory/2572-190-0x00000252AF700000-0x00000252AF722000-memory.dmp
  Filesize: 136KB

• memory/2844-355-0x000000001BDC0000-0x000000001BDD2000-memory.dmp
  Filesize: 72KB

• memory/3772-389-0x000000001B570000-0x000000001B582000-memory.dmp
  Filesize: 72KB